Authenticating AnyConnect VPN client using certificates

Shaun Michelson
Level 1

Guys, I'm trying to configure my ASA5505 to authenticate AnyConnect VPN clients by using certificates. I have 'Certificates' set as my authentication method in my AnyConnect Connection Profile (see attached screenshot), but I keep getting "Certificate Validation Failure" whenever I try to connect. The certificate I want to use is a Computer certificate issued from my Enterprise Root CA (Windows Server 2008 running Active Directory Certificate Services). Certificate screenshot is attached. I've added the Root certificate on the ASA, and I've tried all manner of combinations using Certificate Matching in the AnyConnect Client Profile. Every attempt has failed, and I'm having no luck finding documentation on how to proceed. Any help would be greatly appreciated!

Accepted Solution

Hello Shaun,

The problem you are describing, not being able to authenticate via certificate through Microsoft Internet Explorer, is because the certificate is in the Machine store. You would want to confirm with Microsoft, but it is my understanding that Microsoft Internet Explorer only uses the User Store, so the certificate is not available to be presented to the ASA through the web browser.

-Craig


22 Replies

slawford
Cisco Employee

Hi Shaun,

What browser are you using to connect with, and are you being prompted to select the certificate you want to use?

Regards,

Steve.

Hey Steve, using IE8 and I'm not being prompted to choose a certificate.

Thanks Shaun,

Have you tried connecting with Firefox? If so, do you see the same behaviour?

Please also note that IE8 is only supported from ASA version 8.3.1 and above (http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp160950).

Regards,

Steve.

Thanks for the info on IE8 support. We're using ASA version 8.2.2, so that could be an issue. I tried connecting with Firefox v3.6.10, and I am not being prompted to choose a certificate.

Could you add the show run?

Added the (scrubbed) running config in the attachments.

Hi,

I have exactly the same issue testing AnyConnect 2.5 with ASA 8.2.2.

I have a machine certificate issued by our internal CA (MS 2003); on the ASA WAN interface there is an SSL certificate issued by the Verisign CA.

Each time I want to connect from an XP client, with either Firefox or IE 7.0, there is an error message: authentication failure.

You mentioned at the top that you enabled the root certificate on the ASA? Could you please let me know about this?

I can't find a Cisco doc on enabling AnyConnect client authentication by certificate.

Thanks for your help

Bel,

To install my Enterprise Root CA certificate, I first browse to http://servername/certserv within my network (where servername is the name of your Enterprise Root CA) and click on "Download a CA certificate, certificate chain, or CRL". (You need to have installed the Certification Authority Web Enrollment service on your Enterprise Root CA server before this works.) Once I've downloaded the CA certificate, on the ASA I go to Configuration --> Remote Access VPN --> Certificate Management --> CA Certificates, then click on "Add" and browse to my Desktop where I've saved the certificate. Hope this helps.

Hello,

Thanks for your answer, I downloaded our CA certificate in DER format:

Encoding method: DER (this one), Base 64

Install CA certificate
Download CA certificate (this one)
Download CA certificate chain
Download latest base CRL
Download latest delta CRL

And installed it on my ASA.

And now how can I direct my user profiles to validate this certificate?

Thanks

Ha...that's what I'm trying to figure out through this forum.

Okay, now we have to wait for help.

Craig Lorentzen
Cisco Employee

Hello Shaun,

Since you are trying to use a Machine Certificate (Local Computer store instead of User store), you need to have configured your AnyConnect Profile to have the CertificateStoreOverride and ensure that the CertificateStore is All or Machine. By default it is set to All; however, most users do not have the rights for the Machine store and thus cannot get the certificate. Also, your web browser would not have access to a Machine Cert either.

During a connection attempt you would want to monitor the

  debug crypto ca 255

to ensure that the ASA is in fact receiving a certificate for authentication. Use terminal monitor to see the debugs in your SSH session.

You can also check the AnyConnect Event Logs from the Windows Event Log viewer and look for a vpnui entry where the function is getNextClientCert to see if the client found your certificate.

You could also try installing the certificate in the User Store and see if that makes a difference.

I hope that this helps,
Craig
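An added example (not from this thread, and not Cisco's own profile) of the two AnyConnect client profile settings Craig refers to, shown as they appear inside the profile's ClientInitialization section. The commented-out values are the ones that keep a machine certificate from being found; the active values select the Local Computer store. The surrounding element names follow the standard AnyConnect profile layout; the rest of the profile is omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile fragment, not the poster's actual profile. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Weak/failing combination for a machine certificate:
           <CertificateStore>User</CertificateStore>
           <CertificateStoreOverride>false</CertificateStoreOverride>
         Only the current user's store is searched, so a certificate
         issued to the computer is never offered to the ASA and the
         client reports "Certificate Validation Failure". -->

    <!-- Corrected combination: search the Local Computer store and let
         the client use it even when the logged-on user has no rights
         to enumerate that store. "All" also works, as Craig notes. -->
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
</AnyConnectProfile>
```

While testing the change, run the debug Craig mentions (debug crypto ca 255 with terminal monitor) on the ASA and look for the vpnui getNextClientCert entry in the Windows event log to confirm the client actually located and sent the certificate.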

Hello Craig,

I have configured the AnyConnect profile to use the client certificate:

true
        true
        false
        User
        true

Now, using the web interface, I get a popup to choose my certificate (using IE7). After choosing the certificate I am able to establish a VPN connection with the AnyConnect client, but when running the client it tells me that "your client certificate will be used for authentication", and when clicking the connect button there is an error message "Certificate validation failure"???

Thanks

Belmar

Sorry, I forgot to mention that during the attempt from the AnyConnect GUI there is nothing on the ASA with debug crypto ca 255,

and in the Windows event log there is no entry for the function getNextClientCert.

Thanks

Belmar
