This last week I've been setting up an ASA5515x for the sole purpose of being our VPN concentrator. We're doing 2-factor auth with certificates and AD credentials.
For employees, we are issuing company-owned laptops with device certificates installed.
For third-party vendors, we are issuing user certificates.
The big issue I am running into is the first login for employees. If they try to connect via AnyConnect, it returns a certificate error and after clicking OK they are prompted to select a VPN alias. After selecting that and clicking OK, the process repeats with the certificate error. If I change the VPN profile to strictly use AAA, they get prompted for their AD credentials and get logged in just fine. After this, I can change the VPN profile back to using both certificates and AAA and the client can connect perfectly fine.
So, it appears that until AnyConnect downloads a profile that instructs it to dip into the machine certificate store, AnyConnect won't look there. I had the exact same issue when setting up the vendors. For the vendors it was solved by using IE to go to the web portal and logging in there. Once logged in, the AnyConnect profile would download and it would work flawlessly after that.
Unfortunately, the above isn't working for employees with device certificates. When trying to log into that VPN group via IE, I get a similar certificate error. I suspect it's because IE isn't dipping into the machine certificate store to present the device certificate to the web portal.
So here I am, stuck with a chicken-or-the-egg scenario: AnyConnect needs the profile before it can connect, but it has to connect to get the profile. I suppose we could email the XML file with instructions on where to drop it, but asking our users to navigate into hidden folders on Windows would be tough.
Perhaps I am overlooking the obvious, but it seems like a poor design of AnyConnect that when it has NO PROFILE saved it won't at least try all the methods (machine cert, user cert, etc.) to get connected the first time.
Anyone have any ideas to work around this?
(from my not-so-recent experience with the VPN part of AC)
For employees, you can create a mockup of the situation that your 3rd parties have.
I.e. a separate profile for first launch (provisioning?) which will automatically start AnyConnect upon entering AD credentials and download the profile.
All subsequent logins should work fine, provided the AC profile was downloaded and properly done.
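Since the employee laptops are company-owned and managed, the other way out of the chicken-or-the-egg problem described in the question (and an alternative to the provisioning profile suggested in the reply) is to pre-stage the client profile on the machine before the first connection, so AnyConnect already knows to look in the machine certificate store. The script below is an added example, not code from either poster or from Cisco. It assumes the default AnyConnect profile directory under `%ProgramData%` on Windows, uses `vpn.example.com` and `EmployeeVPN.xml` as constructed placeholders, and relies on the `CertificateStore` / `CertificateStoreOverride` elements of the AnyConnect client profile schema. Run it as an administrator (GPO startup script, SCCM, or similar) so users never have to browse hidden folders.

```powershell
# Added example (not from the thread): pre-stage an AnyConnect client profile on
# managed Windows laptops so the very first connection already uses the
# LocalMachine certificate store. Must run elevated.
#
# Assumptions / placeholders to adjust:
#   - vpn.example.com : the ASA's public name (constructed placeholder)
#   - EmployeeVPN.xml : must match the profile name served by the ASA for that group,
#                       otherwise the client will replace this file with the ASA's copy
#   - $ProfileDir     : AnyConnect's default profile location on Windows; verify on your build
$ProfileDir  = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$ProfileName = 'EmployeeVPN.xml'

# Minimal client profile. CertificateStore=Machine tells the client to search the
# computer store; CertificateStoreOverride=true allows that even for non-admin users.
$ProfileXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Employee VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"@

# Parse the XML first: a malformed profile is ignored silently by the client.
try {
    $parsed = [xml]$ProfileXml
} catch {
    throw "Profile XML is not well-formed: $_"
}

if (-not (Test-Path $ProfileDir)) {
    New-Item -ItemType Directory -Path $ProfileDir -Force | Out-Null
}

# Write UTF-8 without a BOM, as the client expects.
$target = Join-Path $ProfileDir $ProfileName
[System.IO.File]::WriteAllText($target, $ProfileXml, (New-Object System.Text.UTF8Encoding $false))
Write-Host "Staged AnyConnect profile at $target"

# Sanity check: the profile only helps if a usable device certificate actually exists.
# Look for a non-expired cert in LocalMachine\My with a private key and the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$deviceCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthOid)
}

if (-not $deviceCerts) {
    Write-Warning 'No usable device certificate in LocalMachine\My; the certificate step will still fail.'
} else {
    $deviceCerts | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}
```

Two points worth checking when you adopt this: the profile name and contents should match what the ASA pushes for the same group policy, because the client replaces its local profile with the ASA's copy on each successful connection; and the device certificate must carry the Client Authentication EKU and chain to a CA the ASA trusts, which the final check above only partially confirms (it does not validate the chain).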