AnyConnect - Machine certificate authentication + LDAP AAA

Feb 3rd, 2010

Hi all,

I would like to use SSL VPN (AnyConnect) with the following authentication setup on my ASA 5510s in failover:

- AAA LDAP to authenticate my users on AD

- machine certificate authentication to verify if a corporate asset connects to the VPN

Without the machine certificate authentication, the setup works very well. All users can authenticate and the VPN connection is established.

As soon as I add the requirement for machine certificate authentication, it no longer works.

I've tried this:

- uploaded my root CA certificate to the ASA

- in the properties of my connection profile, I've set the "authentication method" to both

- added the command "ssl certificate-authentication"

When I now try to connect with AnyConnect, I'm unable to select my connection profile. The "Group" field in the AnyConnect client is just blank.

After entering the username and password nothing happens.

After changing the authentication method on the ASA to "AAA", the connection profile shows correctly in the AnyConnect client and I'm able to log in.

Any ideas? What are the necessary steps to configure machine certificate authentication + LDAP for AnyConnect SSL VPN?

Many thanks!

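For reference, here is what the setup described in the question (LDAP AAA plus a machine certificate, "both" on the connection profile) looks like on the CLI. This is an added example, not configuration posted in this thread; it uses the ASA 8.2-era syntax current at the time of the post, and every name, address, DN and password placeholder (CORP-ROOT-CA, LDAP-AD, CORP-SSL, CORP-GP, 10.0.0.10, corp.example.com) is an assumption. The AnyConnect image line is omitted because the AAA-only setup already works, so the package is assumed to be on flash.

```text
! ---- ASA side (8.2-era CLI; names, addresses and DNs are assumptions) ----
! 1. Trust the corporate root CA that issued the machine certificates
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
 crl configure
crypto ca authenticate CORP-ROOT-CA
! (paste the PEM-encoded root CA certificate when prompted)

! 2. Active Directory over LDAP for the username/password leg
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft

! 3. Request a client certificate from every SSL VPN client on "outside"
!    (this is the full form of the command mentioned in the question)
ssl certificate-authentication interface outside port 443

! 4. Group policy and connection profile: certificate AND AAA ("both")
group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol svc
tunnel-group CORP-SSL type remote-access
tunnel-group CORP-SSL general-attributes
 authentication-server-group LDAP-AD
 default-group-policy CORP-GP
tunnel-group CORP-SSL webvpn-attributes
 authentication aaa certificate
 group-alias CORP enable

! 5. Without tunnel-group-list the client's Group drop-down stays empty
webvpn
 enable outside
 svc enable
 tunnel-group-list enable

! 6. Checks (run from enable mode)
show crypto ca certificates CORP-ROOT-CA
test aaa-server authentication LDAP-AD host 10.0.0.10 username jdoe password <pw>
debug crypto ca 255
debug ldap 255

! ---- AnyConnect client profile (XML fragment; element names assumed to be
! ---- supported by the client version in use). Tells the client to offer a
! ---- certificate from the machine store, not only from the user's store.
<ClientInitialization>
  <CertificateStore>Machine</CertificateStore>
  <CertificateStoreOverride>true</CertificateStoreOverride>
</ClientInitialization>
```

One thing worth checking for the blank "Group" field: with `ssl certificate-authentication` enabled, the ASA asks for the client certificate during the TLS handshake, before the client has fetched the list of group aliases. If the client cannot present an acceptable certificate at that point (for example because the certificate lives in the machine store but the client only searches the user store, or because the issuing CA does not chain to the trustpoint on the ASA), the handshake fails and the drop-down is never populated, which is consistent with the symptom in the question. `debug crypto ca 255` on the ASA shows whether a client certificate was offered and why it was rejected.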
Ivan Martinon Wed, 02/03/2010 - 12:54

Hey there, this is what I got from our KB. It seems you need to have Secure Desktop to enable certificate validation; follow this procedure:

To check if a machine has a certificate before the user is even prompted for a login, you will need to use Secure Desktop Manager. Open up ASDM, click on Remote Access VPN > Secure Desktop Manager > Setup, make sure that you have Secure Desktop on the flash of your ASA, and make sure that the checkbox "Enable Secure Desktop" is checked. After that has been checked, a tab called Prelogin Policy should come up. Click on that and there should be a diagram that looks like the following:

Start ---->+Default

Click on the "+" sign next to the Default policy, change the check to "certificate", and configure which certificate you want it to check for.

Let us know how it works.
