Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5161
Views
0
Helpful
1
Replies

AnyConnect - Machine certificate authentication + LDAP AAA

baloomba1
Level 1
Level 1

‎02-03-2010 12:20 PM - edited ‎02-21-2020 04:29 PM

Hi all,

I would like to use SSL VPN (Anyconnect) with the following authentication setup on my ASA's 5510 in failover:

- AAA LDAP to authenticate my users on AD

- machine certificate authentication to verify if a corporate asset connects to the VPN

Without the machine certificate authentication, the setup works very well. All users can authenticate and the VPN connection is established.

As soon as I add the requirement for the machine certificate authentication, it doesn't work any longer.

I've tried this:

- uploaded my root CA certificate to the ASA

- in the properties of my connection profile, I've set the "authentication method" to both

- added the command "ssl certificate-authentication"

When I now try to connect with Anyconnect, I'm unable to select my connection profile. The "Group" field in the Anyconnect client is just blank.

After entering the username and password nothing happens.

After changing the authentication method on the ASA to "AAA", the connection profile shows correctly on the Anyconnect client and I'm able to login.

Any ideas? What are the necessary steps to configure machine certificate authentication + LDAP for Anyconnect SSL VPN?

Many thanks!

Labels:
0 Helpful
1 Reply 1

Ivan Martinon
Level 7
Level 7

‎02-03-2010 12:54 PM

Hey there, this is what I got from our KB, seems you need to have Secure Desktop to enable certificate validation follow this procedure:

To check if a machine has a certificate before the user is even prompted
for a login, you will need to use secure desktop manager.  Open up ASDM,
click on Remote Access VPN > Secure Desktop Manager > Setup and make
sure that you have secure desktop on the flash of your ASA and make sure
that the checkbox "Enable Secure Desktop" is checked.  After that has
been checked, a tab called Prelogin Policy should come up.  Click on
that and there should be a diagram that looks like the following:
 
Start ---->+Default

Click on the "+" sign next to the Default policy and change the check to
certificate and configure the certificate on what you want it to check
for.

Let us know how it works.

0 Helpful
Customers Also Viewed These Support Documents