Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ASAv and AnyConnect Certificate Authentication Failer

Hi, all,

Could you please help with Anyconnect settings about Certificate Authentication. I get Certificate Validation Failure. I've put CA cert in Cisco ASA, enroll cisco ASA certificate in CA server. Also I download user certificate from CA. I disable automatic sertificate selection on AnyConnect and i manually choose my sertificate and just the same i get Certificate Validation Failure.

I achieved that i succesfully authenticate through Firefox, but through IE and Chrome i can't do it.

help please

My config and succesful authentication is bellow:

ciscoasa# debug web 255
INFO: debug webvpn  enabled at level 255.
ciscoasa# Certificate mapping found for webvpn group AnyConnectTest
Certificate mapping found for webvpn group AnyConnectTest
webvpn_allocate_auth_struct: net_handle = 0x00007fffbc909fb0
webvpn_portal.c:ewaFormSubmit_webvpn_login[3805]
webvpn_portal.c:webvpn_login_validate_net_handle[2738]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2758]
webvpn_portal.c:webvpn_login_assign_app_next[2776]
webvpn_portal.c:webvpn_login_cookie_check[2792]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2838]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2871]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = 0AnyConnectTest, tg_name = 
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2933]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2985]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[3059]
webvpn_login_resolve_tunnel_group: tgCookie = 0AnyConnectTest
webvpn_login_resolve_tunnel_group: tunnel group name from url
webvpn_login_resolve_tunnel_group: TG_BUFFER = AnyConnectTest
webvpn_portal.c:webvpn_login_negotiate_client_cert[3187]
webvpn_portal.c:webvpn_login_check_cert_status[3286]
Tunnel Group: AnyConnectTest, Client Cert Auth Success.
webvpn_portal.c:webvpn_login_cert_only[3334]
webvpn_portal.c:webvpn_login_primary_username[3359]
webvpn_login_primary_username: primary prefill suspending
webvpn_portal.c:ewaFormSubmit_webvpn_login[3805]
webvpn_portal.c:webvpn_login_validate_net_handle[2738]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2758]
webvpn_portal.c:webvpn_login_assign_app_next[2776]
webvpn_portal.c:webvpn_login_cookie_check[2792]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2838]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2871]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = 0AnyConnectTest, tg_name = 
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2933]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2985]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[3059]
webvpn_portal.c:webvpn_login_negotiate_client_cert[3187]
webvpn_portal.c:webvpn_login_check_cert_status[3286]
Tunnel Group: AnyConnectTest, Client Cert Auth Success.
webvpn_portal.c:webvpn_login_cert_only[3334]
webvpn_portal.c:webvpn_login_primary_username[3359]
webvpn_login_primary_username: primary prefill resuming, WEBVPN_AUTH_USERNAME = e=v.semenov@domain,cn=Test  User,ou=Updates,ou=Tech,ou=$$$,dc=$$$,dc=local
webvpn_portal.c:webvpn_login_primary_password[3450]
webvpn_portal.c:webvpn_login_secondary_username[3477]
webvpn_portal.c:webvpn_login_secondary_password[3560]
webvpn_portal.c:webvpn_login_extra_password[3608]
webvpn_portal.c:webvpn_login_set_cookie_flag[3627]
webvpn_portal.c:webvpn_login_set_auth_group_type[3650]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3728]
webvpn_portal.c:http_webvpn_kill_cookie[1120]
webvpn_auth.c:http_webvpn_pre_authorize[2174]
webvpn_add_auth_handle: auth_handle = 49
WebVPN: started user authorization...
webvpn_auth.c:webvpn_aaa_callback[5236]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3805]
webvpn_portal.c:webvpn_login_validate_net_handle[2738]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2758]
webvpn_portal.c:webvpn_login_assign_app_next[2776]
webvpn_portal.c:webvpn_login_cookie_check[2792]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2838]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2871]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = 0AnyConnectTest, tg_name = 
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2933]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2985]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[3059]
webvpn_portal.c:webvpn_login_negotiate_client_cert[3187]
webvpn_portal.c:webvpn_login_check_cert_status[3286]
Tunnel Group: AnyConnectTest, Client Cert Auth Success.
webvpn_portal.c:webvpn_login_cert_only[3334]
webvpn_portal.c:webvpn_login_primary_username[3359]
webvpn_portal.c:webvpn_login_primary_password[3450]
webvpn_portal.c:webvpn_login_secondary_username[3477]
webvpn_portal.c:webvpn_login_secondary_password[3560]
webvpn_portal.c:webvpn_login_extra_password[3608]
webvpn_portal.c:webvpn_login_set_cookie_flag[3627]
webvpn_portal.c:webvpn_login_set_auth_group_type[3650]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3680]
webvpn_auth.c:http_webvpn_post_authorize[2308]
http_webvpn_post_authorize: AUTH_ACCEPT, WEBVPN_AUTH_USERNAME = e=v.semenov@domain,cn=Test User,ou=Updates,ou=Tech,ou=$$,dc=$$,dc=local
webvpn_auth.c:http_webvpn_auth_accept[2705]
Connection to group (AnyConnectTest) requires certificate - certificate found
webvpn_session.c:http_webvpn_create_session[220]
WebVPN session created!
webvpn_remove_auth_handle: auth_handle = 49
 
WebVPN Cookie:
Default Profile - profiles/AnyConnectAsav1_Client_profile.xml
Profile Hash - 358A49C9A46BC54951AA140503577B6A604BA833
webvpn_generate_profiles(): Unable to find required profile(s)!
webvpn_portal.c:ewaFormServe_webvpn_cookie[2257]
webvpn_free_auth_struct: net_handle = 0x00007fffbc909fb0
webvpn_allocate_auth_struct: net_handle = 0x00007fffbc909fb0
webvpn_free_auth_struct: net_handle = 0x00007fffbc909fb0
webvpn_allocate_auth_struct: net_handle = 0x00007fffbc909fb0
webvpn_auth.c:webvpn_auth[726]
webvpn_session.c:webvpn_update_idle_time[1832]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = 0x00007fffbc909fb0
webvpn_allocate_auth_struct: net_handle = 0x00007fffbc909fb0
webvpn_free_auth_struct: net_handle = 0x00007fffbc909fb0
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_allocate_auth_struct: net_handle = 0x00007fffbe7990f0
webvpn_auth.c:webvpn_auth[726]
webvpn_session.c:webvpn_update_idle_time[1832]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = 0x00007fffbe7990f0
webvpn_allocate_auth_struct: net_handle = 0x00007fffbe7990f0
webvpn_free_auth_struct: net_handle = 0x00007fffbe7990f0
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_session.c:webvpn_update_idle_time[1832]
webvpn_allocate_auth_struct: net_handle = 0x00007fffbeaaac50
webvpn_auth.c:webvpn_auth[726]
WebVPN: session has been authenticated.
webvpn_portal.c:http_webvpn_kill_cookie[1120]
webvpn_auth.c:webvpn_auth[726]
WebVPN: session has been authenticated.
webvpn_session.c:http_webvpn_destroy_session[1661]
webvpn_free_auth_struct: net_handle = 0x00007fffbeaaac50
webvpn_allocate_auth_struct: net_handle = 0x00007fffbeaaac50
webvpn_free_auth_struct: net_handle = 0x00007fffbeaaac50
 
 

dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http redirect inside 80
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint AnyConnect_VPN_2
 enrollment terminal
 fqdn 192.168.1.127
 subject-name CN=192.168.1.127,OU=Tech,O=$$$
 keypair AnyConnect_VPN_Key
 crl configure
crypto ca trustpoint AnyConnect_VPN
 enrollment terminal
 fqdn 192.168.1.127
 subject-name CN=ciscoasa
 ip-address 192.168.1.127
 keypair AnyConnect_VPN_Key
 crl configure
crypto ca trustpool policy
crypto ca certificate map AnyCon 10
 subject-name attr ou eq spb
crypto ca certificate chain AnyConnect_VPN_2
 certificate 51c79d940000000000b0
    3082060b 308204f3 a0030201 02020a51 c79d9400 00000000 b0300d06 092a8648 
    86f70d01 01050500 30423115 3013060a 09922689 93f22c64 01191605 6c6f6361 
    6c311630 14060a09 92268993 f22c6401 19160662 656c7465 6c311130 0f060355 

  quit
 certificate ca 2b532289c312d28b474f3d0e0680376b
    30820374 3082025c a0030201 0202102b 532289c3 12d28b47 4f3d0e06 80376b30 
    0d06092a 864886f7 0d010105 05003042 31153013 060a0992 268993f2 2c640119 
    16056c6f 63616c31 16301406 0a099226 8993f22c 64011916 0662656c 74656c31 
    11300f06 03550403 13084265 6c74656c 4341301e 170d3131 31303139 30383532 

  quit
crypto ca certificate chain AnyConnect_VPN
 certificate 51c79d940000000000b0
    3082060b 308204f3 a0030201 02020a51 c79d9400 00000000 b0300d06 092a8648 
    86f70d01 01050500 30423115 3013060a 09922689 93f22c64 01191605 6c6f6361 
    6c311630 14060a09 92268993 f22c6401 19160662 656c7465 6c311130 0f060355 

  quit
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint AnyConnect_VPN
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.3 source inside
ntp server 192.168.0.3 source inside
ssl trust-point AnyConnect_VPN inside
ssl trust-point AnyConnect_VPN outside
webvpn
 enable inside
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2
 anyconnect profiles AnyConnectAsav1_Client_profile disk0:/anyconnectasav1_client_profile.xml
 anyconnect profiles AnyConnectTest_client_profile disk0:/AnyConnectTest_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url
 internal-password enable
 smart-tunnel list AllExternalApplications All-Applications * platform windows
 smart-tunnel list Smart-Applic-List RDP mstsc.exe platform windows
 certificate-group-map AnyCon 10 AnyConnectTest
group-policy GroupPolicy_AnyConnectTest internal
group-policy GroupPolicy_AnyConnectTest attributes
 banner value You connect to ASAv_1
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 group-lock value AnyConnectTest
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Splite
 default-domain value $$$
 webvpn
  anyconnect profiles value AnyConnectAsav1_Client_profile type user
  smart-tunnel auto-start AllExternalApplications
username user1 password tJsDL6po9m1UFs.h encrypted privilege 15
username user3 password cmIVqIrgboX9/Nz/ encrypted
username user3 attributes
 service-type remote-access
username user2 password G1SInyx0A0./Dx3t encrypted
username user2 attributes
 service-type remote-access
 service-type remote-access
tunnel-group AnyConnectTest type remote-access
tunnel-group AnyConnectTest general-attributes
 address-pool AnyConnectPool_1
 default-group-policy GroupPolicy_AnyConnectTest
 username-from-certificate use-entire-name
tunnel-group AnyConnectTest webvpn-attributes
 authentication certificate
 group-alias AnyConnectTest enable
tunnel-group-map enable rules
tunnel-group-map default-group AnyConnectTest
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

Everyone's tags (1)
9 REPLIES
Hall of Fame Super Silver

The ASA 1000v does not

The ASA 1000v does not support remote access VPN. Reference.

New Member

Hello, Marvin,your reference

Hello, Marvin,

your reference says the opposite

ASAv with 1 Virtual CPU

  • IPsec remote access VPN using IKEv2:

 Standard license: 2 sessions.

 Premium license: 250 sessions.

  • IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2:

Standard and Premium licenses: 250 sessions.

Hall of Fame Super Silver

The ASAv and ASA 1000v are

The ASAv and ASA 1000v are not the same. The ASA 1000v runs within the data center as a sort of a plug-in on the Nexus 1000v switch and is a firewall designed primarily to protect 'east-west' traffic between servers. The ASAv is a virtual ASA and supports a more complete set of features, including remote access VPN. 

New Member

Marvin,i'm sorry because i

Marvin,

i'm sorry because i was wrong in name of this discussion, i'm talking about ASAv... Do you see any errors in config which can be reason of sertificate validation failure?

Hall of Fame Super Silver

OK.Can you confirm from

OK.

Can you confirm from examining the client certificate that the Organizational Unit (OU) is set to "spb"?

Are you also seeing the username on the client certificate as one of your configured users (user1, user2 or user3)?

You may find this link useful. It's about IKEv2 and certificate authentication but the certificate bits should be pretty much identical.

New Member

Marvin,OU is set to spb, see

Marvin,

OU is set to spb, see attached screenshot please.

I'm using domain user ID so on Cisco ASAv i created user, which username is the same how in user certificate (see attached screenshot).

username v.semenov@domain password <password>

I used AnyConnect wizard and all configuration regarding ikev2 and etc is correct. Most of imazing is cartificate validation is successful through Mozilla and in attached logs see what Mozilla automaticly using v.semenov@domain account.

Hall of Fame Super Silver

Hmm OK. It's looking like a

Hmm OK. It's looking like a potential bug on the client side.

If you're using AnyConnect perhaps you can use the Diagnostic and Reporting Tool (DART) module) and open a case with Cisco. They can run that through their debug analyzers to get a better idea of the root cause.

New Member

Marvin,i got a new results.My

Marvin,

i got a new results.

My user certificate was without included private key. I requested new certificate through mmc console and succesfully got certificate with private key and I'm succesfully authenticated but only once! I can succesfully authenticated through any browsers, but now i can't connect through Anyconnect client.

Debug show this info:

ciscoasa# debug webvpn 255
INFO: debug webvpn  enabled at level 255.

I'm trying to connect
ciscoasa# Certificate mapping found for webvpn group AnyConnectTest

 

New Member

All works properly when i try

All works properly when i try to setup certificate authentication on asa version 931, not 922.

720
Views
0
Helpful
9
Replies
CreatePlease login to create content