AnyConnect VPN with Certificate Authentication

Posted on 2014-04-15
1 Endorsement
Last Modified: 2014-04-24
Can someone shed some light on how to set up VPN Access with Certificate Authentication? ASA 5505 8.2 with AnyConnect Essentials License and Mobile License.
Question by:Strinalena
LVL 63

Assisted Solution

btan earned 333 total points
ID: 40003759
It is good to understand the licence aspects and what they support (or the scope they cover). One key point for the Essentials Licence is that it comes without clientless SSL VPN (this is via the Web portal). In other words, VPN is via the AnyConnect client installed on the device, with no web portal access (clientless). Only the Premium Licence supports both. Note: the portal still exists, but can only be used to download the AnyConnect client software.

Also, for the ASA 5505, it supports up to 25 simultaneous VPN user peers / sessions. Additionally, you can also use this licence with the AnyConnect Mobile licence for access from mobile devices like phones or tablets; this licence is an additional purchase. Overall, "show version" will list what is available and the state of the licence in the ASA.

For the setup aspects, there are actually steps in the CLI. But specific to the authentication type, using the certificate can be configured at the IPsec level, where you need to create an ISAKMP policy in the connection profile. Please see here, and specifically the sections below:
"Determining an ID Method for ISAKMP Peers";
"Configuring Certificate Group Matching"

For mobile aspects, AnyConnect 3.1 is not available for mobile devices. However, you can continue to use the ASA to deploy AnyConnect 2.5 or earlier clients that do support mobile devices, even after loading the AnyConnect 3.1 package files to the ASA for web deployment. See the AnyConnect Secure Mobility Client Administrator Guides from AnyConnect 2.5, and earlier, for information about configuring the ASA to deploy AnyConnect for mobile devices.

Overall, ASDM may be easier (hopefully). You can find the steps here, based on 2.3, as a reference.

It is rather tough to state all the steps, but hopefully the above can help kickstart exploration of the approach; most of the Cisco documentation should already be available in the links above.
LVL 20

Accepted Solution

rauenpc earned 167 total points
ID: 40005152
When it comes down to it, to use certificate authentication you need to install the CA root (and any intermediate certificates if needed). Then install an identity certificate on the ASA signed by the root CA. Then you configure VPN access as normal, except that the authentication method is certificate. You will need to specify which trusted root certificate to base this off of (which is set globally, see attached image), and from there the clients just need to provide a certificate that was signed by the trusted root that the ASA uses.

I had to do a fair amount of playing around before I got this to work, but once it works, it's really slick. No more entering un/pw, and then you can start setting profiles to auto connect and do trusted network detection without being super annoying.

My experience is all on IOS 9.1, so I don't know if this process is the same or as easy on 8.2. I would highly recommend that you upgrade to 8.4 or later, but this may require additional hardware and will certainly require time to make the necessary config changes.
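An added example, not from rauenpc's answer or Cisco's documentation, showing the ASA-side pieces the answer above describes in CLI form: a trustpoint for the client-issuing CA, an identity certificate for the ASA, a certificate map that pins the accepted issuer, and a tunnel-group whose authentication method is certificate. All names (CORP-ROOT-CA, ASA-ID, CERT-TG, CERT-GP, vpn.example.com, the package filename) are placeholders, and the syntax is the 8.4+ form the answer recommends upgrading to.

```text
! Constructed example with placeholder names; on ASA 8.2 the webvpn
! keywords "anyconnect" and "ssl-client" are "svc" instead.

! 1. Trust the CA that signs the client certificates
!    (paste the CA's PEM at the prompt, then type "quit")
crypto ca trustpoint CORP-ROOT-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate CORP-ROOT-CA
! revocation-check crl needs the CA's CRL reachable from the ASA;
! "revocation-check none" is acceptable only in a lab.

! 2. Identity certificate for the ASA itself, signed by the same CA
crypto key generate rsa label ASA-ID-KEY modulus 2048
crypto ca trustpoint ASA-ID
 enrollment terminal
 subject-name CN=vpn.example.com
 keypair ASA-ID-KEY
crypto ca enroll ASA-ID
crypto ca import ASA-ID certificate
ssl trust-point ASA-ID outside

! 3. Accept only client certs from that issuer and map them to a
!    tunnel-group (the "which trusted root" choice from the answer)
crypto ca certificate map VPN-USERS 10
 issuer-name attr cn eq Corp-Root-CA
 subject-name attr ou eq VPN-Users

group-policy CERT-GP internal
group-policy CERT-GP attributes
 vpn-tunnel-protocol ssl-client

tunnel-group CERT-TG type remote-access
tunnel-group CERT-TG general-attributes
 default-group-policy CERT-GP
tunnel-group CERT-TG webvpn-attributes
 authentication certificate

! 4. Enable AnyConnect on the outside interface and tie the map to the group
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER-k9.pkg 1
 anyconnect enable
 certificate-group-map VPN-USERS 10 CERT-TG
```

A client whose certificate is not issued by CORP-ROOT-CA, or whose OU does not match the map, will not be placed in CERT-TG and will be refused.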
LVL 63

Assisted Solution

btan earned 333 total points
ID: 40005847


Author Comment

ID: 40019376
Thanks Guys! Will do my best to follow your guides. Apologies for the delay.

Author Comment

ID: 40019528
Can I just confirm: the authentication will only work if the ASA has a certificate signed by a CA, and the root certificate from the same CA.

What about the client - in our case - an IPhone - does it need to have a personal certificate as well? If yes - how can this be achieved?
LVL 63

Expert Comment

ID: 40019569
Yes, as the ASA also needs to validate that it is a valid cert.

But do note that if you are trying to use a Machine Certificate (Local Computer store instead of User store), you need to have configured your AnyConnect Profile to have the CertificateStoreOverride and ensure that the CertificateStore is All or Machine. By default it is set to All; however, most users do not have the rights for the Machine store and thus cannot get the certificate. Also, your web browser would not have access to a Machine Cert either. You can also check the AnyConnect Event Logs from the Windows Event Log viewer and look for a vpnui entry where the function is getNextClientCert to see if the client found your certificate. You can find out more below.

For iPhone, yes, a user cert as well.

Author Comment

ID: 40019607
Thanks a lot!
LVL 63

Expert Comment

ID: 40019771
You're welcome, glad to have helped.
