AnyConnect VPN with Certificate Authentication

Posted on 2014-04-15
1 Endorsement
Last Modified: 2014-04-24
Can someone shed some light on how to set up VPN Access with Certificate Authentication? ASA 5505 8.2 with AnyConnect Essentials License and Mobile License.
Question by: Strinalena
LVL 64

Assisted Solution

btan earned 333 total points
ID: 40003759
Good to understand the licence aspects in what they support (or scope within). One key point for the Essentials Licence is that it is without clientless SSL VPN (this is via the Web portal). In other words, VPN is via the AnyConnect client installed, no web portal access (clientless). Only the Premium Licence supports both. Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

Also for ASA 5505, it supports up to 25 simultaneous user VPN peers / sessions. Additionally, you can also use this licence with the AnyConnect Mobile licence for access from mobile devices like phones or tablets; this licence is an additional purchase. Overall, "show version" will list what is available and the state of the licence in the ASA.

For the setup aspects, there are actually steps in CLI. But specific to the authentication type, using the certificate can be configured at the IPSec level, where you need to create an ISAKMP policy in the connection profile. Please see here, and specifically the sections below:
"Determining an ID Method for ISAKMP Peers";
"Configuring Certificate Group Matching"

For mobile aspects, AnyConnect 3.1 is not available for mobile devices. However, you can continue to use the ASA to deploy AnyConnect 2.5 or earlier clients that do support mobile devices, even after loading the AnyConnect 3.1 package files to the ASA for web deployment. See the AnyConnect Secure Mobility Client Administrator Guides from AnyConnect 2.5, and earlier, for information about configuring the ASA to deploy AnyConnect for mobile devices.

Overall, the ASDM may be easier (hopefully). You can catch the steps here, based on 2.3, as references.

Rather tough to state all the steps, but hopefully the above can sum up to kickstart exploration into the approach; most of the Cisco documentation should already be available in the links above.
LVL 20

Accepted Solution

rauenpc earned 167 total points
ID: 40005152
When it comes down to it, to use certificate authentication you need to install the CA root (and any intermediate certificates if needed). Then install an identity certificate on the ASA signed by the root CA. Then you configure VPN access as normal, except that the authentication method is certificate. You will need to specify which trusted root certificate to base this off of (which is set globally, see attached image), and from there the clients just need to provide a certificate that was signed by the trusted root that the ASA uses.

I had to do a fair amount of playing around before I got this to work, but once it works, it's really slick. No more entering un/pw, and then you can start setting profiles to auto connect and do trusted network detection without being super annoying.

My experience is all on IOS 9.1, so I don't know if this process is the same or as easy on 8.2. I would highly recommend that you upgrade to 8.4 or later, but this may require additional hardware and will certainly require time to make the necessary config changes.
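The steps in the accepted answer, written out as ASA CLI. This is an added example and is not rauenpc's configuration or Cisco documentation; it uses the 8.2-era keywords (`svc` rather than the `anyconnect` keyword of later releases), and every name in it (the trustpoints CORP-ROOT-CA and ASA-ID, the key label, pool, group policy, tunnel group, vpn.example.com, the package filename and the certificate-map attribute values) is a placeholder to be replaced with your own.

```cisco
! Added example: AnyConnect with certificate authentication on ASA 8.2-style CLI.
! All names, addresses and the package filename below are placeholders.

! Step 1: trust the CA that issues the client certificates.
! Add one more trustpoint (same pattern) for each intermediate CA in the chain.
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate CORP-ROOT-CA
! paste the root CA certificate (base64/PEM) when prompted, then type "quit"

! Step 2: identity certificate for the ASA, signed by the same CA.
crypto key generate rsa label ASA-ID-KEY modulus 2048
crypto ca trustpoint ASA-ID
 enrollment terminal
 keypair ASA-ID-KEY
 subject-name CN=vpn.example.com,O=ExampleCorp
 fqdn vpn.example.com
crypto ca authenticate ASA-ID
! paste the issuing CA certificate again so the chain is attached to this trustpoint
crypto ca enroll ASA-ID
! the ASA prints a CSR; have the CA sign it, then import the signed certificate:
crypto ca import ASA-ID certificate
! paste the signed identity certificate, then type "quit"

! Present the identity certificate to clients on the outside interface.
ssl trust-point ASA-ID outside

! Step 3: the usual AnyConnect pieces (pool, group policy, client package).
ip local pool VPN-POOL 10.10.10.1-10.10.10.25 mask 255.255.255.0

group-policy GP-CERT-USERS internal
group-policy GP-CERT-USERS attributes
 vpn-tunnel-protocol svc
 address-pools value VPN-POOL

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.XXXX-k9.pkg 1
 svc enable
 tunnel-group-list enable

! Step 4: connection profile whose authentication method is certificate.
tunnel-group TG-CERT-USERS type remote-access
tunnel-group TG-CERT-USERS general-attributes
 default-group-policy GP-CERT-USERS
tunnel-group TG-CERT-USERS webvpn-attributes
 authentication certificate
 group-alias CertVPN enable

! Step 5: certificate group matching, so that only certificates from the
! trusted CA (and, here, a chosen OU) land in the certificate-only profile.
crypto ca certificate map CERT-MAP 10
 issuer-name attr cn eq ExampleRootCA
 subject-name attr ou eq VPN-Users
webvpn
 certificate-group-map CERT-MAP 10 TG-CERT-USERS
```

After pasting the certificates, `show crypto ca certificates` should list the CA certificate under CORP-ROOT-CA and both the CA and identity certificates under ASA-ID; a client whose certificate does not chain to that CA, or whose issuer/subject attributes do not satisfy CERT-MAP, will not be placed into TG-CERT-USERS. The certificate map is what keeps "any certificate the ASA trusts" from meaning "any certificate this CA ever issued for another purpose".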
LVL 64

Assisted Solution

btan earned 333 total points
ID: 40005847

Author Comment

ID: 40019376
Thanks Guys! Will do my best to follow your guides. Apologies for the delay.

Author Comment

ID: 40019528
Can I just confirm: the authentication will only work if the ASA has a certificate signed by a CA, and the root certificate from the same CA?

What about the client - in our case an iPhone - does it need to have a personal certificate as well? If yes, how can this be achieved?
LVL 64

Expert Comment

ID: 40019569
Yes, as the ASA also needs to validate that it is a valid cert.

But do note that if you are trying to use a Machine Certificate (Local Computer store instead of User store), you need to have configured your AnyConnect Profile to have the CertificateStoreOverride and ensure that the CertificateStore is All or Machine. By default it is set to All; however, most users do not have the rights for the Machine store and thus cannot get the certificate. Also, your web browser would not have access to a Machine Cert either. You can also check the AnyConnect Event Logs from the Windows Event Log viewer and look for a vpnui entry where the function is getNextClientCert to see if the client found your certificate. You can find out more below

For iPhone, yes, a user cert as well.

Author Comment

ID: 40019607
Thanks a lot!
LVL 64

Expert Comment

ID: 40019771
You're welcome, glad to have helped.
