This last week I've been setting up an ASA5515x for the sole purpose of being our VPN concentrator. We're doing 2 factor auth with certificates and AD credentials.
For employees, we are issuing company owned laptops with device certificates installed.
For third party vendors, we are issuing user certificates.
The big issue I am running into is the first login for employees. If they try to connect via Anyconnect, it returns a certificate error and after clicking okay they are prompted to select a VPN Alias. After selecting that and clicking okay, the process repeats with the certificate error. If I change the VPN profile to strictly use AAA, they get prompted for their AD credentials and get logged in just fine. After this, I can change the VPN profile back to using both Certificates and AAA and the client can connect perfectly fine.
So, it appears that until Anyconnect downloads a profile that instructs it to dip into the Machine Certificate store, Anyconnect won't look there. I had the exact same issue when setting up the Vendors. For the Vendors it was solved by using IE to go to the web portal and logging in there. Once logged in the Anyconnect profile would download and it would work flawlessly after that.
Unfortunately the above isn't working for employees with device certificates. When trying to log into that VPN group via IE, I get a similar certificate error. I suspect it's because IE isn't dipping into the Machine certificate store to present the device certificate to the web portal.
So here I am stuck with a chicken or the egg scenario, Anyconnect needs the profile before it can connect, but it has to connect to get the profile. I suppose we could email the XML file with instructions on where to drop it, but asking our users to navigate into hidden folders on Windows would be tough.
Perhaps I am overlooking the obvious, but it seems like a poor design of Anyconnect that when it has NO PROFILE saved it won't at least try all the methods (Machine cert, user cert, etc) to get connected the first time.
This worked perfectly, after locating the screen in the Group configuration where I could specify the profile to be pushed. I then configured this group to log the user out after 1 minute and as you stated, the next time they connect they're correctly mapped to the correct Profile.
Thank you so much, you saved the rest of my weekend.
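For reference, this is the kind of AnyConnect client profile the thread is talking about: the XML the ASA pushes so the client searches the machine certificate store on later connections. It is an added example, not a profile from this thread or from Cisco; the CA name, host address and group name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Search the machine (device) certificate store instead of only the user store -->
    <CertificateStore>Machine</CertificateStore>
    <!-- Let a non-administrator user session use certificates from the machine store -->
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <!-- Example match rule (placeholder CA name): only present a certificate issued
         by the internal CA, so an unrelated cert in the store is never offered -->
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Corp Issuing CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder headend and tunnel group for the employee profile -->
      <HostName>Example Corp VPN (employees)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>EMPLOYEES</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Until the client has received such a profile from the headend it only searches the user store, which is the behaviour the original post describes; the bootstrap group from the reply above (AAA-only, pushes this profile, short session timeout) is what gets it onto the machine.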