Anyconnect profile, chicken or the egg situation

dennylester
Level 1

This last week I've been setting up an ASA5515x for the sole purpose of being our VPN concentrator. We're doing 2 factor auth with certificates and AD credentials.

For employees, we are issuing company owned laptops with device certificates installed.

For third party vendors, we are issuing user certificates

The big issue I am running into is the first login for employees. If they try to connect via Anyconnect, it returns a certificate error and after clicking okay they are prompted to select a VPN Alias. After selecting that and clicking okay, the process repeats with the certificate error. If I change the VPN profile to strictly use AAA, they get prompted for their AD credentials and get logged in just fine. After this, I can change the VPN profile back to using both Certificates and AAA and the client can connect perfectly fine.

So, it appears that until Anyconnect downloads a profile that instructs it to dip into the Machine Certificate store, Anyconnect won't look there. I had the exact same issue when setting up the Vendors. For the Vendors it was solved by using IE to go to the web portal and logging in there. Once logged in the Anyconnect profile would download and it would work flawlessly after that.

Unfortunately the above isn't working for employees with device certificates. When trying to log into that VPN group via IE, I get a similar certificate error. I suspect it's because IE isn't dipping into the Machine certificate store to present the device certificate to the web portal.

So here I am stuck with a chicken or the egg scenario, Anyconnect needs the profile before it can connect, but it has to connect to get the profile. I suppose we could email the XML file with instructions on where to drop it, but asking our users to navigate into hidden folders on Windows would be tough.

Perhaps I am overlooking the obvious, but it seems like a poor design of Anyconnect that when it has NO PROFILE saved it won't at least try all the methods (Machine cert, user cert, etc) to get connected the first time.

Anyone have any ideas to work around this?

TIA,

Denny

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Danny,

(from my not-so-recent experience with VPN part of AC)

For employees, you can create a mockup of a situation that your 3rd parties have.

I.e. a separate profile for first launch (provisioning?) which will automatically start anyconnect upon entering AD credentials and download the profile.

All subsequent logins should work fine provided the AC profile was downloaded and properly done.

M.

dennylester
Level 1

Hi Marcin,

This worked perfectly, after locating the screen in the Group configuration where I could specify the profile to be pushed. I then configured this group to log the user out after 1 minute and as you stated, the next time they connect they're correctly mapped to the correct Profile.

Thank you so much, you saved the rest of my weekend.

Denny
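The provisioning workaround from the accepted answer and Denny's follow-up, written out as an added ASA CLI example that is not from the original thread: a separate AAA-only tunnel group that pushes the AnyConnect client profile and times the session out after one minute, beside the certificate-plus-AD production group. The group, tunnel-group, AAA server-group and profile names are assumptions.

```cisco
! Added example (not from the thread); names below are assumptions.
webvpn
 enable outside
 ! Client profile XML on flash. For the machine-certificate case it
 ! should carry <CertificateStore>Machine</CertificateStore> (or All)
 ! so AnyConnect looks in the machine store on later connections.
 anyconnect profiles EMPLOYEE-PROFILE disk0:/employee.xml
 anyconnect enable
!
! Step 1: provisioning group - AD credentials only, one-minute session,
! pushes the profile so the client has it before the second connect.
group-policy GP-PROVISION internal
group-policy GP-PROVISION attributes
 vpn-tunnel-protocol ssl-client
 vpn-session-timeout 1
 webvpn
  anyconnect profiles value EMPLOYEE-PROFILE type user
tunnel-group TG-PROVISION type remote-access
tunnel-group TG-PROVISION general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-PROVISION
tunnel-group TG-PROVISION webvpn-attributes
 authentication aaa
 group-alias Provisioning enable
!
! Step 2: production group - device certificate plus AD credentials.
group-policy GP-EMPLOYEE internal
group-policy GP-EMPLOYEE attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value EMPLOYEE-PROFILE type user
tunnel-group TG-EMPLOYEE type remote-access
tunnel-group TG-EMPLOYEE general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-EMPLOYEE
tunnel-group TG-EMPLOYEE webvpn-attributes
 authentication aaa certificate
 group-alias Employees enable
```

Users connect once to the Provisioning alias with AD credentials, get dropped after a minute, and from then on connect to the Employees alias, where the pushed profile makes the client present the device certificate.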
