Authenticating AnyConnect VPN client using certificates

Answered Question
Sep 20th, 2010

Guys, I'm trying to configure my ASA5505 to authenticate AnyConnect VPN clients by using certificates. I have 'Certificates' set as my authentication method in my AnyConnect Connection Profile (see attached screenshot), but I keep getting "Certificate Validation Failure" whenever I try to connect. The certificate I want to use is a Computer certificate issued from my Enterprise Root CA (Windows Server 2008 running Active Directory Certificate Services). Certificate screen shot is attached. I've added the Root certificate on the ASA, and I've tried all manner of combinations using Certificate Matching in the AnyConnect Client Profile. Every attempt has failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!

Correct Answer by Craig Lorentzen about 4 years 7 months ago

Hello Shaun,

The problem you are describing, not being able to authenticate via certificate through Microsoft Internet Explorer, is because of the fact that the certificate is in the Machine store. You would want to confirm with Microsoft, but it is my understanding that Microsoft Internet Explorer only uses the User Store; as such the certificate is not available to be presented to the ASA through the web browser.

-Craig

slawford Thu, 09/23/2010 - 23:18

Hi Shaun,

What browser are you using to connect with, and are you being prompted to select the certificate you want to use?

Regards,

Steve.

Shaun Michelson Fri, 09/24/2010 - 08:04

Hey Steve, using IE8 and I'm not being prompted to choose a certificate.

slawford Fri, 09/24/2010 - 18:46

Thanks Shaun,

Have you tried connecting with Firefox? If so, do you see the same behaviour?

Please also note that IE8 is only supported from ASA version 8.3.1 and above (http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp160950).

Regards,

Steve.

Shaun Michelson Mon, 09/27/2010 - 13:08


Thanks for the info on IE8 support. We're using ASA version 8.2.2, so that could be an issue. Tried connecting with Firefox v3.6.10, and am not being prompted to choose a certificate.

Diego Armando C... Mon, 09/27/2010 - 15:08

Could you add the show run?

Shaun Michelson Tue, 09/28/2010 - 06:51

Added the (scrubbed) running config in the attachments.

Bel Marsad Fri, 10/01/2010 - 01:29

Hi,

I have exactly the same issue testing AnyConnect 2.5 with ASA 8.2.2.

I have a machine certificate issued by our internal CA (MS2003); on the ASA WAN interface there is an SSL certificate issued by Verisign CA.

Each time I want to connect from an XP client, with either Firefox or IE 7.0, there is an error message: authentication failure.

You mentioned at the top that you enabled the root certificate on the ASA? Could you please let me know about this?

I don't find a Cisco doc to enable AnyConnect client authentication by certificate.

Thanks for your help

Shaun Michelson Mon, 10/04/2010 - 06:52

Bel,

To install my Enterprise Root CA certificate, I first browse to http://servername/certserv within my network (where servername is the name of your Enterprise Root CA) and click on "Download a CA certificate, certificate chain, or CRL". (You need to have installed the Certification Authority Web Enrollment service on your Enterprise Root CA server before this works). Once I've downloaded the CA certificate, on the ASA I go to Configuration --> Remote Access VPN --> Certificate Management --> CA Certificates, then click on "Add" and browse to my Desktop where I've saved the certificate. Hope this helps.

Bel Marsad Mon, 10/04/2010 - 07:13


Hello,

Thanks for your answer. I downloaded our CA certificate in DER format, using these options on the CA web enrollment page:

Encoding method:
    DER  <-- this format
    Base 64

    Install CA certificate
    Download CA certificate  <-- this one
    Download CA certificate chain
    Download latest base CRL
    Download latest delta CRL

And installed it on my ASA.

And now how can I direct my user profiles to validate this certificate??

Thanks

Shaun Michelson Mon, 10/04/2010 - 07:17

Ha...that's what I'm trying to figure out through this forum.

Bel Marsad Mon, 10/04/2010 - 07:22

Okay, now we have to wait for help.

Craig Lorentzen Mon, 10/04/2010 - 13:37

Hello Shaun,

Since you are trying to use a Machine Certificate (Local Computer store instead of User store), you need to have configured your AnyConnect Profile to have the CertificateStoreOverride and ensure that the CertificateStore is All or Machine. By default it is set to All; however, most users do not have the rights for the Machine store and thus cannot get the certificate. Also, your web browser would not have access to a Machine Cert either.

During a connection attempt you would want to monitor the

  debug crypto ca 255

To ensure that the ASA is in fact receiving a certificate for authentication.  Use terminal monitor to see the debugs in your SSH Session.

You can also check the AnyConnect Event Logs from the Windows Event Log viewer and look for a vpnui entry where the function is getNextClientCert to see if the client found your certificate.

You could also try installing the certificate in the User Store and see if that makes a difference.

I hope that this helps,
Craig
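
An added diagnostic for the store question Craig raises (example code, not from the thread or from Cisco): it lists the certificates in the Machine and User stores on the Windows client, reports whether the user can actually use each private key, whether the Client Authentication EKU is present, and whether the chain ends at the root CA that was imported on the ASA. The $RootCaThumbprint value is an assumed placeholder; replace it with the thumbprint of your own Enterprise Root CA certificate.

```powershell
# Added example, not part of the original thread.
# Run once as a standard user and once as an administrator: a machine
# certificate that shows KeyUsable = False for the standard user is the
# "no rights for the Machine store" case described above.
$RootCaThumbprint = 'PLACEHOLDER-ROOT-CA-THUMBPRINT'   # assumed placeholder
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'                # EKU: Client Authentication

foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Write-Host "== $store =="
    Get-ChildItem $store | ForEach-Object {
        $cert = $_

        # Client Authentication EKU present? (extension OID 2.5.29.37)
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasClientAuth = $false
        if ($eku) {
            $hasClientAuth = [bool]($eku.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $ClientAuthOid })
        }

        # Can this account actually open the private key? Accessing
        # .PrivateKey throws when the key ACL excludes the current user.
        $keyUsable = $false
        try { if ($cert.PrivateKey) { $keyUsable = $true } } catch { }

        # Build the chain the way a relying party would; revocation is
        # skipped here because the ASA does its own CRL handling.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainValid = $chain.Build($cert)
        $last = $chain.ChainElements.Count - 1
        $rootThumb = $chain.ChainElements[$last].Certificate.Thumbprint

        [PSCustomObject]@{
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyUsable     = $keyUsable
            ClientAuthEKU = $hasClientAuth
            ChainValid    = $chainValid
            ChainsToAsaCA = ($rootThumb -eq $RootCaThumbprint)
        }
    } | Format-Table -AutoSize
}
```

A certificate that only appears under Cert:\LocalMachine\My will never be offered by Internet Explorer, whatever the profile says; only rows with KeyUsable, ClientAuthEKU and ChainsToAsaCA all True are candidates the ASA can validate.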

Bel Marsad Tue, 10/05/2010 - 02:14

Hello Craig,

I have configured the anyconnect profile to use client certif.:

true
        true
        false
        User
        true

Now, using the web interface, I have a popup to choose my certificate (using IE7). After choosing the certificate I am able to establish a VPN connection with the AnyConnect client, but when running the client it tells me that "your client certificate will be used for authentication", and on clicking the connect button there is an error message "Certificate validation failure"??? ???

Thanks

Belmar

Bel Marsad Tue, 10/05/2010 - 02:22

Sorry, I forgot to mention that during the attempt from the AnyConnect GUI there is nothing on the ASA with debug crypto ca 255,

and in the Windows event log there is no entry for the function getNextClientCert.??

Thanks

Belmar

Craig Lorentzen Tue, 10/05/2010 - 06:45

Hello Belmar,

I am not sure if you have the same setup as Shaun, but if the certificate is in the Machine store, then how are we going to find it when the Profile is set to use the User store?

        true
        false
        User <-- This should be Machine or All.
        true

If that doesn't help then I would highly recommend opening a TAC case so that we can review DART logs and delve into this issue.

Bel Marsad Tue, 10/05/2010 - 07:05

Hello,

We have both a machine certificate and a user certificate.

So now I have tuned the AnyConnect profile a little and I am able to do the authentication with the user certificate, but the web-based browser works only with IE7; it doesn't work with Firefox 3.

Thanks for your help

Belmar

Craig Lorentzen Tue, 10/05/2010 - 07:21

Firefox uses its own certificate store, not Microsoft's. If you want Firefox to be able to use Cert Authentication you would need to install a Personal Certificate in Firefox.

Shaun Michelson Tue, 10/05/2010 - 08:17

Okay, I was able to make some progress. It seems that my setup has been correct all along (I did have CertificateStoreOverride enabled and CertificateStore set to Machine). My problem appears to be that I had not yet downloaded the AnyConnect client to my test machine. In other words, I've been trying to test a first-time user scenario, from browsing to the SSL VPN Service website, to choosing my desired Group, to initiating the first-time download/install of the AnyConnect client, and finally connecting to the VPN. When I first browse to the website, I have the option of choosing my Group, and get a message that my client certificate will be used to log in (See attached file shot1.jpg). But when I click login, that's when I get the certificate validation failure.

So, I tried using a different group (one that only uses RADIUS authentication) just to see if I could generate some debug logs (because I wasn't seeing any using my cert-auth group). I installed the AnyConnect client and connected fine. When I went back to try testing my other (certificate-only-authentication) group using the AnyConnect client, it connected successfully.

So, my question now is, can I authenticate to the ASA using just certificates before I've actually downloaded the AnyConnect client? It's really a moot point for me, since I can make sure company-issued laptops have everything they need beforehand (certificate and client installed). But for the benefit of others, it would be nice to know if it could be done.

As a side-note, I still get the Certificate Validation Failure when trying to click Connect using the website, even after I've installed the AnyConnect client. But, if I skip the website and just try to connect using the AnyConnect client, it works fine. I'm thinking maybe this is a feature not available to me using an AnyConnect Essentials license...


Bel Marsad Fri, 10/15/2010 - 06:18


Hello,

So here are some comments about all the tests I have made with XP and W7 machines.

On XP with IE6 and IE7, profile = user certificate authentication: from the web browser the user certificate works; I have a popup to choose the certificate and can see only my user certificate. The GUI side also works fine with user certificate selection.

On XP with IE6 and IE7, profile = machine certificate authentication: from the web browser the user certificate is selected (this is a strange thing: even though I have the machine certificate mentioned in the profile, it looks like from the web browser AnyConnect doesn't look at the profile file). The GUI side also works with the machine certificate.

On W7 with IE8, profile = user certificate authentication: from the web browser it works well without a popup to choose the certificate, but from the GUI it doesn't work??? I don't understand the issue :)

On W7 with IE8, profile = machine certificate authentication: from the web browser it works with the user certificate (like above with XP and the machine certificate mentioned in the profile file, but without the popup to select the certificate; a strange thing for me, but it works :)). From the GUI there is a popup to select the certificate and I see only my machine certificate, but every time I have to click twice on the connect button to get connected??

So if you have some advice or comment please don't hesitate.

Bel

dj1967 Sat, 10/23/2010 - 04:29

Hi,

I have an issue with this too. I am using the AnyConnect client on Windows Vista: AnyConnect 2.5.1025, ASA 8.0.4.32. I have an AD infrastructure successfully issuing certificates to machines and users, offline root, sub CA etc. I have set up a trustpoint on the ASA using the root cert from the AD CA. I am using certificates to authenticate the clients, and when logged in to Vista as a user, I can manually initiate a VPN session; it successfully brings up the VPN, authenticating using the certificate and generally working perfectly. The Vista clients get two certificates via AD, a User certificate and a Machine certificate.

I log on to a Vista workstation, open up the VPN client and connect to the ASA using certificates; this is seamless and automatic: as soon as I open the client it connects without any user involvement. The interesting thing to note here (see below) is that if I delete the User certificate the client can no longer authenticate, even though there is a valid certificate in the Machine certificate store. When I debug the connection with the line "debug webvpn svc 255" and an interface capture, I can see that the client certificate isn't presented to the ASA. When I re-establish the user certificate, it all works.

Start before logon (SBL) doesn't work at all with certificates like this. I presume because there is no user certificate available when you try to initiate the connection. When debugging SBL, the debugs are identical to the ones I get when I try to connect after deleting the user certificate (as I describe above). Is the problem because of permissions on the Machine certificate store as suggested in one of the posts above?

To test this further I have also set up another ASA with a local CA server (self-signed). Again, when logged in as the user and manually initiating a connection, I get prompted to enter the one-time pass-code, save and store the certificate, and it works. When I use SBL I get the same prompts, store the certificate, and it works every time after this.

I presume that the difference is, when using the ASA as a local server, I get to save the certificate in a store that it can read/write from/to. With AD-issued certificates, because it's SBL there is no User certificate available to authenticate.

The question is: is there any way to get the client working with certificates issued by AD using SBL? Should this work? I suspect the answer may be to get the client using SCEP, not AD??

The XML profile has the following settings

true
        true
        false
        Machine
        false

Regards

Dave

Posted September 20, 2010 at 9:33 AM
Updated September 28, 2010 at 6:49 AM
Categories: AnyConnect, ASA