Authentication with certificates

I have implemented the authentication of AnyConnect clients using digital certificates. The connection is established if I start from the browser, but is not established if I start from the AnyConnect client. With username and password authentication, as it was before, I could use both methods to connect.

Any suggestion ? I am using the latest version of the software.

Regards

P.S. Cisco moderator, can you tell me if this is a bug ?

6 Replies

ksirupa
Level 3

It appears your certificate is in the User/personal store. Maybe AnyConnect is only searching for machine certificates. Double check the AnyConnect profile to scan both Machine and User certificates. If you can insert sections of the profile XML file, that would help too. Specifically, the attributes with "Certificate Store".

Hi,

Thanks for your reply.

Of course the certificate is in the personal store.

The standard configuration in the XML file has All, which means search all the stores. I have also tried User, which means search the personal store, but it seems to have no effect. The AnyConnect client says that it will use the certificates but does not connect.

Giovanni

Then it appears like a bug with AnyConnect. What did the TAC say?

I do not currently have a maintenance contract, so I cannot contact the TAC. Hopefully the moderator will do something ...

- Do you have any certificate matching rules setup in the AnyConnect profile?  If so, do they match the information in the client certificates?

- Do you have Certificate to SSL VPN Connection Profile Maps configured?  If so, are they properly setup to match the information in the client certificates?

- Does the ASA trust the CA the client certificates were issued by?

- Does the client certificate have the Digital Signature key usage bit set?  If not, you will have to enable the deprecated feature ignore-ssl-keyusage on the CA trustpoint for SSL VPN to work.  Alternately, reissue client certificates with the Digital Signature bit set.
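One way to verify the last point of the checklist above (whether a client certificate carries the Digital Signature key-usage bit) is an added example, not code from the thread; it assumes `openssl` is on the PATH and generates its own throw-away self-signed test certificates as constructed sample data.

```shell
#!/bin/sh
# Added example: check whether a PEM client certificate has the Digital Signature
# key-usage bit that the ASA expects for SSL VPN certificate authentication.
# Assumes `openssl` is installed. Exit status: 0 = bit set, 1 = bit not set,
# 2 = certificate has no Key Usage extension at all.

# Print the Key Usage line of a PEM certificate (empty if the extension is absent).
key_usage_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Return 0 only if "Digital Signature" appears in the certificate's Key Usage.
has_digital_signature() {
    ku=$(key_usage_of "$1")
    [ -n "$ku" ] || return 2
    case "$ku" in
        *"Digital Signature"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed test data: build a self-signed certificate with the given keyUsage
# list ($2) at path $1, so the check can be exercised without a real client cert.
make_test_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = anyconnect-test-client
[ext]
keyUsage = critical, $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${1%.pem}.key" -out "$1" -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg"
}

# Usage: sh check_ku.sh client.pem
if [ $# -gt 0 ]; then
    if has_digital_signature "$1"; then
        echo "$1: Digital Signature bit set"
    else
        echo "$1: Digital Signature bit NOT set (status $?)"
    fi
fi
```

A certificate that fails this check is the case where the ASA either needs ignore-ssl-keyusage on the trustpoint or the certificate has to be reissued, as described in the reply above.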

Hi Jim,

please note that the certificate works when I start the connection from the browser, but it does not work when I start from the AnyConnect client. I have only put the ASA name in the XML file, no other change. The ASA trusts the client certificate. I don't know how to check the Digital Signature bit, but I guess it is OK since I am using a certificate issued by a public CA.

Moreover, if I use AnyConnect v. 2.3.0254 it works. So my conclusion is that this is a bug of v. 2.4.1012.
