I have implemented the authentication of AnyConnect clients using digital certificates. The connection is established if I start from the browser, but is not established if I start from the AnyConnect client. With username and password authentication, as it was before, I could use both methods to connect.
Any suggestions? I am using the latest version of the software.
P.S. Cisco moderator, can you tell me if this is a bug?
It appears your certificate is in the User/Personal store. Maybe AnyConnect is only searching for machine certificates. Double-check the AnyConnect profile to scan both Machine and User certificates. If you can insert sections of the profile XML file, that would help too, specifically the attributes with "Certificate Store".
Of course the certificate is in the personal store.
The standard configuration in the XML file has All, which means search all the stores. I have also tried User, which means search the personal store, but it seems to have no effect. The AnyConnect client says that it will use the certificates but does not connect.
- Do you have any certificate matching rules setup in the AnyConnect profile? If so, do they match the information in the client certificates?
- Do you have Certificate to SSL VPN Connection Profile Maps configured? If so, are they properly setup to match the information in the client certificates?
- Does the ASA trust the CA the client certificates were issued by?
- Does the client certificate have the Digital Signature key usage bit set? If not, you will have to enable the deprecated feature ignore-ssl-keyusage on the CA trustpoint for SSL VPN to work. Alternatively, reissue the client certificates with the Digital Signature bit set.
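The last check above (whether the client certificate carries the Digital Signature key usage bit) can be done on the client machine with openssl. The script below is an added example, not part of the original thread or of any Cisco tool: it generates two throwaway self-signed certificates as constructed test input, one with and one without the Digital Signature bit, and reports which one the ASA would accept for SSL VPN without ignore-ssl-keyusage. It assumes OpenSSL 1.1.1 or later (for the -addext and -ext options); to check a real certificate, export it from the Personal store as PEM and pass the file to check_cert.

```shell
#!/bin/sh
# Added example: verify that a client certificate has the Digital Signature
# key usage bit that the ASA requires for certificate-based SSL VPN logins.
# Requires openssl 1.1.1+ (for "req -addext" and "x509 -ext").
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE
# Constructed self-signed test certificate with the given keyUsage extension.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=anyconnect-test-user" \
    -addext "keyUsage=critical,$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# has_digital_signature CERTFILE
# Exit 0 if the certificate's keyUsage extension lists Digital Signature.
has_digital_signature() {
  openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null \
    | grep -q 'Digital Signature'
}

# check_cert CERTFILE
# Human-readable verdict; returns non-zero when the bit is missing.
check_cert() {
  if has_digital_signature "$1"; then
    echo "$1: Digital Signature present (usable for ASA SSL VPN)"
    return 0
  fi
  echo "$1: Digital Signature MISSING (reissue the certificate, or enable"
  echo "    the deprecated ignore-ssl-keyusage on the CA trustpoint)"
  return 1
}

# Constructed inputs: a normal client cert and an encryption-only cert.
make_cert good "digitalSignature,keyEncipherment"
make_cert bad  "keyEncipherment"

check_cert "$WORK/good.pem"
check_cert "$WORK/bad.pem" || true
```

For a certificate exported from Windows as DER (.cer), add -inform DER to the openssl x509 call, or convert it first with `openssl x509 -inform DER -in user.cer -out user.pem`.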
Please note that the certificate works when I start the connection from the browser; it does not work when I start from the AnyConnect client. I have only put the ASA name in the XML file, no other change. The ASA trusts the client certificate. I don't know how to check the Digital Signature bit, but I guess it is OK since I am using a certificate issued by a public CA.
Moreover, if I use AnyConnect v. 2.3.0254 it works. So my conclusion is that this is a bug in v. 2.4.1012.