Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco Anyconnect client Certificate Validation Failure

Posted on 2015-01-22
3
Medium Priority
?
24,165 Views
1 Endorsement
Last Modified: 2016-08-16
Hi there,

I am planning to move users in my organisation from a Cisco IPsec VPN to the newer Cisco AnyConnect SSL VPN client.  We are using the Cisco ASA 5510 (in failover mode).

Previously while using the IPsec client we used pre-shared keys and a AAA (active directory server).  As AnyConnect no longer supports pre-shared keys the only way for us to have two factor authentication is to use certificates.  To further confound our situation Cisco also do not support using the ASA as a local CA for the issuance of these certificates while in failover mode.  I have therefore setup a Microsoft Certificate authority.

1st of all I tested using a local CA (on the ASA itself) and issued certificates to my AnyConnect clients (with failover mode disabled - mainly did this to get the hang of it.  This worked fine - clients connect no problem.

2nd I then enabled failover again - which disabled the local CA on the ASA and issued the CA certificate from my Microsoft CA to the ASA.  I also then signed a requested certificate for the AnyConnect client and added it to the ASA.  So far so good.  I then attempted connecting by going to the ASAs external web address in my browser AsaAddress.domain.co.uk this automatically downloaded the version of AnyConnect I had uploaded to the ASA and prompted me to accept the certificate I had issued for this client.  Great!  I accepted the prompt and was connected.  All seemed to work well.

3rdly and this is my problem - I then disconnected from the VPN and attempted connecting just by using the installed VPN client. (not by browser)  No luck.  Every time I try I get "No valid certificates available for authentication" and "certificate validation failure".  This makes no sense.  In the second step I had just connected and used the same certificate I issued for the client to authenticate with?

4th - I tried again to connect by going through the browser interface (which then uses the client anyway) and it worked fine?!

So the certificate is obviously fine so why am I getting these errors when using the client?  My users will only be using the client so using the browser is not an acceptable workaround?

If anyone can help or has any ideas I would be most grateful!

I am using:

Cisco ASA 9.1(5)
AnyConnect 3.1.06073
1
Comment
Question by:robclarke41
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 1

Author Comment

by:robclarke41
ID: 40563988
Any ideas anyone? Same issue as posted here in the cisco forums https://supportforums.cisco.com/discussion/10973341/anyconnect-w-windows-7-certificate-error the fix is to apply ssl certificate-authentication interface port 443 however since the latest version of ASA software this command is not valid!
0
 
LVL 1

Accepted Solution

by:
robclarke41 earned 0 total points
ID: 40799343
added client authentication to certificate
0
 
LVL 1

Expert Comment

by:Jeff Shanahan
ID: 41758510
How you do that is:  ASDM>Configuration>Network (Client) Access>Anyconnect connection profiles>Connection Profiles>Check "SSL Enabled">Apply> save to flash.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question