AnyConnect client Cert Authentication on ASA : the Chicken or the egg

vincent.monnier
Level 1

Hello,

I want to deploy AnyConnect SSL VPN client with an ASA appliance, using certificate authentication only.

In order to be able to request a certificate via SCEP on the AnyConnect client, I have to download an AnyConnect XML profile from the ASA. But this can be done only if the AnyConnect client is authenticated on the ASA?! Is it a question of chicken or egg?

I have read all the documentation regarding this subject on Cisco.com but I haven't found any answer. Does anybody have a suggestion about this? I must have missed something, for sure.

Thanks in advance.

Vincent

P.S.: We could imagine manually deploying the AnyConnect XML profile on the Windows machine, but what about other OSes like iPhone/iPad, where we have no access to the file system...

4 Replies

vincent.monnier
Level 1

Hi,

Any suggestions about this deployment question?

Any remarks or comments are welcome.

Vincent

FYI

I've finally managed to deploy certificates on the AnyConnect client (Win/Mac OS-X, iPhone/iPad) by using a PKCS#12 file.

How did you accomplish this? I am trying to do the same thing with an ASA and Microsoft CA server.

Thanks

Hi Paul,

I generate a PKCS#12 file that encloses the client certificate + the associated private key + the CA cert chain.

I deployed it on the client host machine by just sending it by e-mail / USB key / Web plushing.

Depending on your client OS version, the client certificate should be present in the "login" store of the keychain repository on a Mac OS X client and in the "personal" store of the certificate repository on a Windows client.

And that's it.

Vincent
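
The PKCS#12 bundle described in the last reply (client certificate + private key + CA chain), as an added lab example that is not part of the original thread. It assumes the `openssl` command-line tool, which the thread does not name; the throwaway CA, subject names, file names and passphrase are all constructed, and the CA stands in for the real issuing CA.

```shell
#!/bin/sh
# Added lab example: subjects, file names and passphrase are constructed.

make_client_p12() (   # $1 = work dir, $2 = export passphrase
    set -eu
    umask 077         # keys and bundle readable by the owner only
    dir=$1 pass=$2
    mkdir -p "$dir"
    # 1. Throwaway CA certificate and key (stand-in for the real CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Client key pair and certificate signing request
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn-user-01" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # 3. Client certificate restricted to TLS client authentication
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -days 30 -extfile "$dir/client.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    # 4. Bundle client cert + private key + CA chain under the passphrase
    openssl pkcs12 -export -name "vpn-user-01" -inkey "$dir/client.key" \
        -in "$dir/client.crt" -certfile "$dir/ca.crt" \
        -passout "pass:$pass" -out "$dir/client.p12"
    # 5. The bundle now carries the key; remove the unencrypted copy
    rm -f "$dir/client.key"
)

# Number of certificates in the bundle (fails on a wrong passphrase)
p12_cert_count() {    # $1 = bundle, $2 = passphrase
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Number of private keys in the bundle (fails on a wrong passphrase)
p12_key_count() {     # $1 = bundle, $2 = passphrase
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -c 'BEGIN.*PRIVATE KEY'
}

if [ "${1:-}" = "demo" ]; then
    make_client_p12 ./p12-demo 'Constructed-Pass-1'
    echo "certificates in bundle: $(p12_cert_count ./p12-demo/client.p12 'Constructed-Pass-1')"
fi
```

Checking the certificate and key counts before distribution confirms that the CA chain was included, since a bundle holding only the client certificate may not validate on the device.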