AAA and Certificate Based VPN

Similar Messages

• AAA and Role based access (NPS)

  Hi
  I authenticate all my cisco switches and routers with AAA + NPS + AD
  A server runs NPS service with cisco attribute shell:priv-lvl=15 or 5, depending of AD group.
  But I'd like configure role based with IOS view.
  When I issue the enable view command,  I get
  Password:
  I tried with my AD password, enable configurated password, and always gets
  % Authentication failed
  Mi line vty config
  line vty 0 4
  authorization exec VTY-AAA
  login authentication VTY-AAA
  transport input ssh

  Have you gone through the below listed parser view configuration example. Please check here
  View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
  AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
  In case you still have any issues, run debug parser view and share the output, I'll try to help.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Transition to Certificate Based Authentication

  Hello,
  I was hoping someone could help provide some insight into a question I have. We are in the process of rolling out a new Mobile Device Management system that will give us the ability to insert User Certificates on the mobile devices. 
  My question is: While we are in transition to this system, is it possible to have both Digest AND Certificate Based authentication working on Exchange (2010) without causing service disruption to the devices that have not yet been migrated to the new MDM
  system?
  Thank you in advance,
  Ryan

  Hi,
  Reporting Services uses the HTTP SSL (Secure Sockets Layer) service to establish encrypted connections to a report server. If you have certificate (.cer) file installed in a local certificate store on the report server computer, you can bind the certificate
  to a Reporting Services URL reservation to support report server connections through an encrypted channel.
  Server certificates are installed on the Web server and typically require no additional configuration on the clients. Server certificates allow the clients to verify the identity of the server.
  Because, some Web sites and applications might require client certificates. Client certificates are installed on the client and allow the server to authenticate the clients. For more information about configuring client certificates, see
  Enabling Client Certificates in IIS 6.0 . But Client certificates is not supported in the SSRS 2005 later version. So SSRS 2008 R2 will not allow the server to authenticate the clients.
  More details information in article below for your reference:
  Configuring a Report Server for Secure Sockets Layer (SSL) Connections
  If you still have any problem, please feel free to ask.
  Regards,
  Vicky Liu
  Vicky Liu
  TechNet Community Support

• User Password vs. Certificate based authentication

  We have used the iPhone since day one and grown from 20 to 400 users over the years. Now managability is an issue and certificate based authentication is about to be replaced with user password only. Critics deny cutting some slack because of possible man in the middle attack scenarios. Is it true that user password can be exposed between the device and exchange server? Is it possible to read User/Password using a man in the middle attack?

  We have used the iPhone since day one and grown from 20 to 400 users over the years. Now managability is an issue and certificate based authentication is about to be replaced with user password only. Critics deny cutting some slack because of possible man in the middle attack scenarios. Is it true that user password can be exposed between the device and exchange server? Is it possible to read User/Password using a man in the middle attack?

• [IMAP SSL] Certificate-Based Login problems

  Hi,
  I am trying to set up a Certificate-Based Login authentication for an installation of Java Messaging Server 7 Update 3 over Solaris x86 64bit platform.
  The objetive is to allow a client to establish an SSL session using a certificate that has been issued by a CA that the server has established as trusted and then grant access to the user without providing his password.
  In my installation, unfortunately password is allways required to login any user. These are the steps I have made:
  1. Add the CA-signed server certificate.
  2. Add the trusted Certificate Authority.
  3. Turn on all cipher suites including the weak ones.
  4. Enable SSL
  ./configutil -o service.imap.enablesslport -v yes
  ./configutil -o service.imap.enable -v 1
  ./configutil -o service.imap.sslport -v 993
  ./configutil -o service.imap.sslusessl -v yes
  ./configutil -o encryption.rsa.nssslpersonalityssl -v "Product-Cert" (where Product-Cert is my CA signed server certificate)
  5. Check with the netstat command to verify that the service is running.
  bash-3.00# ./configutil -o service.imap.sslport
  993
  bash-3.00# netstat -an | grep 993
  *.993 *.* 0 0 49152 0 LISTEN
  Once I have taken these steps, when I use a client to establish an SSL session with a PKCS#12 certificate installed (signed by the same CA trusted by MS and the email address in your users' certificates matches the email address in a users' directory entry) the connection is correct stablished using the port 993 but it is allways necessary to login with password to grant access.
  The imap logs seems to show that the MS is not requesting the user's certificate from the client, because allways shows "plaintext authentication" (this correspond a try to access to the user's inbox without Login).
  [10/Mar/2010:10:31:38 -0100] goody imapd[2623]: Account Notice: badlogin: [192.168.169.12:1595] plaintext llcc authentication failure
  [10/Mar/2010:10:31:41 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:1595] [unauthenticated] 2010/3/10 10:31:37 0:00:04 41 907 0
  [10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Network Error: Socket error [192.168.169.12:2226] : I/O function error
  [10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:2226] [unauthenticated] 2010/3/10 10:31:56 0:00:25 11 511 0
  Also there are some error logs related to the Ciphers:
  [10/Mar/2010:10:30:39 -0100] goody imapd[2623]: General Error: SSL initialization error: Unable to enable SSL cipher suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SH
  A (0x0064)
  (-8186)
  Please, Can you help me to discover if there is something wrong in my configuration?
  Thanks in advance.
  Kind Regards,
  Luis

  Thanks for your reply Shane.
  Yes, I have configured the client to use port 993. I think the problem is in the Multiplexor configuration, after finished, I allways get this Log message in the ImapProxy Logs:
  [15/Mar/2010:17:25:10 -0100] goody ImapProxy[1865]: General Error: (id 455) Connection limit reached for client IP 192.168.169.108
  [15/Mar/2010:17:25:22 -0100] goody ImapProxy[1865]: General Error: (id 477) Connection limit reached for client IP 192.168.169.108
  [15/Mar/2010:17:25:37 -0100] goody ImapProxy[1865]: General Error: (id 499) Connection limit reached for client IP 192.168.169.108
  Where 192.168.169.108 is the IP of the server where MS is installed. The strange thing is that there are no connections established becacause this is a development environment, when I try to check the IMAP port (not ssl) I find a strange behaviour:
  bash-3.00# telnet localhost 143
  Trying 192.168.169.108...
  Connected to goody.
  Escape character is '^]'.
  * OK [CAPABILITY IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY UNSELECT SORT CATENATE URLAUTH LANGUAGE ESEARCH ESORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ENABLE QRESYNC CONTEXT=SEARCH CONTEXT=SORT WITHIN SASL-IR XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN STARTTLS] Messaging Multiplexor (Sun Java(tm) System Messaging Server 7.3-11.01 (built Sep 1 2009))
  . login llcc LLCC_PASSWORD
  Connection to goody closed by foreign host.
  The ConnLimits parameter is set to default in the ImapProxyAService.cfg (i.e. default:ConnLimits 0.0.0.0|0.0.0.0:20).
  Also I have set this values not present in the link: http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication#ConfiguringEncryptionandCertificate-BasedAuthentication-ToSetUpCertificateBasedLogin
  configutil -o local.mmp.enable -v 1
  configutil -o local.store.enable -v 0
  configutil -o local.imta.enable -v 0
  configutil -o local.http.enable -v 0
  Any idea?
  One question more. I have read that Store Administrators have proxy authentication privileges to any service (POP, IMAP, HTTP, or SMTP), which means they can authenticate to any service using the privileges of any user. The question is: Is there any way for the Store Administrator to access to the mailbox of all the users using the IMAP protocol?
  Thanks a lot for your help,
  Best Regards,
  Luis

• NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

  Hi everyone,
  Hoping someone can help please.
  We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
  We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
  What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
  then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
  Has anyone implemented this before and if so, are there any guides available please?
  Many Thanks,
  Dean.

  Hi Dean,
  Thanks for posting here.
  Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
  Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
  Checklist: Configure NPS for Dial-Up and VPN Access
  http://technet.microsoft.com/en-us/library/cc754114.aspx
  Thanks.
  Tiger Li
  Tiger Li
  TechNet Community Support

• L2TP based VPN with OpenS/WAN server, OpenSSL machine certificates

  I cannot seem to get OSX to accept the machine certificates for a VPN connection using Internet Connect.
  I have generated OpenSSL x509 certificates for the server and client side, the same process has generated certificates that work just dandy with WindowsXP. The certificates have "subjectAltName=" key/value pairs assigned to the IP address of the VPN server.
  Once generated I import the certificates into OS X (you have to run KeyChain Access with "sudo" from the console to get this to work). The certificate authority seems to be ok, the CA has been added to the x509Roots, and when I examine the machine certificate for my OS X install using KeyChain Access the certificate is marked valid.
  I generated the hash link for the certificate:
  ln -s /etc/racoon/certs/certname.pem /etc/racoon/certs/'openssl x509 -noout -in certname.pem'.0
  From the console I run '
  openssl verify certname.pem
  It fails unless I specify '-CAPath /etc/racoon/certs', then it passes.
  When Internet Connect is setup to use the certificates I can see in the OpenS/WAN logs that the OS X box connects and negotiates IPSEC to MAIN_3. At this point pluto logs the following:
  ignoring informational payload, type INVALIDCERTAUTHORITY
  This repeats for several re-tries before the OS X side gives up. No useful logging is generated on the OS X side for me to debug, and everything from the OpenS/WAN side seems to be kosher, it appears to be an oakley/racoon issue with validating the machine certificate provided by OpenS/WAN to the OS X side, with the OS X side unable to verify the certificate.
  Has anyone solved this? Any ideas on how to improve the logging output from OS X so I can see what racoon/oakley is carping about in the certificate files it is using?

  I'm having the same problem. I've got a machine cert on my Mac OS 10.4.6 client that was issued by my Win2003 CA. When I try and connect, it just hangs and then dies. In the Security Logs on the 2003 L2TP server, I even see a successful IKE negotiation (MS Event ID 541 and 543 below).
  EventID 541:
  IKE security association established.
  Mode:
  Key Exchange Mode (Main Mode)
  Peer Identity:
  Certificate based Identity.
  Peer Subject C=US, S=City, L=State, O=Company, OU=group, CN=machine.subdomain.company.com, E=[email protected]
  Peer SHA Thumbprint peerthumbrint
  Peer Issuing Certificate Authority O=company.com, CN=Certificate Authority
  Root Certificate Authority O=company.com, CN=Certificate Authority
  My Subject CN=server.subdomain.company.com
  My SHA Thumbprint mythumbrint
  Peer IP Address: x.x.x.x
  Filter:
  Source IP Address x.x.x.x
  Source IP Address Mask 255.255.255.255
  Destination IP Address x.x.x.x
  Destination IP Address Mask 255.255.255.255
  Protocol 0
  Source Port 0
  Destination Port 0
  IKE Local Addr x.x.x.x
  IKE Peer Addr x.x.x.x
  IKE Source Port 500
  IKE Destination Port 500
  Peer Private Addr
  Parameters:
  ESP Algorithm Triple DES CBC
  HMAC Algorithm SHA
  Lifetime (sec) 3600
  MM delta time (sec) 1
  EventID 543:
  IKE security association ended.
  Mode: Key Exchange (Main mode)
  Filter:
  Source IP Address X.X.X.X
  Source IP Address Mask 255.255.255.255
  Destination IP Address X.X.X.X
  Destination IP Address Mask 255.255.255.255
  Protocol 0
  Source Port 0
  Destination Port 0
  IKE Local Addr X.X.X.X
  IKE Peer Addr X.X.X.X
  IKE Source Port 500
  IKE Destination Port 500
  Peer Private Addr
  At least give me a some methods to debug with.

• Certificate based S2S VPN

  Hi all!
  Please give me advice in the problem below:
  Exist a device in the Small business portfolio which allows certificate based authentication (not only PSK) in S2S VPN?
  Or which is the first/cheapest device that support this function?
  We have to connect a device (remote site) to a Checkpoint firewall (central site) over S2S VPN.
  On the remote site NO fixed IP address. And our contact person sad,  the Checkpoint support this type of connection only with certificate.
  (PSK is not allowed, only with fixed IP)
  Thanks,

  You are on the right track. Client certificates plus OTP authentication methods is one of the most secure ways to setup remote access VPN on the ASA.
  For revocation, the ASA will generally check the CRLs on the issuing CA. (or in rare cases use OCSP)
  For your second post, you use connection-profiles (i.e. pre-login selection) to configure the different authentication methods for your two (or more) use cases.
  You might want to invest in the certifcation guide for the CCNP VPN exam: 
  CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)
  Even though that exam is being retired next month, it has a wealth of information that complements the configuration guides with a more comprehensive explanation of just the type of questions you are asking.

• ASA 8.0 VPN cluster with WEBVPN and Certificates

  I'm looking for advice from anyone who has implemented or tested ASA 8.0 in a VPN cluster using WebVPN and the AnyConnect client. I have a stand alone ASA configured with a public certificate for SSL as vpn.xxxx.org, which works fine.
  According to the config docs for 8.0, you can use a FQDN redirect for the cluster so that certificates match when a user is sent to another ASA.
  Has anyone done this? It looks like each box will need 2 certificates, the first being vpn.xxxx.org and the second being vpn1.xxxx.org or vpn2.xxxx.org depending on whether this is ASA1 or ASA2. I also need DNS forward and reverse entries, which is no problem.
  I'm assuming the client gets presented the appropriate certificate based on the http GET.
  Has anyone experienced any issues with this? Things to look out for migrating to a cluster? Any issues with replicating the configuration and certificate to a second ASA?
  Example: Assuming ASA1 is the current virtual cluster master and is also vpn1.xxxx.org. ASA 2 is vpn2.xxxx.org. A user browses to vpn.xxxx.org and terminates to ASA1, the current virtual master. ASA1 should present the vpn.xxxx.org certificate. ASA1 determines that it has the lowest load and redirects the user to vpn1.xxxx.org to terminate the WebVPN session. The user should now be presented a certificate that matches vpn1.xxxx.org. ASA2 should also have the certificate for vpn.xxxx.org in case it becomes the cluster master during a failure scenario.
  Thanks,
  Mark

  There is a bug associated with this issue: CSCsj38269. Apparently it is fixed in the iterim release 8.0.2.11, but when I upgraded to 8.0.3 this morning the bug is still there.
  Here are the details:
  Symptom:
  ========
  ASA 8.0 load balancing cluster with WEBVPN.
  When connecting using a web browser to the load balancing ip address or FQDN,
  the certifcate send to the browser is NOT the certificate from the trustpoint
  assigned for the load balancing using the
  "ssl trust-point vpnlb-ip" command.
  Instead its using the ssl trust-point certificate assigned to the interface.
  This will generate a certificate warning on the browser as the URL entered
  on the browser does not match the CN (common name) in the certificate.
  Other than the warning, there is no functional impact if the end user
  continues by accepting to proceed to the warning message.
  Condition:
  =========
  webvpn with load balancing is used
  Workaround:
  ===========
  1) downgrade to latest 7.2.2 interim (7.2.2.8 or later)
  Warning: configs are not backward compatible.
  2) upgrade to 8.0.2 interim (8.0.2.11 or later)

• Certificate Based Authentication - Questions and Authentication Modules

  Hi Everyone
  I'm trying to achieve a specific configuration using AM . I've installed the AM Server 7.1 on a AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
  The AM server is using a DS rep for configurations and dynamic profiles and using a AD rep for authentication.
  What I now need to achieve is authentication base on one of these two way :
  - user and password authentication (which is working)
  - Certificate based authentication ( working on it )
  To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled", they don't say which ( either the server or agent container or both ) . Also I assume that "Client Authentication Enabled" is refering to the Http Listener configuration of that container.
  When I enable it ( the Client Authentication ) on the http listener for either containers the https connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." . On IE, it prompts for a Certificate to be sent to the container and when I provide none, then it gives me the same error as Firefox. In both cases no page was presented.
  Basically what I need is for both authentication methods described before to work! So, asking the certificate ( specially if it wasn't the AM asking for it ) without giving the user a chance to use a user/password combination isn't what is wanted.
  From what I gathered the "Client Authentication" makes this http listener need a certificate to be presented always .
  So, my first question is : is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
  2- I'll probably need to code a costum module for this scenario I'm working in because of client requisits, but if possible I would like to use the provided module. Still, in case I need to make on, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
  3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
  All for now,
  Thank you all for your help
  Rp

  Hi Rp,
  We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes it is possible to use both method at the same time i.e. Use certificate first and then fallback to LDAP.
  First you need to configure AM's webcontainer to accept the certificate. From your message it is clear that you have done that. The only mistake that you did is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication as optional. It means that Certificate will be transferred only when it is available otherwise Web Container will not ask for the Certificate. You will have to search Glassfish website or ASEE 9.1 manual to learn how to make the Client-Authentication Optional. You definitely need this authentication optional as Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
  Secondly, In AM 7.1, you will have to Set up the Authentication chaining. Where you can make Certificate Module as Sufficient and LDAP module as REQUIRED.
  Thirdly, if you are using an non ocsp based certificate then change the ocsp checking in AMConfig.properties to false.
  Fourth, You may have to write a small custom code to get the profile from your external sources. (if you need to then I can tell you how).
  HTH,
  Vivek

• Certificate Based Authentication and SSL

  To whom it may concern,
  I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
  Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
  Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
  I am running my Messenger express (http) like this :
  http://testing.xyz.com:8100
  (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
  https://testing.xyz.com:8100 also,
  http://testing.xyz.com:443 also,
  https://testing.xyz.com:443 also,
  but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
  And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
  Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
  Thanking you,
  Farhan Ahmed,
  System Engineer
  Dubai, UAE.

  Dear jay,
  I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
  [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
  i got this line from the http log:
  [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
  Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
  Thanking you,
  Farhan Ahmed,
  System Engineer,
  Dubai Internet City, Dubai, UAE.

• OWA and ActiveSync certificate based authentication

  I have Exchange 2013 CU3 installed and want to activate the certificate based authentication for ActiveSync and OWA. But I want to have the login without certificate as well for users without a certificate.
  I already found some information how to do that on Exchange 2010 and I already did all steps to activate it.
  But at one point I cant find anything to configure in Exchange 2013. So I have activated the AD certificate based authentication in ISS and configured the OWA folder in IIS to accept client certificates. This seems to work as I get asked to use the certificate
  when I open the OWA page. But then I am landing on the OWA login page where I have to enter username and password.
  So it seems that I am missing something. In the tutorials for Exchange 2010 they activate the certificate based authentication in the Management console. But I cant find anything in ECP to activate.
  Can anyone help me?

  Hi,
  We can create an additional Web Site in IIS to configure additional OWA and ECP virtual directory for external access. And configuring the Default Web Site for internal access.
  Then we can configure internal one with Integrated Windows authentication and Basic authentication while the external one configured for forms-based authentication of Domain\user name format. For more information about
  Configuring Multiple OWA/ECP Virtual Directories, we can refer to:
  https://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
  Thanks,
  Winnie Liang
  TechNet Community Support

• Certificate based protection and an error message

  We have several Windows 2003 servers in our untrusted domain which we backup with DPM using certificate based authentication. All but one appear to work without any problems.
  One which keeps failing throws the following error message which I am not able to make sense or find any information as to what to do next.
  Before the failure, Consistency check hangs for up to 10 minutes and fails with the following error:
  The DPM service was unable to communicate with the protection agent on W2003Server.dmz.domain.com. (ID 52 Details: The client and server cannot communicate, because they do not possess a common algorithm (0x80090331))
  Any ideas please?

  We are having the same exact issue at our company. If you have any idea on how to resolve this issue please post.
  Thanks

• Anyconnect 3.1 and user certificate-based authentication

  Hi experts,
  I'm trying to test a basic full tunnel VPN connection from Anyconnect 3.1 installed on a Windows 7 machine to a Cisco ASA, using only certificate authentication.
  Steps i took:
  1) I've created a Windows 2008 certificate authority for testing, and imported the root CA certificate into both the Windows 7 client and into Cisco ASA
  2) I generated a certificate signing request on the W7 client, got that signed by W2008 CA and imported the signed certificate into W7. Both user certificate and root CA are in the personal certificate store
  3) On ASA, I've also generated a certificate signing request, got that signed by W2008 CA and imported the signed certificate back in ASA
  I then used ASDM to configure ASA to support Anyconnect on its untrust interface.
  When I use Anyconnect on the W7 client to connect to ASA, I got "No valid certificates available for authentication" and "certificate validation failure" messages as seen in the below screenshot
  I can confirm that both user and root CA certificate exist in the personal certificate store
  The corresponding ASA configuration and debug output are shown in the attached txt file. On the ASA, I've made sure its ID certificate has CN=<public IP of ASA> since I don't have a DNS setup in place.
  Can anyone suggest what could be wrong with my setup?

  Problem has been fixed by using IP address instead of hostname in the Anyconnect Client profile, since I don't have a DNS setup in my environment.
  Once that is done I was able to connect and authenticate using user certificates.
  ASA1# sh vpn-sessiondb detail anycon
  Session Type: AnyConnect Detailed
  Username     : cisco                  Index        : 2
  Assigned IP  : 10.5.1.100             Public IP    : 10.3.1.10
  Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
  License      : AnyConnect Premium
  Encryption   : AES256                 Hashing      : none SHA1
  Bytes Tx     : 0                      Bytes Rx     : 30758
  Pkts Tx      : 0                      Pkts Rx      : 195
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Group Policy : GroupPolicy_VPN-CP1    Tunnel Group : VPN-CP1
  Login Time   : 06:40:49 UTC Wed Feb 19 2014
  Duration     : 0h:07m:38s
  Inactivity   : 0h:00m:00s
  NAC Result   : Unknown
  VLAN Mapping : N/A                    VLAN         : none
  IKEv2 Tunnels: 1
  IPsecOverNatT Tunnels: 1
  AnyConnect-Parent Tunnels: 1
  AnyConnect-Parent:
    Tunnel ID    : 2.1
    Public IP    : 10.3.1.10
    Encryption   : none                   Auth Mode    : Certificate
    Idle Time Out: 30 Minutes             Idle TO Left : 22 Minutes
    Client Type  : AnyConnect
    Client Ver   : 3.1.05152
  IKEv2:
    Tunnel ID    : 2.2
    UDP Src Port : 50530                  UDP Dst Port : 4500
    Rem Auth Mode: Certificate
    Loc Auth Mode: rsaCertificate
    Encryption   : AES256                 Hashing      : SHA1
    Rekey Int (T): 86400 Seconds          Rekey Left(T): 85941 Seconds
    PRF          : SHA1                   D/H Group    : 5
    Filter Name  :
    Client OS    : Windows
  IPsecOverNatT:
    Tunnel ID    : 2.3
    Local Addr   : 0.0.0.0/0.0.0.0/0/0
    Remote Addr  : 10.5.1.100/255.255.255.255/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 28341 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607970 K-Bytes
    Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
    Bytes Tx     : 0                      Bytes Rx     : 31218
    Pkts Tx      : 0                      Pkts Rx      : 196
  NAC:
    Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
    SQ Int (T)   : 0 Seconds              EoU Age(T)   : 459 Seconds
    Hold Left (T): 0 Seconds              Posture Token:
    Redirect URL :

• VPN and Certificates fun

  I've been trying to get the iPhone VPN to work with a self-signed cert to no avail. I generated the cert using Windows 2008r2 certificate services, exported the server and root and put into the ICU and my Cisco vpn (using ipsec of course).
  In the ICU VPN section, under Identifity Certificate, it doesn't seem to recognize that I have the certs loaded. Please see http://imgur.com/KypuN. The server name and certs match where they should, and I know I'm missing something obvious here, but just can't find the problem.
  Any help would be appreciated.

  I was able to find the issue. I have tested the Scenario with a Surface RT 8.1. I enrolled the device to SCCM/Intune and get a certficate with NDES. Then I have added a VPN Connection and try to connect. Windows ask for SmartCard. But
  the certficate isn't Smartcard. So I added second VPN Connection to a Microsoft VPN and try to connect with same certificate. No question about Smartcard and the connection is established fine. Than I could remind the Options of certficate profiles (TPM or
  Software Key Storage). I' ve selected TPM in my initial configuration. I changed it to Software Key Storage and reenroll to Intune to force certficate deployment. After receiving the new certificate I tried again on my Surface and the Juniper VPN Connection
  were established. I reenrolled my Windows Phone to Intune and after I received the new certificate I were able to connect my Windows Phone to Juniper VPN too.
  So I think the Problem is that the Juniper 3rd Party api is not allowed to access TPM or it is done the wrong way.
  I hope this helps.
  Kind regards
  Denis