New Member

Authentication with certificates

I have implemented the authentication of AnyConnect clients using digital certificates. The connection is established if I start from the browser; it is not established if I start from the AnyConnect client. With username and password authentication, as it was before, I could use both methods to connect.

Any suggestion? I am using the latest version of the software.

Regards

P.S. Cisco moderator, can you tell me if this is a bug?

6 REPLIES
Silver

Re: Authentication with certificates

It appears your certificate is in the User/Personal store. Maybe AnyConnect is only searching for machine certificates. Double check the AnyConnect profile to scan both Machine and User certificates. If you can insert sections of the profile XML file, that would help too, specifically the attributes with "Certificate Store".

New Member

Re: Authentication with certificates

Hi,

Thanks for your reply.

Of course the certificate is in the personal store.

The standard configuration in the XML file has All, which means search all the stores. I have also tried User, which means search the personal store, but it seems to have no effect. The AnyConnect client says that it will use the certificates but does not connect.

Giovanni

Silver

Re: Authentication with certificates

Then it appears like a bug with AnyConnect. What did the TAC say?

New Member

Re: Authentication with certificates

I do not currently have a maintenance contract, so I cannot contact the TAC. Hopefully the moderator will do something ...

New Member

Re: Authentication with certificates

- Do you have any certificate matching rules set up in the AnyConnect profile? If so, do they match the information in the client certificates?

- Do you have Certificate to SSL VPN Connection Profile Maps configured? If so, are they properly set up to match the information in the client certificates?

- Does the ASA trust the CA the client certificates were issued by?

- Does the client certificate have the Digital Signature key usage bit set? If not, you will have to enable the deprecated feature ignore-ssl-keyusage on the CA trustpoint for SSL VPN to work. Alternatively, reissue client certificates with the Digital Signature bit set.
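
Checking the Digital Signature key usage bit mentioned in the last item, as an added example (not code from this thread or from Cisco); it assumes the Python `cryptography` package is available and builds its own throwaway test certificates instead of reading a real client certificate.

```python
# Added example, not from the thread: build a test certificate with and
# without the digitalSignature key-usage bit, then inspect the bit.
# Assumes the 'cryptography' package is installed (pip install cryptography).
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_self_signed(common_name: str, digital_signature: bool) -> bytes:
    """Return a PEM self-signed cert whose keyUsage has digitalSignature set
    (or not). Constructed test data only; a real client cert comes from a CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    usage = x509.KeyUsage(
        digital_signature=digital_signature, content_commitment=False,
        key_encipherment=True, data_encipherment=False, key_agreement=False,
        key_cert_sign=False, crl_sign=False, encipher_only=False,
        decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(usage, critical=True)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


def has_digital_signature(pem: bytes) -> bool:
    """True only if a keyUsage extension is present and digitalSignature is set.
    A certificate with no keyUsage extension is reported as 'not set' so that
    it gets looked at rather than silently passing."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ku.digital_signature


if __name__ == "__main__":
    for flag in (True, False):
        pem = make_self_signed("vpn-user", flag)
        print("digitalSignature set:", has_digital_signature(pem))
```

To inspect a real client certificate, pass the bytes of its PEM file to `has_digital_signature` instead of a generated one.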

New Member

Re: Authentication with certificates

Hi Jim,

please note that the certificate works when I start the connection from the browser; it does not work when I start from the AnyConnect client. I have only put the ASA name in the XML file, no other change. The ASA trusts the client certificate. I don't know how to check the Digital Signature bit, but I guess it is OK since I am using a certificate issued by a public CA.

Moreover, if I use AnyConnect v. 2.3.0254 it works. So my conclusion is that this is a bug in v 2.4.1012.
