I would like to use SSL VPN (AnyConnect) with the following authentication setup on my ASA 5510s in failover:
- AAA LDAP to authenticate my users on AD
- machine certificate authentication to verify that a corporate asset is connecting to the VPN
Without the machine certificate authentication, the setup works very well. All users can authenticate and the VPN connection is established.
As soon as I add the requirement for machine certificate authentication, it no longer works.
I've tried this:
- uploaded my root CA certificate to the ASA
- in the properties of my connection profile, I've set the "authentication method" to both
- added the command "ssl certificate-authentication"
When I now try to connect with AnyConnect, I'm unable to select my connection profile. The "Group" field in the AnyConnect client is just blank.
After entering the username and password, nothing happens.
After changing the authentication method on the ASA back to "AAA", the connection profile shows correctly in the AnyConnect client and I'm able to log in.
Any ideas? What are the necessary steps to configure machine certificate authentication + LDAP for AnyConnect SSL VPN?
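Added here as an illustration, not taken from the original post: the ASA CLI equivalent of the pieces described above (an uploaded root CA trustpoint, an LDAP AAA server group, a connection profile set to AAA plus certificate, and a certificate map that routes sessions presenting a corporate machine certificate to that profile). All object names, the LDAP host address and DNs, the service account and the issuer CN are assumed placeholders.

```text
! Trustpoint for the root CA that issued the machine certificates. The CA
! certificate itself is pasted in with "crypto ca authenticate CORP-ROOT-CA".
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
!
! LDAP server group for user authentication against AD
! (host, base DN and service account are constructed placeholders).
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password <service-account-password>
 ldap-login-dn CN=svc-vpn,OU=Service Accounts,DC=example,DC=local
 server-type microsoft
!
! Certificate map: only client certificates issued by the corporate CA
! (issuer CN assumed) match, so non-corporate certificates are not mapped.
crypto ca certificate map CORP-MACHINE-CERT 10
 issuer-name attr cn eq corp-root-ca
!
! Ask the client for a certificate during the TLS handshake on the outside
! interface (the command mentioned in the post, with its interface and port).
ssl certificate-authentication interface outside port 443
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
! Route sessions whose certificate matches the map to the CORP-VPN profile.
 certificate-group-map CORP-MACHINE-CERT 10 CORP-VPN
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group LDAP-AD
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
! "Both" in ASDM: the user must pass LDAP and present a valid certificate.
 authentication aaa certificate
 group-alias CORP-VPN enable
```

The connection can be checked from the ASA side with "show vpn-sessiondb anyconnect" and, for certificate matching problems, "debug crypto ca" while a client connects.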