Cisco Support Community


AnyConnect - Machine certificate authentication + LDAP AAA

Hi all,

I would like to use SSL VPN (AnyConnect) with the following authentication setup on my ASA 5510s in failover:

- AAA LDAP to authenticate my users on AD

- machine certificate authentication to verify that a corporate asset is connecting to the VPN

Without the machine certificate authentication, the setup works very well. All users can authenticate and the VPN connection is established.

As soon as I add the requirement for the machine certificate authentication, it doesn't work any longer.

I've tried this:

- uploaded my root CA certificate to the ASA

- in the properties of my connection profile, I've set the "authentication method" to both

- added the command "ssl certificate-authentication"

When I now try to connect with AnyConnect, I'm unable to select my connection profile. The "Group" field in the AnyConnect client is just blank.

After entering the username and password nothing happens.

After changing the authentication method on the ASA to "AAA", the connection profile shows correctly in the AnyConnect client and I'm able to log in.

Any ideas? What are the necessary steps to configure machine certificate authentication + LDAP for AnyConnect SSL VPN?

Many thanks!
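For reference, here is the ASA CLI equivalent of the setup described in the question above (LDAP AAA plus a client certificate on one connection profile). This is an added example, not configuration from the original poster or from Cisco. All names, addresses and DNs are assumed (the AD host 10.0.0.10, the base DN, the service account, the trustpoint CORP-ROOT-CA, the issuer CN "CorpRootCA", the tunnel-group CORP-VPN, the group policy CORP-GP and the AnyConnect package filename); the `webvpn` keywords use ASA 8.4+ syntax (`anyconnect image` / `anyconnect enable`; on 8.2 they are `svc image` / `svc enable`).

```cisco
! Added example; every name, address and DN below is an assumption, not from the post.
!
! 1. LDAP authentication against Active Directory
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=corp,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
!
! 2. Trustpoint holding the corporate root CA that issued the machine certificates.
!    After this, run "crypto ca authenticate CORP-ROOT-CA" and paste the root PEM.
!    revocation-check crl makes the ASA reject revoked machine certificates
!    (a decommissioned laptop keeps its certificate until you revoke it).
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
 revocation-check crl
!
! 3. Request a client certificate in the TLS handshake on the outside interface.
!    This is the full form of the "ssl certificate-authentication" command.
ssl certificate-authentication interface outside port 443
!
! 4. Only certificates whose issuer CN matches the corporate CA (assumed value)
!    match this map; matching connections are steered to the profile in step 7.
crypto ca certificate map CORP-MACHINE-CERTS 10
 issuer-name attr cn eq CorpRootCA
!
! 5. Group policy for AnyConnect SSL clients
group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol ssl-client
!
! 6. Connection profile requiring BOTH a valid certificate and LDAP credentials
!    ("authentication aaa certificate" is the CLI form of ASDM's "Both").
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
 group-alias CORP-VPN enable
!
! 7. Enable AnyConnect on outside, publish the profile list (tunnel-group-list enable
!    is what fills the "Group" drop-down in the client) and bind the certificate map.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.x.pkg 1
 anyconnect enable
 tunnel-group-list enable
 certificate-group-map CORP-MACHINE-CERTS 10 CORP-VPN
```

Two things worth checking while troubleshooting a setup like this: `tunnel-group-list enable` under `webvpn` is required for the client to show any profile in the Group field at all, and with `ssl certificate-authentication` the ASA asks for the certificate during the TLS handshake, before the user is prompted for credentials, so a client that has no acceptable certificate never reaches the login stage. On the client side, the certificate has to live in the Windows machine store, and AnyConnect only reads that store for a non-administrator user when the client profile allows it (`CertificateStoreOverride` set to true). `debug ldap 255` and `debug crypto ca 255` on the ASA show which of the two authentication steps is failing.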


Re: AnyConnect - Machine certificate authentication + LDAP AAA

Hey there, this is what I got from our KB. It seems you need Secure Desktop to enable certificate validation; follow this procedure:

To check if a machine has a certificate before the user is even prompted for a login, you will need to use Secure Desktop Manager. Open up ASDM, click on Remote Access VPN > Secure Desktop Manager > Setup, make sure that you have Secure Desktop on the flash of your ASA, and make sure that the checkbox "Enable Secure Desktop" is checked. After that has been checked, a tab called Prelogin Policy should come up. Click on that and there should be a diagram that looks like the following:

Start ---->+Default

Click on the "+" sign next to the Default policy, change the check to certificate, and configure the certificate you want it to check.

Let us know how it works.
