Cisco Support Community
New Member

Cert and AD Authentication using AnyConnect 3.0.xxxx

Group -

I apologize in advance if this topic has already been discussed.

I have a need to utilize two factor authentication using a machine certificate and the user's AD credentials.  What we would like to do is to have the ASA and AnyConnect verify the certificate exists, check against our in house CA for validity, and if valid pass the user credentials to the AD servers and establish the tunnel. If not valid, quarantine the session and pop a message to the user to contact the help desk ASAP.

My guess is the following (using ASDM 6.6, ASA 8.6.1, ASA 5545-X):

1. Under the connection profile I have selected BOTH for authentication and added an AAA server group.

2. Under Cert Management I have added the 3 certs that are present on all company mobile assets:

     - Cert America

     - Cert Europe

     - Cert Root

3. I have an identity cert installed from the company CA and it is selected as the device cert under connection profiles.

4. Local Cert Authority is Disabled.

5. Under Remote Access > Advanced > Certs for AnyConnect:

     - I have mapped DefaultCertificateMap pri 10 to the Company_Cert connection profile.

     - The mapping is looking for Subject: CN: <Contains> (string) ---- where string is a common component of each Cert listed in #2.

Question #1 - Is this correct for utilizing certs and AD auth, or have I missed any steps?

Users are directed to an initial installation URL, where the AnyConnect client performs the installation and passes down the initial AC profile, which auths using only AD creds.  On subsequent connections, users who pass the certificate mapping check are migrated to the connection profile which uses the dual authentication method.

Question #2 - When I attempt a new installation of AnyConnect using the two factor URL, I receive an error "certificate validation error" and the installation fails - for the life of me I can not figure out why????  The machine has all three certs, using IE9 as the browser.

Any assistance would be greatly appreciated.  I have read through ASA 8.4.x config guides and ASDM 6.x config guides, but have now gone RTFM blind.

Thanks in advance!
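For reference, here is what steps 1 to 5 above look like in the ASA CLI that ASDM generates. This is an added example, not the poster's configuration: the map name, sequence number and connection profile name come from the post; AD_SERVERS (the AAA server group), Company_ID (the identity trustpoint) and COMPANY_STRING (the CN substring) are placeholders.

```cisco
! Added example: ASA CLI equivalent of the ASDM steps in the question (not the poster's config).
! Placeholders: AD_SERVERS (AAA server group, not named in the post), Company_ID (identity
! cert trustpoint), COMPANY_STRING (the CN substring common to the three company certs).

! Step 2: one trustpoint per CA the machine certs chain to; the CA cert is pasted in at
! the prompt. Repeat for Cert_America and Cert_Europe.
crypto ca trustpoint Cert_Root
 enrollment terminal
crypto ca authenticate Cert_Root

! Step 3: present the identity cert from the company CA on the outside interface
ssl trust-point Company_ID outside

! Step 5: certificate map - match when the subject CN contains the company string
crypto ca certificate map DefaultCertificateMap 10
 subject-name attr cn co COMPANY_STRING

! Step 5: send sessions whose cert matches the map to the Company_Cert profile
webvpn
 enable outside
 anyconnect enable
 certificate-group-map DefaultCertificateMap 10 Company_Cert

! Step 1: the connection profile (tunnel-group) requiring BOTH certificate and AAA
tunnel-group Company_Cert type remote-access
tunnel-group Company_Cert general-attributes
 authentication-server-group AD_SERVERS
tunnel-group Company_Cert webvpn-attributes
 authentication aaa certificate
```

Because the map keys only on a CN substring, any certificate issued by one of the installed CAs whose CN contains the string lands in Company_Cert; an additional `issuer-name attr` match on the intended CA narrows it further. A certificate that fails the map is not sent to Company_Cert, so the "quarantine and notify" behaviour in the question has to be handled by whatever profile those sessions fall back to.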

Cisco Employee

Cert and AD Authentication using AnyConnect 3.0.xxxx

Good Evening,

What happens if you connect to the two factor authentication using the standalone version? You need to be aware that connecting with clientless SSL will not have access to the machine store of the PC, while AnyConnect can do it.

If you are still getting the certificate validation failure with the standalone connection, then we need to check the following:

Is the client failing to send the certificate?

Is the ASA failing to verify the certificate?

Please collect the DART tool output and post it here.



New Member

Cert and AD Authentication using AnyConnect 3.0.xxxx

Hi Mohammad,

Using the client and two factor - it works wonderfully.  What I am trying to accomplish is CERT based installation on a new client.

I want the user to access the URL and then have the ASA verify the machine cert, then install the client.

New Member

Cert and AD Authentication using AnyConnect 3.0.xxxx

Issue resolved by TAC.