Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1423
Views
0
Helpful
3
Replies

Cert and AD Authentication using AnyConnect 3.0.xxxx

Chris McDaniel
Level 1
Level 1

‎05-30-2012 07:42 AM - edited ‎02-21-2020 06:06 PM

Group -

I apologize in advance if this topic has already been discussed.

I have a need to utilize two factor authentication using a machine certificate and users AD crednetials.  What we would like to do is to have the ASA and AnyConnect verify the certificate exists, check against our in house CA for validity, if valid pass the user credentials to the AD servers and establish the tunnel. If not valid quarantine the session and pop a message to the user to contact the help desk ASAP. 

My guess is the following (using ASDM 6.6, ASA 8.6.1, ASA 5545-X):

1. under the connection profile I have select BOTH for authentication and added a AAA server group.

2. under Cert Management I have added the 3 certs that are present on all company mobile assets

     - Cert America

     - Cert Europe

     - Cert Root

3. I have an identity cert installed from the company CA and it is selected as the device cert under connection profiles

4.Local Cert Authority is Disabled

5.Under Remote Access>Advanced>Certs for AnyConnect>

     - I have mapped DefaultCertifiateMap pri 10 to Company_Cert connection profile

     - The mapping is looking for Subject: CN: <Contains> (string) ----where string is a common component of each Cert listed in #2.

Question #1 - Is this correct for utilizing certs and AD auth or have a missed any steps?

Users are directed to a an initial installation URL https://company.us.com/url - where the AnyConnect client performs the installation and passes down the intial AC profile which auths using only AD creds.  On subsequent connections users who pass the certificate mapping check are migrated to the connection profile which uses the dual authentication method. 

Question #2 - When I attempt a new installation of AnyConnect using the two factor URL (https://company.us.com/certurl) I recieve an error "certificate validation error" and the installation fails - for the life of me I can not figure out why????  The machine has all three certs, using IE9 as the browser.

Any assistance would be greatly appreciated.  I have read through ASA 8.4.x config guides and ASDM 6.x config guides, but have now gone RTFM blind.

Thanks in advance!

Labels:
0 Helpful
3 Replies 3

Mohammad Alhyari
Cisco Employee
Cisco Employee

‎06-02-2012 12:16 PM

Good Evening ,

what happned if you connect to the Two factor authentication using standalone version . you need to be aware that connecting with clientless SSL will not have the access to the machine store of the PC . while the anyconnect can do it.

if you are still the getting certificate validation failure with the standalone connection , then we need to check the following :

is the client failing to send the certifiacte ?

is the ASA failing to verify the certificate ?

please collect the DART Tool output and post it here :

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac12managemonitortbs.html#wp1070440

Cheers.

Mohammad.

0 Helpful

Chris McDaniel
Level 1
Level 1
In response to Mohammad Alhyari

‎06-04-2012 09:26 AM

Hi Mohammad

Using the client and two factor - it works wonderfully.  What I am trying to accomplish is CERT based installation on a new client.

I want the user to access the URL https://company.us.com/certurl and then have the ASA verify the machine cert, then install the client. 

0 Helpful

Chris McDaniel
Level 1
Level 1
In response to Chris McDaniel

‎06-12-2012 08:46 AM

Issue resolved by TAC

0 Helpful
Customers Also Viewed These Support Documents