
New Member

AnyConnect VPN with Microsoft CA and a Public certificate

Hi there,

I'm looking for a bit of help with a scenario. I'm no networking expert by any stretch and I won't be implementing this myself but I need to try and understand if what I'm looking for is possible.

We're implementing an AnyConnect VPN with certificate authentication from our own internal Microsoft CA. I have a product that will distribute certificates from a template to the mobile devices rather than the ASA itself. We've got our CA certificate and an identity certificate on the ASA and the authentication works.

However, the AnyConnect iOS app complains of an untrusted VPN.

So from there I get that I need a public certificate on the ASA, but can I still have the Microsoft CA certificate and identity certificate doing the authentication of the end users?

I may have worded some of that wrong but I think that gives an idea of where I'm trying to go.

Any pointers would be greatly appreciated.

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Yes - iOS is a bit finicky about not wanting to trust internal CA-issued certificates. You can purchase and install a certificate from a well-known public CA and use that to identify your ASA. That will be the certificate bound to the ASA outside interface and it will allow iOS-based (and all other) clients to connect using that certificate.

That part is distinct from the device or user certificates on the clients. Those can still be used and, as long as the ASA has imported the server public key and trusts the Microsoft CA, both can co-exist.
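One way the two roles described above can coexist on an ASA, as an added configuration example that is not from this thread: a public-CA identity certificate bound to the outside interface, and a separate trustpoint holding only the internal Microsoft CA root for validating client certificates. Trustpoint names, the FQDN and the issuer name are assumed placeholders.

```text
! Added example, not from the thread. All names below are placeholders.
!
! 1. Trustpoint for the ASA's own identity certificate from a public CA.
!    This is the certificate iOS and other clients check when they connect.
!    First generate the key pair (exec mode):
!      crypto key generate rsa label PUBLIC-CA-KEY modulus 2048
crypto ca trustpoint PUBLIC-CA-TP
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair PUBLIC-CA-KEY
 crl configure
! Then, in exec mode: paste the public CA chain, generate the CSR,
! have the public CA sign it, and import the issued certificate:
!   crypto ca authenticate PUBLIC-CA-TP
!   crypto ca enroll PUBLIC-CA-TP
!   crypto ca import PUBLIC-CA-TP certificate
!
! 2. Trustpoint holding only the internal Microsoft CA root certificate.
!    The ASA is not enrolled here; the trustpoint is used solely to
!    validate the client (user/device) certificates the Microsoft CA issued.
crypto ca trustpoint MS-CA-TP
 enrollment terminal
 validation-usage ssl-client
 crl configure
!   crypto ca authenticate MS-CA-TP     (paste the Microsoft CA root cert)
!
! 3. Bind the public identity certificate to the outside interface.
ssl trust-point PUBLIC-CA-TP outside
!
! 4. Send clients whose certificate was issued by the Microsoft CA to the
!    AnyConnect tunnel-group, and require certificate authentication there.
crypto ca certificate map MS-CA-MAP 10
 issuer-name attr cn co "Contoso Issuing CA"
webvpn
 enable outside
 anyconnect enable
 certificate-group-map MS-CA-MAP 10 ANYCONNECT-TG
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG webvpn-attributes
 authentication certificate
```

After the imports, `show crypto ca certificates` should list both trustpoints, with an identity certificate only under PUBLIC-CA-TP and just the CA certificate under MS-CA-TP.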

13 REPLIES

New Member

Thanks for the reply Marvin.

Does that mean that my ASA will have two CAs listed?

Hall of Fame Super Silver

You're welcome.

Only one certificate (issued by one CA) is used as the ASA's identity certificate. 

New Member

Hi Marvin and stuart.mackillop

Was your trouble solved?

I have a problem when I deploy ASA AnyConnect for my users. Can you help me solve it?

I have an internal CA server. The ASA uses the CA certificate.

With Windows machine users, after trusting the CA, I can easily create a certificate request file, import and issue it at the CA server, then export that certificate to a file and import it on the user's machine. The user can use AnyConnect with the cert.

But with mobile device users (iOS and Android), I don't know how to create certificates for them.

Please help me solve this, or do you have any recommendations for this?

Thanks

New Member

Other than adding a layer of complexity with a MS CA server for distributing certificates to end users, what benefit would it be aside from adding users through AD? What does it do that the built-in CA server on the ASA doesn't?

Is there an advantage, or disadvantage?

Hall of Fame Super Silver

Many organizations prefer to administer user accounts from a central directory service.

One good reason for doing so is that there are then fewer touch points for adding and removing users - and presumably better chances that their account is removed when they are no longer with the company. They may have procedures and controls for doing so in place that allow them to better secure their infrastructure and meet regulatory or legal requirements.

If we use the ASA CA, it puts that burden on the ASA administrator. Depending on their background and the environment, they may have little or no certificate experience.

New Member

How does that work then? If the ASA issues the certificate, is it based on the public CA that is used for the trustpoint? If the MCS issues it, what is it based on, and how is the certificate then issued to the end user?

I have setup a certificate server on MS via third party, and it was a PITA to get working, and when something changed, it was another PITA to get resolved.

Hall of Fame Super Silver

If we use the ASA CA, it issues certificates based on its own root. That's distinct from any public CA root that may have issued an identity certificate to the ASA.

If clients' certificates are issued from an internal server (e.g. Certificate Services running on Microsoft Windows Server or some other internally-managed PKI product) they can get those certificates via the ASA (proxying web enrollment via SCEP) or have them issued and deployed using an enterprise software deployment scheme. In that case, that PKI service's root certificate must be trusted by the client - again either via manual install or via pushing the settings out remotely.

In either case, the Windows server can revoke user certificates or delete users, as necessary.

New Member

Is there a doc with this setup for AnyConnect mobile using OnDemand for Jabber? Reason I'm asking is a customer wants to use AD for sending the certificates.

New Member

Is this what you're looking for?

http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/guide_c07-717020.pdf

New Member

What I am looking for is the configuration guide on setting up the Microsoft portion. I have the ASA fully working and sending certs, but the end user who maintains the users, cannot get ASDM to load due to Java issues, and would rather do it all through AD instead.

I just don't know what key words to use to look for the correct docs.

New Member

I'd suggest raising a new topic then asking the question. However, you're probably looking for a Microsoft document rather than a Cisco one. Then you're looking for a method to distribute your certificates to the client devices.

New Member

Spot on Marvin. Explains exactly why I needed it.

I've now got my public SSL cert in place with no more annoying warnings. My internal certificates from my PKI infrastructure are working for authentication.

All seems pretty good except now I'm getting a FIPS error when the iPads connect. You fix one issue and then another appears. Thanks a lot for your help.
