Cisco Support Community
SSL VPN certificate authentication

Hello,

I'm changing SSL VPN from aaa authentication to both aaa and certs, Server 08 CA, 8.2 ASA 5510, ssl client 2.5.1025 and Windows 7 users. My question is what should be the template of the id cert that I receive from CA.

Thanks,


SSL VPN certificate authentication

Hamood,

You can use the user template, here is a guide that shows you how to configure SCEP and it shows the template that the ASA generates for its anyconnect clients. This example shows that you can use the same client cert for both vpn and wireless network authentication.

BYOD guide -

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/UA_Security.html#wp1253623

Template configuration -

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/UA_Security.html#wp1253623

Thanks,

Tarik Admani
*Please rate helpful posts*


SSL VPN certificate authentication

Thanks Tarik,

The link shows the template for the client. I will need that cert to be pushed to the Windows 7 clients via GPO etc. What should be the template for the cert that I need on the ASA?

Thanks.

SSL VPN certificate authentication

Hamood,

You can use a web server template for the certificate for the ASA.

Thanks,

Tarik Admani
*Please rate helpful posts*


SSL VPN certificate authentication

Thanks Tarik,

So I modified the User template and pushed a cert created by the new template to a Win XP client. My ASA has a web server template cert from the same 2008 CA, but I cannot connect, I get a Certificate Validation error. In the anyconnect log I see it goes through all the certs in the machine store and then says that no valid cert was found. Also the log has entries saying it received unrecognized content type and Global_Error_Unexpected. I will regenerate and reinstall all the certificates, maybe upgrade the anyconnect image and try again.

SSL VPN certificate authentication

Hamood,

If you pushed the cert through GPO then it may have placed it in the user account store. Please use mmc to see if you can install this cert in the machine store and test again.

Thanks,

Tarik Admani
*Please rate helpful posts*


SSL VPN certificate authentication

It did get pushed into the user store. I imported it into the machine store. Still got validation error.

Thanks.

SSL VPN certificate authentication

Hamood,

Do you have "ssl certificate-authentication interface interface-name port port-number"

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1514061

Thanks,

Tarik Admani
*Please rate helpful posts*


SSL VPN certificate authentication

Thank you for helping me Tarik,

I do have that command configured on the outside int, port 443.

Re: SSL VPN certificate authentication

Can you post your running configuration? Were you able to authenticate using password before?

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*

Re: SSL VPN certificate authentication

Here's the running config. If I change authentication method to aaa in connection profile I can connect fine. There's load-balancing config in there but I'm not trying to connect to the virtual IP for now.

Thanks,

Re: SSL VPN certificate authentication

See if you can download the profile editor and follow these steps:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html#wpxref49627

Are you an admin on the computer? See if forcing certificate store override allows you to connect. Also can you post a screenshot of the error and a screenshot of the certificate details.

If the above step doesn't work then collect a DART bundle so we can see what is going on.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac08managemonitortbs.html

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: SSL VPN certificate authentication

Hello Tarik,

I configured a profile and specified All stores in it but it did not work. The anyconnect client finds two certs but I still get validation error.

Thanks,

SSL VPN certificate authentication

Hamood,

Can you try to manually request a user cert from the CA and then install that and the private key on the laptop? Give that a try and let me know what happens.

Thanks,

Tarik Admani
*Please rate helpful posts*


SSL VPN certificate authentication

Hi Tarik,

That worked. I requested a certificate from the CA web interface manually and installed it on the laptop.

Thanks.

SSL VPN certificate authentication

After looking at the errors in the DART bundle it seems as if the private key wasn't with the certificate when it was issued to the machine. Keep in mind that the private key must be with the cert on the laptop.

Thanks,

Tarik Admani
*Please rate helpful posts*
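
Added example, not from the thread or from Cisco: a PowerShell check that walks the user and machine personal stores (the two places discussed above) and reports, for each certificate, whether it carries its private key, a Client Authentication EKU, a current validity period and a chain to a trusted root, so the "no private key" condition found in the DART bundle shows up before the first connection attempt. The function name and output fields are this example's own; it assumes Windows PowerShell 5.1 or later on the client.

```powershell
# Added example (not from the thread): audit the personal stores AnyConnect
# searches for a client certificate and flag the conditions that make one
# unusable, including the missing private key found in this thread.
function Get-VpnClientCertStatus {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    $now = Get-Date

    foreach ($storePath in $stores) {
        foreach ($cert in Get-ChildItem -Path $storePath) {
            # Collect EKU OIDs; a certificate with no EKU extension is valid for any purpose
            $ekuOids = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekuOids += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
                }
            }
            $clientAuthOk = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)
            $timeOk       = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            # Verify() builds the chain against the local trusted roots (the 2008 CA here)
            $chainOk      = $cert.Verify()

            $problems = @()
            if (-not $cert.HasPrivateKey) { $problems += 'no private key in this store' }
            if (-not $clientAuthOk)       { $problems += 'no Client Authentication EKU' }
            if (-not $timeOk)             { $problems += 'outside validity period' }
            if (-not $chainOk)            { $problems += 'chain does not build to a trusted root' }

            [pscustomobject]@{
                Store         = $storePath            # user store = GPO default seen in the thread
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Usable        = ($problems.Count -eq 0)
                Problems      = ($problems -join '; ')
            }
        }
    }
}

# Usable certificates first; anything with Problems set explains a validation error
Get-VpnClientCertStatus |
    Sort-Object Usable -Descending |
    Format-Table Store, Subject, HasPrivateKey, Usable, Problems -AutoSize
```

Run it in the same context the VPN client uses: an elevated session to see Cert:\LocalMachine\My private-key state, a normal session for the user store.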


Re: SSL VPN certificate authentication

Yes, that was the issue. The new certificate has the private key.

Thanks.
