NEED EXPERT - SSLVPN with MS Cert - Certificate validation failure

pganet123 · ‎01-20-2010

Hello to all

This problem seems to be bothering a lot of the ASA administrators around the world.

It also seems to be coincidences that determines whether or not you will be successful with this setup. (Just have a look at this forum)

Anyway I get this error at the web login page:

"Certificate Validation Failure"

And when debugging (Debug webvpn 255) at the ASA I get the message:

"Embedded CA Server not enabled. Logging out the user."

I did encounter this pain-in-the-ass-issue for the first time when I was testing the AnyConnect Client and the xml profile options, in my testlab.

At my main ASA, at which I (hopefully) will have this service running for my users, it actually works - now with the result that I do not dare to change anything, if it should not work afterwards.

The very strange thing to me is, my testlab is an exact copy of the setup that is working.

My testlab setup:

MS Domain (Enterprise 2003) counts 3 servers, DC/DNS, a CA server, no SubCAs only one Certificate Authority Server, and an IAS server to authenticate the credentials. On the CA server, I have made a duplicate of the RAS and IAS server certificate, which I plan to use for the Identity certificate on the ASA.

ASA5510 version 8.0(4) - it uses the IAS server for telnet and ASDM logins, so that part is working. Also, when setting the Anyconnect Connection Profile to use only AAA to authenticate it is working.

I have tried many times, making new ADs, cleared all config on ASA, set it up from the beginning. Everytime stuck with the certificate validation failure.

I use to manually enroll the certificates on the ASA through the CLI, but have also tried using SCEP. Same result.

Also, when installing certificates on the ASA, I have tried first making one trustpoint for the CA certificate, authenticated succesfully, then making another trustpoint for the Identity certificate, also authenticated succesfully with the CA certificate, and enrolled and imported successfully the duplicate certificate at my CA. Also tried, as this configuration example shows -> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml#step2 - to only make one trustpoint for both certificates.

No matter what I do, I still get that error message.

I have checked the clock numerous times in both the AD and on the ASA - it is correct. Also checked the valid period for all certificates (in the details for the certificates) - it is also correct.

I see NO ERROR messages anywhere but when trying to login at the web login page and through the AnyConnect Client version 2.3 or 2.4, doesn't matter.

I have attached some config output from the ASA. And if anyone should notice, and question, then, Yes - it is my plan to enable the SSLVPN service at the ASAs inside interface. I haven't attached any debug outputs while they all show the same message, "Embedded CA server not enabled...."

My client certificates are attached so please have a look if you can find any errors.

I want to only use the Machine certificate to authenticate the ASA, but just in case I have provided my client with a usercert too.

If you need more to help me out with this, please tell.

Yudong Wu · ‎01-20-2010

from the configuration, you should add command "ssl certificate-authentication" to enable client cert authentication on the related interface.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1409102

pganet123 · ‎01-21-2010

Thank you SO much Kevin - that config line solved my problem.

I haven't heard of it before though, didn't think of the fact that Cisco might change the configuration of this setup from 8.0(2).

But this is great - it works now.

Yudong Wu · ‎01-21-2010

Glad the problem has been resolved. Would you mind to mark this question being answered and give it a rate if you want as well?

Thanks for using Cisco Support Community.

pganet123 · ‎01-22-2010

Well, maybe I was too quick before.

The command line you gave me, seemed just to tick the box in asdm, 'Require Client Certificate', which I believe means that, the asa will authenticate the client based on the (in microsoft OS) USER certificate. I want to have only my clients authenticate the asa - with the client's MACHINE certificate.

When I tried the command, 'ssl certificate-authentication interface interface port port', the client I was using had a usercert. This worked. I deleted that usercert and tried again, and it still worked.

Then I picked another machine, with only a machinecert from beginning, and it did not work.

Finally, I reinstalled the OS on the machine that worked, and registered only the machinecert and this did not work.

I see in the AnyConnect's logfiles that it finds the machinecert, based on the certificate matching lines in the xml profile.

I am using AnyConnect v2.4.0202.

Yudong Wu · ‎01-22-2010

If it works when you adding that command and has user cert on PC, does that means your SSL VPN is configured to use user cert for authentication?

Could you please verify it?

pganet123 · ‎01-24-2010

It only works with a usercert.

I have configured, in the xml profile, to use only the machine cert store in windows.

As far as I know, there are no settings in the ASA configuration, that allows you to choose between user or machine authentication on SSL VPN.

Yudong Wu · ‎01-25-2010

Can you post your ASA configuration?

can you try to use user cert (working) and machine cert (not working) and collect the following respectively.

- debug webvpn 255 from ASA

- DART file from anyconnect client.

pganet123 · ‎01-26-2010

Ok here is full config of ASA.

The first debug output is with using only machine cert.

Yesterday I upgraded the ASA image to 8.2(1). (Maybe it would do better, but Im wrong again. I did read the release notes, and based on the solved caveats list, I thought it was worth a try)

After this upgrade im not even able to see the group alias without a user cert.

Thats why the first debug output doesnt show much.

The DART bundle shows connection attemps since 22. january. Only the last attempt is succesful.

I have attached the xml profile as well. (Testlab.xml)

pganet123 · ‎01-26-2010

And just for the sake...

This test machine I'm using has never had a user cert registered before.

Then, after registering a user cert and verified that it is working to establish a VPN connection through AnyConnect, I deleted the user cert.

But now the test machine is still able to establish a VPN connection. From the logs I see it chooses the machine cert.

I don't know who needs to respond to this bug, Microsoft or Cisco, but something is not running as supposed to.

Yudong Wu · ‎01-26-2010

Per your configuration, you are using both aaa and certificate for authentication.

If authentication certificate is enabled like in your configuration, you do need the command which I mentioned before.

Back to the certificate, to my knowledge, anyconnect client could use both user cert and machine cert. It will search the certificate store to find the one which can be used.

You can open a case with TAC to investigate this furhter.