Cisco Support Community
New Member

Cert based auth with AnyConnect

Hi,

We recently purchased a certificate for our ASA to use on the outside interface, when connecting in order to get AnyConnect installed or simply use webvpn. I added it as an identity cert and the CA cert as well, and then made it the default cert for the outside interface. This all worked just fine.

Now, we want to use cert-based authentication for our AnyConnect (along with RADIUS which is already working). We have an internal Microsoft cert server, that we would like to use for this purpose. Question is... how can we use the public purchased cert on the outside interface for webvpn and AnyConnect installation and at the same time use the "internal" cert for authentication of VPN client? Is it even possible?

I've already created an internal cert and installed it on the asa along with the CA cert of our internal server. We are running version 8.2(2).

I hope someone with a little more knowledge about this than me can assist.

Thanks in advance,

Rasmus

Accepted solution
Cisco Employee

Re: Cert based auth with AnyConnect

Rasmus,

Debugging for failed attempt please, however you normally try to do this.

Can you try with and without ssl certificate-auth ... ?

Marcin

New Member

Re: Cert based auth with AnyConnect

Just found this link (which is for ver. 8.2):

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1046987

Is this what I need to do? Or is it intended for something else entirely?

/Rasmus

New Member

Re: Cert based auth with AnyConnect

I just tried the above mentioned setting, and it works when using the AnyConnect client.

But when visiting the https address of the ASA, to get the AnyConnect installed, I get a certificate auth error when logging on. It still uses the public purchased cert here, which is what I want it to, but the auth seems to try and use the authentication cert set up. This would be ok, but the problem is when opening the web site (asa) IE prompts me to select a certificate for authentication, but my computer cert (which I choose with the anyconnect client) isn't available?

Any help much appreciated!

/Rasmus

New Member

Re: Cert based auth with AnyConnect

No one?

Cisco Employee

Re: Cert based auth with AnyConnect

Rasmus,

I faced something similar before. Fault was on MS CA side at that time. Let's see now.

Can you please check from multiple browsers, IE and Firefox at minimum.

First of all do you see the correct cert in browsers' stores?

Marcin

New Member

Re: Cert based auth with AnyConnect

Hello Marcin - thanks for your reply.

I checked Firefox and IE7 and IE8 - all the same

If I open the cert store from IE I can only see user certificate store. Since the used cert is a computer cert, it doesn't show up.

/Rasmus

Cisco Employee

Re: Cert based auth with AnyConnect

Rasmus,

By any chance is this same deployment we used in previous thread, SBL + proxy + I guess cert auth?

Can you also install this cert into user store and test? I'm not a windows guy so I don't know if you can make IE read other cert stores.

Marcin

New Member

Re: Cert based auth with AnyConnect

Hi Marcin,

Exactly the same

I already tried that. I was able to select the certificate then, but the authentication would still fail for some reason. If I clicked cancel in the cert selection pop-up it worked. But only with the computer cert added to the user cert store. If it wasn't there, I could not authenticate whether I clicked OK or Cancel.

/Rasmus

Cisco Employee

Re: Cert based auth with AnyConnect

Rasmus,

Long story short ... which cert do you have in "ssl ..."

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1514061

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1511555


If I remember you were already running 8.2.2

A note from the case I mentioned: MS CA has certificate templates and it seems to be messing with some part of PKI on the ASA; you can probably get this working with IOS CA without problems.

Can you get "deb cry ca mess" and "deb cry ca trans" (100 level) during the connection attempt?

Marcin

New Member

Re: Cert based auth with AnyConnect

Hi Marcin,

In the "SSL TrustPoint..." command I've got the external bought certificate.

The "SSL certificate-auth..." command is not present in my config. I've got this though:

crypto ca certificate map NAME 10
webvpn
 certificate-group-map NAME 10 PROFILE

About the debug command. Do you want this output when connecting with the AnyConnect client, or when accessing the webpage where the error occurs? Also, should I click cancel in the cert selection box (if you want the browser-login debug) or click "ok" without a cert selected?

Thanks,

Rasmus
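The split the original question asks about (public cert for the server side, internal CA for client authentication) is the normal ASA model: "ssl trust-point" chooses the identity certificate the ASA presents, while a client certificate is validated against whichever configured trustpoint holds its issuing CA, so the internal CA trustpoint only needs the CA certificate, not an identity. The following is an added configuration example, not a config posted in this thread; the trustpoint names, the issuer CN "internal-issuing-ca", the tunnel-group "ANYCONNECT-CERT-TG" and the RADIUS server-group "RADIUS-SRV" are assumed placeholders.

```text
! Added example (not from this thread). ASA 8.2 syntax.
! Names, the issuer CN and the AAA server-group are assumptions.

! 1. Purchased identity cert: what browsers and AnyConnect see on "outside".
crypto ca trustpoint PUBLIC-TP
 enrollment terminal
 keypair PUBLIC-KEY
 crl configure
!
ssl trust-point PUBLIC-TP outside

! 2. Internal Microsoft CA: import ONLY the CA certificate here so the ASA
!    can validate client certs it issued. No identity cert in this trustpoint.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 crl configure
! exec mode, not config mode: paste the base-64 CA cert, then "quit"
crypto ca authenticate INTERNAL-CA

! 3. Request a client certificate in the TLS handshake on the outside interface.
ssl certificate-authentication interface outside port 443

! 4. Map client certs from the internal CA to a tunnel-group by issuer.
crypto ca certificate map INTERNAL-CA-MAP 10
 issuer-name attr cn eq internal-issuing-ca
!
webvpn
 certificate-group-map INTERNAL-CA-MAP 10 ANYCONNECT-CERT-TG

! 5. Tunnel-group requiring both the client cert and RADIUS, as the post wants.
tunnel-group ANYCONNECT-CERT-TG type remote-access
tunnel-group ANYCONNECT-CERT-TG general-attributes
 authentication-server-group RADIUS-SRV
tunnel-group ANYCONNECT-CERT-TG webvpn-attributes
 authentication aaa certificate
```

Two checks worth doing after applying this: "show crypto ca certificates" should list the CA certificate under INTERNAL-CA and the identity certificate under PUBLIC-TP, and a failed logon should be debugged with "debug crypto ca messages" and "debug crypto ca transactions" as Marcin asks above. Note that step 3 makes the ASA request a client certificate from browsers too; the machine-store problem discussed later in this thread is on the client side and is not changed by any of these commands.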


New Member

Re: Cert based auth with AnyConnect

Hi Marcin,

First of all thanks for all your assistance!

The more I've looked into this, the more it appears to me that it is an internet browser related problem. IE simply doesn't look in the computer certificate store in Windows - only the user store.

I've created a separate thread in a Windows forum, and hopefully I will get some answers there. Meanwhile, if anyone else runs into this problem, please reply to this thread.

I will give you full ratings though Marcin, because of your assistance. I will also create another thread in here regarding CRL. This is an ASA issue - not an Internet Explorer thing, so I hope you will take a look at the thread at some point. I simply can't get it working.

Thanks again,

Rasmus
