

AnyConnect VPN with Certificate Authentication

Posted on 2014-04-15
Medium Priority
1 Endorsement
Last Modified: 2014-04-24
Can someone shed some light on how to set up VPN Access with Certificate Authentication? ASA 5505 8.2 with AnyConnect Essentials License and Mobile License.
Question by:Strinalena
LVL 65

Assisted Solution

btan earned 1332 total points
ID: 40003759
Good to understand the licence aspects and what they support (or the scope within). One key point for the Essentials licence is that it is without clientless SSL VPN (this is via the web portal). In other words, VPN is via the AnyConnect client installed, with no web portal access (clientless). Only the Premium licence supports both. Note: the portal still exists, but can only be used to download the AnyConnect client software.

Also, the ASA 5505 supports up to 25 simultaneous VPN peers/sessions. Additionally, you can also use this licence with the AnyConnect Mobile licence for access from mobile devices like phones or tablets; this licence is an additional purchase. Overall, "show version" will list what is available and the state of the licence in the ASA.

For the setup aspects, there are actually steps in the CLI. But specific to the authentication type, using the certificate can be configured at the IPSec level, where you need to create an ISAKMP policy in the connection profile. Please see here, and specifically the sections below:
"Determining an ID Method for ISAKMP Peers";
"Configuring Certificate Group Matching"

For mobile aspects, AnyConnect 3.1 is not available for mobile devices. However, you can continue to use the ASA to deploy AnyConnect 2.5 or earlier clients that do support mobile devices, even after loading the AnyConnect 3.1 package files to the ASA for web deployment. See the AnyConnect Secure Mobility Client Administrator Guides from AnyConnect 2.5, and earlier, for information about configuring the ASA to deploy AnyConnect for mobile devices.

Overall, the ASDM may be easier (hopefully). You can catch the steps here, based on 2.3, as references.

Rather tough to state all the steps, but hopefully the above can sum up to kickstart exploration into the approach; most of the Cisco documentation should already be available in the links above.
LVL 20

Accepted Solution

rauenpc earned 668 total points
ID: 40005152
When it comes down to it, to use certificate authentication you need to install the CA root (and any intermediate certificates if needed). Then install an identity certificate on the ASA signed by the root CA. Then you configure VPN access as normal, except that the authentication method is certificate. You will need to specify which trusted root certificate to base this off of (which is set globally, see attached image), and from there the clients just need to provide a certificate that was signed by the trusted root that the ASA uses.

I had to do a fair amount of playing around before I got this to work, but once it works, it's really slick. No more entering un/pw, and then you can start setting profiles to auto connect and do trusted network detection without being super annoying.

My experience is all on IOS 9.1, so I don't know if this process is the same or as easy on 8.2. I would highly recommend that you upgrade to 8.4 or later, but this may require additional hardware and will certainly require time to make the necessary config changes.
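The sequence rauenpc describes (trust the CA, give the ASA its own identity certificate, then point the connection profile at certificate authentication), written out as an added ASA CLI example. This is not configuration from the page or from either poster; it uses the 8.2 command names the question is about, with the 8.4+ renames noted in comments, and every name in it (trustpoint names, the hostname vpn.example.com, the address pool, the package filename) is a hypothetical placeholder. Note that for the SSL AnyConnect client the authentication method lives on the tunnel-group's webvpn-attributes; the ISAKMP/IKE settings only matter for IPsec clients.

```text
! --- 1. Trust the CA that signs both the ASA identity cert and the client certs.
!        This trustpoint is the trust anchor that decides who may connect at all.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
! Paste the CA's PEM certificate when prompted, type "quit" on its own line,
! then compare the displayed fingerprint with the value published by your PKI
! team before accepting it.
crypto ca authenticate CORP-CA

! --- 2. Identity certificate for the ASA itself, signed by the same CA
crypto key generate rsa label ASA-VPN-KEY modulus 2048
crypto ca trustpoint ASA-ID
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example Corp
 fqdn vpn.example.com
 keypair ASA-VPN-KEY
! Prints a CSR; have CORP-CA sign it, then paste the issued cert here:
crypto ca enroll ASA-ID
crypto ca import ASA-ID certificate
! Present that certificate on the outside interface for SSL/AnyConnect
ssl trust-point ASA-ID outside

! --- 3. AnyConnect package and client address pool
ip local pool VPN-POOL 10.10.10.1-10.10.10.25 mask 255.255.255.0
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
! (8.4+: "anyconnect image disk0:/... 1" and "anyconnect enable")

! --- 4. Group policy and connection profile; the only change from a
!        username/password profile is "authentication certificate"
group-policy CERT-GP internal
group-policy CERT-GP attributes
 vpn-tunnel-protocol svc
! (8.4+: vpn-tunnel-protocol ssl-client)

tunnel-group CERT-VPN type remote-access
tunnel-group CERT-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy CERT-GP
tunnel-group CERT-VPN webvpn-attributes
 authentication certificate
 group-alias certvpn enable

! --- 5. Select this profile from the client certificate's issuer, so only
!        certs from CORP-CA land here (add subject-name rules, e.g.
!        "subject-name attr ou eq vpn-users", to narrow it further)
crypto ca certificate map CORP-CA-MAP 10
 issuer-name attr cn eq corp-ca
tunnel-group-map enable rules
tunnel-group-map CORP-CA-MAP 10 CERT-VPN

! --- 6. Checks
show crypto ca certificates
show crypto ca trustpoints
show vpn-sessiondb svc
! (8.4+: show vpn-sessiondb anyconnect)
! While a client connects, "debug crypto ca 3" shows why a cert is rejected
```

Two things worth checking before calling this done. First, with "authentication certificate" alone, any certificate the CA has ever issued is enough to connect, so revocation checking on CORP-CA must actually work (the ASA needs to reach the CRL distribution point named in the certificates) and the certificate map should be as narrow as your PKI allows; "authentication aaa certificate" under webvpn-attributes requires a password as well as the certificate if you want two factors. Second, confirm with "show crypto ca certificates" that the ASA sees the full chain: if the identity cert is issued by an intermediate, that intermediate needs its own trustpoint (authenticated the same way as CORP-CA) or clients will fail the server-side check before certificate authentication even starts.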
LVL 65

Assisted Solution

btan earned 1332 total points
ID: 40005847

Author Comment

ID: 40019376
Thanks Guys! Will do my best to follow your guides. Apologies for the delay.

Author Comment

ID: 40019528
Can I just confirm: the authentication will only work if the ASA has a certificate signed by a CA, and the root certificate from the same CA?

What about the client, in our case an iPhone: does it need to have a personal certificate as well? If yes, how can this be achieved?
LVL 65

Expert Comment

ID: 40019569
Yes, as the ASA also needs to validate that it is a valid cert.

But do note that if you are trying to use a machine certificate (Local Computer store instead of User store), you need to have configured your AnyConnect profile to have the CertificateStoreOverride and ensure that the CertificateStore is All or Machine. By default it is set to All; however, most users do not have the rights for the Machine store and thus cannot get the certificate. Also, your web browser would not have access to a machine cert either. You can also check the AnyConnect event logs from the Windows Event Log viewer and look for a vpnui entry where the function is getNextClientCert to see if the client found your certificate. You can find out more below.


For iPhone, yes, a user cert as well.
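The machine-certificate case btan describes above, and the auto-connect and trusted network detection behaviour rauenpc mentions in the accepted answer, both live in the AnyConnect client profile XML. The profile below is an added example, not a file from the page or from either poster. The element names (CertificateStore, CertificateStoreOverride, AutomaticCertSelection, AutoConnectOnStart, AutomaticVPNPolicy) are the real AnyConnect profile elements; the hostnames, DNS domain and profile name are hypothetical placeholders, and the way the file reaches the client is assumed to be push from the ASA (the "svc profiles" commands in 8.2, "anyconnect profiles" in 8.4+) so that a signed-in user cannot simply edit it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical AnyConnect client profile, e.g. stored on the ASA as
     disk0:/corp-cert.xml and pushed to clients by the group policy. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Use the Windows Local Computer (machine) store. The override lets
         the user-mode UI use a machine cert it could not open on its own;
         the default is CertificateStore=All with no override, which is why
         a machine cert is "not found" for a non-administrator. -->
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>

    <!-- Pick the matching cert without a prompt, so unattended connects
         do not stall on a certificate chooser -->
    <AutomaticCertSelection>true</AutomaticCertSelection>
    <AutoConnectOnStart>true</AutoConnectOnStart>

    <!-- Trusted network detection: on the corporate LAN the client
         disconnects, off it it connects, with no user interaction -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <!-- Connection profile alias on the ASA that uses
           "authentication certificate" -->
      <UserGroup>certvpn</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The trusted network check is a usability feature, not a security boundary: TND only looks at the DNS domain and suffix the client has been handed, which any network it joins can supply, so the decision to connect or disconnect must never be the thing that protects the tunnel. For the iPhone case, the same profile elements do not apply; the user certificate has to be installed on the device (via a configuration profile or the device's enrollment flow) and the AnyConnect app selects it from the device keychain, with the ASA-side configuration unchanged.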


Author Comment

ID: 40019607
thanks a lot!
LVL 65

Expert Comment

ID: 40019771
You're welcome, glad to have helped.
