Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
279758
Views
80
Helpful
41
Comments

AnyConnect Certificate Based Authentication.

Marvin Ruiz
Level 1
Level 1
‎08-27-2012 05:20 PM

The information in this document is based on these software and hardware versions:

 

    ASA 5510 that runs software version 8.2(2) and ASDM version 6.4(9)

 

    Anyconnect client  software version 3.0 (It will work the same for versions prior to 8.3)

 

 

    Microsoft Windows 2003 server as the CA server for the scenario.

 

 

Since the ASA version in use is 8.2.x we can enable per tunnel-group certificate authentication.

 

(Feature in the ASA 8.2.x release, using pre-8.2.x ASA code it will require to globally enabling the certificate authentication with the command

  "ssl certificate-authentication interface <interface> port <portnum>").

 

 

 

In order to acomplish the AnyConnect authentication using certificates the AnyConnect client should get a valid certificate from the CA server, at the

same time the ASA should have the CA Root certificate in order to properly validate the certificate of the connecting client.

 

 

 

1.bmp

 

 

 

1-) Make sure you have an AnyConnect image applied in the ASA firewall:

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software

 

 

Click the Add button, and browse the flash for the proper image (optionally you can upload the client from the local PC).

 

 

2.bmp

 

 

2-) Enable anyconnect in the outside interface:

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

 

Check the box "Enable Cisco AnyConnect VPN Client or legacy SSL Client"

 

Then select the interface where the AnyConnect clients will be connecting to (in this example the outside interface).

 

 

3.bmp

 

 

 

The " Allow user to select connection profile" check option will allow the AnyConnect user to select the group they will be connecting to.

 

 

 

3-) Create a new AnyConnect connection profile:

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

 

 

Click the Add button, the "AnyConnect connection profile" window will open.

 

Give the connection profile a name and optionally a group alias.

 

 

Click the "Select" button next to the "Client Address Pools" option.

 

The " Select Address Pools" window will appear.

 

Click the "Add" button in order to create a new pool of addresses.

 

 

 

4.bmp

 

 

 

4-) Create a Group-policy:

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

 

Click the "Manage" button  next to the "Group Policy" option in the connection profile.

 

Click the "Add" button in order to create the new policy.

 

 

Give the policy a name (In this example "AnyConnect-Policy") and check the "Clientless SSL VPN" and "SSL VPN Client" boxes, then click the "ok" button.

 

 

5.bmp

 

 

 

The AnyConnect group have been created at this point.

 

 

 

 

5-) Install the CA certificate in the ASA:

 

 

The CA certificate must be downloaded from the CA server and installed in the ASA.

 

Complete these steps in order to download the CA certificate from the CA server.

 

Perform the web login into the CA server CA-server with the help of the credentials supplied to the VPN server.

 

6.bmp

 

 

 

Click Download a CA certificate, certificate chain or CRL in order to open the window,

as shown. Click the Base 64 radio button as the encoding method, and click Download CA certificate.

 

 

7.bmp

 

 

Save the CA certificate with the certnew.cer name on your computer.

 

 

8.bmp

 

 

 

Go to Configuration > Remote Access VPN > Certificate Management > CA Certificates in the ASA firewall.

 

Click on the "Add" button, the "Install Certificate" window will open.

 

Click the "Browse" button next to the "Install from a file" option.

 

Browse to the location where you saved the CA certificate, highlight the CA certificate and click on the "Install" button.

 

 

9.bmp

 

 

At this point the CA certificate will be installed in the ASA fiwall and it willl be able to validate the connecting users, which user's certificate was created from the same CA server.

 

 

 

 

6-) Go back to the AnyConnect connection profiles and change the profile to use certificate authentication:

 

 

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

 

Highlight the "AnyConnect-group" profile and click the "Edit" button.

 

 

The "Edit AnyConnect Connection Profile" will open, then you will be able to select the authentication method to be "Certificate"

 

 

10.bmp

 

 

 

Click the "OK" button and then click "Apply"

 

(Remember to save the configuration performed)

 

 

11.bmp

 

 

 

 

7-) The next step would be to install the certificate in the AnyConnect client PC:

 

 

The user will need to log in into the CA server with his credentials.

 

 

12.bmp

 

 

 

Once in the CA server, the user will need to click in the "Request a certificate" option.

 

13.bmp

 

 

The user will want to select the "User Certificate" option.

 

 

14.bmp

 

 

 

 

At this point the CA sever will provide the user certificate to be installed.

 

 

 

15.bmp

 

 

Once the certificate is installed the user will be able to connect the AnyConnect client authenticating with the previously installed certificate

(No username and password required)

 

 

16.bmp

 

 

Below you will find how the configuration should look like in the CLI interface:

 

 

 

 

ip local pool AnyConnect 10.10.10.1-10.10.10.254 mask 255.255.255.0

 

      group-policy AnyConect-policy internal

      group-policy AnyConect-policy attributes

        vpn-tunnel-protocol svc webvpn

 

 

      tunnel-group AnyConnect-group type remote-access

      tunnel-group AnyConnect-group general-attributes

        address-pool AnyConnect

        default-group-policy AnyConect-policy

      tunnel-group AnyConnect-group webvpn-attributes

        authentication certificate

        group-alias AnyConnect enable

 

 

 

         webvpn

          enable outside

          svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1

          svc enable

          tunnel-group-list enable

 

 

 

 

crypto ca trustpoint ASDM_TrustPoint0

        revocation-check none

        no id-usage

        enrollment terminal

 

      crypto ca authenticate ASDM_TrustPoint0

 

        MIIEtDCCA5ygAwIBAgIQcNSMRXs696JMHFgTc+OKPjANBgkqhkiG9w0BAQUFADBV

        MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY3J0YWMxFjAU

        BgoJkiaJk/IsZAEZFgZ2cG5sYWIxDzANBgNVBAMTBnZwbmxhYjAeFw0xMjA2MDUy

        MDAyNThaFw0xNzA2MDUyMDExNTdaMFUxEzARBgoJkiaJk/IsZAEZFgNjb20xFTAT

        BgoJkiaJk/IsZAEZFgVjcnRhYzEWMBQGCgmSJomT8ixkARkWBnZwbmxhYjEPMA0G

        A1UEAxMGdnBubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Wo7

        iCHElRUbgGAJgsf52AxlQLmeyMTSgS2I6/hTCOmra5BkP4cUieSeWqnOAPYgGTj/

        it3qGVLBjkjf2sHBUBHfIUm8nnQF2UNjTbJZVIfCAyrHoRXNDFNV6qlKFoMmi7VG

        2CudXsbuC86LsFDTMkk2Y2UB/T1xUpf5TBX+uQDb7w4jIZs1DkpQBmE946lH8vyA

        GHU6RdainLr/44Sa0iPjzngMdssq0QlE/8gYWr6HsAOvmKhf8RcokjqXEQ36JyAF

        +N/6sqoDTYl6jXg72PuoLO/zcmu8qbY+aRQGu5tlKXVemb9FyEKOuLe/Q4PirCz1

        TUHw8urOHcHCquo5PwIDAQABo4IBfjCCAXowEwYJKwYBBAGCNxQCBAYeBABDAEEw

        CwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNI2q3uAQNAg

        nR+BfjqEcGUZaHoNMIIBEgYDVR0fBIIBCTCCAQUwggEBoIH+oIH7hoG7bGRhcDov

        Ly9DTj12cG5sYWIsQ049dnBuLXNlcnZlci0wMSxDTj1DRFAsQ049UHVibGljJTIw

        S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz12

        cG5sYWIsREM9Y3J0YWMsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/

        YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIY7aHR0cDovL3Zw

        bi1zZXJ2ZXItMDEudnBubGFiLmNydGFjLmNvbS9DZXJ0RW5yb2xsL3ZwbmxhYi5j

        cmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEHyvayVbKqT

        0rwZNFBC3GAnUCDCK3kJxyjvir+T2pcCVS5KLukhTcDtr5VBOrSGsFA+zJvqB7qS

        dwAvh9tKjpdb6rQKM5bo7NKii7mU71WxK8/wSupLMlNEZemvZcnaLKB2P5TGwJ0K

        9LTp/rT89pvO9QbEMnRMPi0dPHQbu90sDLLBksxUfXII8qNyjjqNnVq2GDHX56Gz

        DzltLTLnrL4Gb/1M9ulwO2bzNV9J7uVg6iELJDbzkHFaCNXTvQJyDsN41xETg54Y

        uv6hViCXnu0SaaWi2rjVqx8pUXD7O3jrH9jnBC71cUqzv+MBvJI3th9iMMA80Gno

        Rl0Ipuf7dYk=

        quit

 

 

I hope this information can be helpful for you..

Labels:
41 Comments
y.lo
Level 1
Level 1
‎12-16-2015 10:10 PM
‎12-16-2015 10:10 PM

Why does the ASA not require an identity certificate?

0 Helpful
brianyoung1
Level 1
Level 1
‎01-14-2016 01:38 PM
‎01-14-2016 01:38 PM

This is a good write up but I have a question.  From a security point of view, what methods are there to prevent a user from exporting the client certificate and importing it on multiple devices?

Without 2fa (i.e username and password) the client certificate just comes up as unknown for the user and if it is a device that has not been revoked just loading the certificate device to device will allow rooted or other potential devices to get in or even ex employees.  Outside the cert expiration date if you do not have a 2fa a generic device (like a shared Ipad) could be an easy conduit to a savvy person for backdoor access.  Its nice convenience but seems to me it has its flaws without a 2fa on top of it. 

So from a best practices standpoint would you ever implement just cert authentication for public vpn without a 2fa on top, as certificates can be forgotten or not revoked where typically a user account is termed when someone is let go. 

0 Helpful
sciarrino
Level 1
Level 1
‎08-08-2016 01:09 PM
‎08-08-2016 01:09 PM

Exactly Can you have the FW do Certificate authentication and 2fa?  We want to use the Certificate authentication to limit what computers people connect with can it be used for that?

Marvin are you still with us?

Thanks....

0 Helpful
szeledon
Level 1
Level 1
‎10-25-2016 10:36 AM
‎10-25-2016 10:36 AM

Hello y.lo

For certificate authentication the ASA only needs to know the issuer of the client certificate as one of his Trustpoints. For SSL connection the client will check the identity certificate of the ASA installed on the outside interface but that could be issued from a different CA like the ones you request from public entities DigiCert, Symantec, etc.

Cheers

0 Helpful
tellis002
Spotlight
Spotlight
‎04-01-2017 08:15 PM
‎04-01-2017 08:15 PM

You could, when installing the certificate, mark it as not exportable, but that can be bypassed with some fancy tools.  But you could, use DAP on the ASA to pull certain attributes from the end point for another 'check'.  Like maybe a certain OS type, a special file residing on the device, etc.  

The end user would not be able to tell what you are checking for.

0 Helpful
swatijim16
Level 1
Level 1
‎07-26-2017 03:21 AM
‎07-26-2017 03:21 AM

Hi,

Is it required to generate certificate in SSL VPN anyconnect configuration.

0 Helpful
bern81
Level 1
Level 1
‎05-14-2018 12:06 AM
‎05-14-2018 12:06 AM

Hello Marvin,

 

Great Post !

Would you please advise how you configure the anyconnect client to make it select the correct conn-Profile transparently from the end-user.

Since let's say there are many connection-profiles configured on the ASA.

In your last snapshot i see you are only connecting to the asa.cisco.com without specifying a url or alias.

 

Thank you in advance.

Bernard

 

0 Helpful
Steven Williams
Level 4
Level 4
‎05-08-2019 11:57 AM
‎05-08-2019 11:57 AM

When you are migrating certs for SSL-clients and need clients to be able to connect with old cert and new certs to the same ASA on the same interface, is this something that is supported and if so how do you allow both certs to work on the same interface? I know how to do it for Site to Site VPN but not SSL client VPN. 

0 Helpful
bern81
Level 1
Level 1
‎05-08-2019 11:42 PM
‎05-08-2019 11:42 PM

Hi Steven,

 

you could make something called certificate to connenction profile mapping, it is like if /then condition.

for example you could say if the user certificate issuer CN= company.CA  then assign connection profile X to this user connecting.

If you have many machine certs on ur connecting PC you could do the certificate mapping in the client XML Profile.

I hope this was your question.

Please rate if helpful

 

0 Helpful
Steven Williams
Level 4
Level 4
‎05-13-2019 05:32 AM
‎05-13-2019 05:32 AM

The devices that I have connecting are not users, but yet printers, so they will not have the option to choose a connection profile in the drop down on anyconnect. So is this still possible with that scenario? If so do you have  some documentation you can provide a link for?

 

0 Helpful
TomArner
Level 1
Level 1
‎04-14-2023 02:11 PM
‎04-14-2023 02:11 PM

It's 2023 this post is very dated. ASA AC  VPN group profiles using the microsoft Windows the supplicant, EAP and Machine Certificate Authentication and any type of AAA is very common. I would think it would be easier to find some documentation and links as this should be readily available...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents