Cert based auth with AnyConnect

Answered Question
Jun 22nd, 2010

Hi,

We recently purchased a certificate for our ASA to use on the outside interface, when connecting in order to get AnyConnect installed or simply use webvpn. I added it as an identity cert and the CA cert as well, and then made it the default cert for the outside interface. This all worked just fine.

Now, we want to use cert-based authentication for our AnyConnect (along with RADIUS which is already working). We have an internal Microsoft cert server, that we would like to use for this purpose. Question is... how can we use the public purchased cert on the outside interface for webvpn and AnyConnect installation and at the same time use the "internal" cert for authentication of VPN client? Is it even possible?

I've already created an internal cert and installed it on the asa along with the CA cert of our internal server. We are running version 8.2(2).

I hope someone with a little more knowledge about this than me can assist.

Thanks in advance,

Rasmus

Rasmus Wed, 06/23/2010 - 01:32

I just tried the above mentioned setting, and it works when using the AnyConnect client.

But when visiting the https address of the ASA to get AnyConnect installed, I get a certificate auth error when logging on. It still uses the public purchased cert here, which is what I want it to, but the auth seems to try to use the authentication cert set up. This would be OK, but the problem is that when opening the web site (ASA), IE prompts me to select a certificate for authentication, and my computer cert (which I choose with the AnyConnect client) isn't available.

Any help much appreciated!

/Rasmus

Marcin Latosiewicz Fri, 06/25/2010 - 01:24

Rasmus,

I faced something similar before. The fault was on the MS CA side at that time. Let's see now.

Can you please check from multiple browsers, IE and Firefox at minimum.

First of all do you see the correct cert in browsers' stores?

Marcin

Rasmus Fri, 06/25/2010 - 01:52

Hello Marcin - thanks for your reply.

I checked Firefox, IE7 and IE8 - all the same.

If I open the cert store from IE I can only see the user certificate store. Since the cert in use is a computer cert, it doesn't show up.

/Rasmus

Marcin Latosiewicz Fri, 06/25/2010 - 01:59

Rasmus,

By any chance is this same deployment we used in previous thread, SBL + proxy + I guess cert auth?

Can you also install this cert into the user store and test? I'm not a Windows guy, so I don't know if you can make IE read other cert stores.

Marcin

Rasmus Fri, 06/25/2010 - 02:26

Hi Marcin,

Exactly the same.

I already tried that. I was able to select the certificate then, but the authentication would still fail for some reason. If I clicked Cancel in the cert selection pop-up it worked, but only with the computer cert added to the user cert store. If it wasn't there, I could not authenticate whether I clicked OK or Cancel.

/Rasmus

Marcin Latosiewicz Fri, 06/25/2010 - 04:40

Rasmus,

Long story short ... which cert do you have in "ssl ..."?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1514061

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1511555


If I remember you were already running 8.2.2

A note from the case I mentioned: the MS CA has certificate templates, and they seem to mess up some part of PKI on the ASA; you can probably get this working with an IOS CA without problems.

Can you get "deb cry ca mess" and "deb cry ca trans" (100 level) during a connection attempt?

Marcin

Rasmus Mon, 06/28/2010 - 01:31

Hi Marcin,

In the "SSL TrustPoint..." command I've got the external bought certificate.

The "SSL certificate-auth..." command is not present in my config. I've got this though:

crypto ca certificate map NAME 10
webvpn
 certificate-group-map NAME 10 PROFILE

About the debug command: do you want this output when connecting with the AnyConnect client, or when accessing the web page where the error occurs? Also, should I click Cancel in the cert selection box (if you want the browser-login debug) or click OK without a cert selected?

Thanks,

Rasmus
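As an added example (not configuration from anyone in this thread), the shape of the setup the original question asks for on ASA 8.2: the purchased certificate is what the ASA presents on the outside interface, a second trustpoint holds only the internal Microsoft CA and is what the ASA validates client certificates against, and a certificate map sends clients issued by that CA into a tunnel group that requires both a certificate and RADIUS credentials. Trustpoint, map, tunnel-group and server-group names, and the issuer CN, are placeholders.

```text
! Added example, not the poster's config. All names are placeholders.
!
! Trustpoint holding the purchased identity cert plus its public CA chain.
crypto ca trustpoint PUBLIC-TP
 enrollment terminal
!
! Trustpoint holding ONLY the internal Microsoft CA certificate.
! Client certs are validated against whichever trustpoint carries their
! issuing CA, so this one needs no identity cert of its own.
crypto ca trustpoint INTERNAL-CA-TP
 enrollment terminal
 revocation-check crl
 crl configure
!
! What the ASA presents to browsers and AnyConnect on outside: the
! purchased cert. This does not affect which CA validates clients.
ssl trust-point PUBLIC-TP outside
!
! Request a client certificate during the TLS handshake on outside.
! This is per interface, so the clientless portal and AnyConnect
! installer page get the certificate prompt as well as the client.
ssl certificate-authentication interface outside port 443
!
! Tunnel group: certificate AND RADIUS (username/password) required.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group RADIUS-SRV
tunnel-group ANYCONNECT-TG webvpn-attributes
 authentication aaa certificate
!
! Match certs issued by the internal CA and map them to that tunnel group.
crypto ca certificate map INTERNAL-MAP 10
 issuer-name attr cn eq Internal-Issuing-CA
webvpn
 enable outside
 certificate-group-map INTERNAL-MAP 10 ANYCONNECT-TG
!
! Exec-mode debugs to capture during a failed attempt, as asked above:
!   debug crypto ca messages 100
!   debug crypto ca transactions 100
```

Two checks worth doing against a config like this: `show crypto ca certificates INTERNAL-CA-TP` should list the internal CA cert (and nothing under PUBLIC-TP should be needed to validate a client), and a certificate map that matches nothing will leave the connection on the default tunnel group, which is one way a "works in AnyConnect, fails in the browser" symptom can appear if the two paths land on different groups.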

Correct Answer
Marcin Latosiewicz Mon, 06/28/2010 - 02:50

Rasmus,

Debugging for failed attempt please, however you normally try to do this.

Can you try with and without ssl certificate-auth ... ?

Marcin

Rasmus Mon, 06/28/2010 - 08:01

Hi Marcin,

First of all thanks for all your assistance!

The more I've looked into this, the more it appears to me that it is an internet browser related problem. IE simply doesn't look in the computer certificates store in Windows - only the user store.

I've created a separate thread in a Windows forum, and hopefully I will get some answers there. Meanwhile, if anyone else runs into this problem, please reply to this thread.

I will give you full ratings though, Marcin, because of your assistance. I will also create another thread in here regarding CRL. This is an ASA issue, not an Internet Explorer thing, so I hope you will take a look at that thread at some point; I simply can't get it working.

Thanks again,

Rasmus
