Authentication with certificates

Unanswered Question
Mar 22nd, 2010

I have implemented the authentication of Anyconnect clients using digital certificates. The connection is established if I start from the browser, but it is not established if I start from the Anyconnect client. With username and password authentication, as it was before, I could use both methods to connect.

Any suggestion ? I am using the latest version of the software.


Regards


P.S. Cisco moderator, can you tell me if this is a bug ?

ksirupa Mon, 03/22/2010 - 08:35

It appears your certificate is in the User/personal store. Maybe AnyConnect is only searching for machine certificates. Double check the AnyConnect profile to scan both Machine and User certificates. If you can insert sections of the profile XML file, that would help too. Specifically, the attributes with "Certificate Store".

giovanni paterno Tue, 03/23/2010 - 03:18

Hi,

Thanks for your reply.

Of course the certificate is in the personal store.

The standard configuration in the XML file has All, which means search all the stores. I have also tried User, which means search the personal store, but it seems to have no effect. The Anyconnect Client says that it will use the certificates but does not connect.

Giovanni

ksirupa Tue, 03/23/2010 - 14:02

Then it appears like a bug with AnyConnect. What did the TAC say?

giovanni paterno Fri, 03/26/2010 - 01:58

I do not currently have a maintenance contract, so I cannot contact the TAC. Hopefully the moderator will do something ...

jimsiff Sun, 03/28/2010 - 00:50

- Do you have any certificate matching rules setup in the AnyConnect profile?  If so, do they match the information in the client certificates?

- Do you have Certificate to SSL VPN Connection Profile Maps configured?  If so, are they properly setup to match the information in the client certificates?

- Does the ASA trust the CA the client certificates were issued by?

- Does the client certificate have the Digital Signature key usage bit set?  If not, you will have to enable the deprecated feature ignore-ssl-keyusage on the CA trustpoint for SSL vpn to work.  Alternately, reissue client certificates with the Digital Signature bit set.
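A way to verify the fourth point above, the Digital Signature key usage bit, on a client certificate exported in DER form. This is an added example and not code from the thread or from Cisco: a small pure-Python DER walker that locates the keyUsage extension (OID 2.5.29.15, RFC 5280 section 4.2.1.3) and decodes its BIT STRING. The sample bytes at the bottom are hand-constructed Extension structures, not a real certificate; the function names and the file path `client.cer` are assumptions.

```python
"""Decode the X.509 keyUsage extension of a DER-encoded certificate and report
whether the digitalSignature bit is set.

Added example, not from the forum thread. No third-party modules are needed.
"""
import sys

KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15 = id-ce-keyUsage

# Flag names in RFC 5280 bit order; bit 0 is the most significant bit of byte 0
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def iter_tlv(data: bytes):
    """Yield (tag, value) for each top-level DER TLV in data (short and long-form lengths)."""
    pos = 0
    while pos < len(data):
        tag = data[pos]
        length = data[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits say how many length bytes follow
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        yield tag, data[pos:pos + length]
        pos += length


def find_extension(data: bytes, oid: bytes):
    """Depth-first search for an Extension SEQUENCE whose extnID equals oid.

    Returns the raw extnValue (the contents of its OCTET STRING) or None.
    Works on a whole certificate because the [3] EXPLICIT extensions wrapper,
    the TBSCertificate and the Extensions SEQUENCE are all constructed tags.
    """
    for tag, value in iter_tlv(data):
        if tag == 0x30:  # SEQUENCE: may be an Extension { extnID, critical, extnValue }
            children = list(iter_tlv(value))
            if children and children[0][0] == 0x06 and children[0][1] == oid:
                octet_tag, octet_value = children[-1]  # extnValue is always last
                if octet_tag == 0x04:
                    return octet_value
        if tag & 0x20:  # constructed tag: recurse into its contents
            found = find_extension(value, oid)
            if found is not None:
                return found
    return None


def key_usage_flags(der_cert: bytes) -> set:
    """Return the set of keyUsage flag names; empty if the extension is absent."""
    extn_value = find_extension(der_cert, KEY_USAGE_OID)
    if extn_value is None:
        return set()
    tag, bits = next(iter_tlv(extn_value))  # extnValue holds exactly one BIT STRING
    if tag != 0x03:
        raise ValueError("keyUsage extnValue is not a BIT STRING")
    unused, payload = bits[0], bits[1:]
    total_bits = len(payload) * 8 - unused
    flags = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit_index = divmod(i, 8)
        if i < total_bits and payload[byte_index] & (0x80 >> bit_index):
            flags.add(name)
    return flags


def has_digital_signature(der_cert: bytes) -> bool:
    """True when the certificate carries keyUsage with digitalSignature set."""
    return "digitalSignature" in key_usage_flags(der_cert)


# Constructed samples (not real certificates): a single Extension SEQUENCE as it
# would appear inside a TBSCertificate, plus the same one wrapped in the
# [3] EXPLICIT Extensions container to exercise the recursive search.
SAMPLE_SIGN_AND_ENCIPHER = bytes.fromhex(
    "300e"        # Extension SEQUENCE, 14 content bytes
    "0603551d0f"  # extnID = 2.5.29.15
    "0101ff"      # critical = TRUE
    "0404"        # extnValue OCTET STRING, 4 bytes
    "030205a0"    # BIT STRING, 5 unused bits, bits 0 and 2 set
)
SAMPLE_ENCIPHER_ONLY = bytes.fromhex("300e0603551d0f0101ff0404030205" "20")
SAMPLE_NESTED = bytes.fromhex("a312" "3010") + SAMPLE_SIGN_AND_ENCIPHER

if __name__ == "__main__":
    # Usage: python check_keyusage.py client.cer   (assumed path, DER-encoded)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    der = open(path, "rb").read() if path else SAMPLE_SIGN_AND_ENCIPHER
    print("keyUsage flags:", sorted(key_usage_flags(der)))
    print("digitalSignature set:", has_digital_signature(der))
```

For a PEM file, strip the header and footer and base64-decode first, or use the OpenSSL CLI instead: `openssl x509 -in client.cer -inform DER -noout -text` prints the same information in its "X509v3 Key Usage" line. A certificate without the bit will fail the ASA's SSL key usage check exactly as described in the point above.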

giovanni paterno Mon, 03/29/2010 - 02:52

Hi Jim,

please note that the certificate works when I start the connection from the browser, it does not work when I start from the Anyconnect client. I have only put the asa name in the xml file, no other change. The ASA trusts the client certificate, I don't know how to check the Digital signature bit but I guess it is ok since I am using a certificate issued by a public CA.

Moreover if I use Anyconnect v. 2.3.0254 it works. So my conclusion is that this is a bug of v 2.4.1012.
