cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
921
Views
0
Helpful
4
Replies

Anyconnect with MS CA authentication

Bel Marsad
Level 1
Level 1

Hi dear,

Can someone answer this open point:

https://supportforums.cisco.com/message/3193572#3193572

Thanks

4 Replies 4

Herbert Baerten
Cisco Employee
Cisco Employee

Hi Bel,

it seems that in that thread, the original poster manged to get his setup working. Did his explanation help you as well or do you still need help? If so could you please summarize your current situation?

Herbert

Hi Herber,

Thanks for your reply.

So I found the solutions to use user certificate instead of client certificate, as described by the original poster, MS IE look only for user certificate store, but this is not confirmed, so if this affirmation is correct why Cisco let us choice between user and machine certificate.

Everything works well now for me using user certificate, except the SBL, I think using user certificate SBL doesn’t works because the user didn’t authenticated yet and anyconnect doesn’t know which user certificate it has to check/see. For this reason also would be great to use machine certificate.

if you have some advice about this would be great.

Bel

Hi Bel,

I'm not sure I understand your first point/question. IE only uses user certificates, Anyconnect allows you the choice between user of machine certs.

As for SBL, there you indeed need a certificate in the machine store because the user is not logged in yet and so he cannot access the user store.

Most customers using this kind will use the pre-depolyed anyconnect client instead of weblaunch, since you need to install the Gina package anyway you might just as well install the client? So in that case you don't need IE to launch anyconnect, and there is no user vs. machine store issue.

Does this help?

Herbert

Hello,

Thanks again for your answer and time.

I was questioning about why Cisco don’t put remark in their doc about MS IE? I mean if a web browser can only look at user certificate, they have to put somewhere in the doc to tell us that we have to use only user certificate in case we want to authenticate user during the web lunching process.

About the pre deployment you are absolutely right, but we have a lot users outside of company that we would like to use the web interface to install client on their laptop, this is why if I choice machine certificate for all our staff, those remote staff cannot authenticate by web interface, and the solutions is to create another profiles for them with user certificate.

For the SBL I haven’t checked yet if its work with machine certificate, I will but additional comment here to confirm If its work or not.

Thanks for your help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: