AnyConnect VPN with Certificate Authentication

Can someone shed some light on how to set up VPN Access with Certificate Authentication? ASA 5505 8.2 with AnyConnect Essentials License and Mobile License.
Who is Participating?
rauenpcConnect With a Mentor Commented:
When it comes down to it, to use certificate authentication you need to install the CA root (and any intermediate certificates if needed). Then install an identity certificate on the ASA signed by the root CA. Then you configure vpn access as normal, except that the authentication method is certificate. You will need to specific which trusted root certificate to base this off of (which is set globally, see attached image), and from there the clients just need to provide a certificate that was signed by the trusted root that the ASA uses.

I had to do a fair amount of playing around before I got this to work, but once it works, it's really slick. No more entering un/pw, and then you can start setting profiles to auto connect and do trusted network detection without being super annoying.

My experience is all on IOS 9.1, so I don't know if this process is the same or as easy on 8.2. I would highly recommend that you upgrade to 8.4 or later, but this may require additional hardware and will certainly require time to make the necessary config changes.
btanConnect With a Mentor Exec ConsultantCommented:
Good to understand the licence aspects in what they support (or scope within). One key pt for the Essential Licence is without clientless SSL VPN (this is via the Web portal). In other words,  VPN is via the Anyconnect client installed, no web portal access (clientless). Only Premium Licence support both. Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

Also for ASA 5505, it supports up to 25 simultaneous user vpn peers / session. Additionally, you can also use this licence with the AnyConnect Mobile licence for access from mobile devices like phones or tablets, this licence is an additional purchase. Overall, the “show version” will list what is available and state of the licence in the ASA

For the setup aspects, there are actually steps in CLI. But specific to the authentication type, using the certificate can be configured at the IPSec level where you need to create an ISAKMP policy in the connection profile. Pls see here and specifically on below section
"Determining an ID Method for ISAKMP Peers";
"Configuring Certificate Group Matching"

For mobile aspects, AnyConnect 3.1 is not available for mobile devices. However, you can continue to use the ASA to deploy AnyConnect 2.5 or earlier clients that do support mobile devices, even after loading the AnyConnect 3.1 package files to the ASA for web deployment. See the AnyConnect Secure Mobility Client Administrator Guides from AnyConnect 2.5, and earlier, for information about configuring the ASA to deploy AnyConnect for mobile devices.

Overall, the ADSM may be easier (hopefully). You can catch the steps here as based on 2.3 as references.

Rather tough to state all steps but hopefully the above can sum up to kickstart exploration into the approach, most of CISCO documentation should be already available in the links above.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

StrinalenaAuthor Commented:
Thanks Guys! Will do my best to follow your guides. Apologies for the delay.
StrinalenaAuthor Commented:
Can I Just confirm - the Authentication will only work if the ASA has a certificate signed by a CA, the root certificate from the same CA.

What about the client - in our case - an IPhone - does it need to have a personal certificate as well? If yes - how can this be achieved?
btanExec ConsultantCommented:
Yes as ASA also need to validate that it is valid cert

Bu tdo note that if you are trying to use a Machine Certificate, Local Computer store instead of User store, you need to have configured your AnyConnect Profile to have the CertificateStoreOverride and ensure that the CertificateStore is All or Machine.  By Default it is set to All, however, most users do not have the rights for the Machine store and thus cannot get the certificate...Also, your web-browser would not have access to a Machine Cert either. You can also check the AnyConect Event Logs from the Windows Event Log viewer and look for a vpnui entry where the function is getNextClientCert to see if the client found your certificate. You can find out more below

For iPhone , yes user cert as well
StrinalenaAuthor Commented:
thanks a lot!
btanExec ConsultantCommented:
you welcome, glad to have helped
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.