Anyconnect 3.1 and certificate authentication

I am doing a proof of concept with AnyConnect and certificate authentication. With 3.0 I was able to do this with a certificate from my CA and a client cert on a smartcard. I have upgraded to 3.1 and now it doesn't work anymore (I need 3.1 and ASA 9.0 because of IPv6 split-tunneling).
Reading the forum I got some info that the ASA cert must have an EKU value of 'Server Authentication' and the client cert must have a similar EKU (Client Auth).
Is this mandatory or is there a way around this?

Just to add to this.
AnyConnect 3.1 started KU enforcement, but typically it will drop a warning you can accept (annoying but not blocking).
EKU is something that, for the time being, the ASA will not enforce; plus it's only needed for IKEv2/IPsec. AFAIR SSL will work without it, unless there have been big changes I'm not aware of.
One can also argue that EKU will not, strictly speaking, be enforced in the future of IKEv2.
Vide:
http://tools.ietf.org/html/rfc4945
5.1.3.12.  ExtendedKeyUsage
M.

Similar Messages

  • Mail for Exchange and certificate authentication -...

    Okay, it works on the Windows Mobile browser starting 2003 and the BlackBerry browser since 2007.
    It's not working on these fancy Linuxes (moo-boo or moeba or whatever its name is?), but well, what else can you expect from poorly tested code with no compatibility or standards in mind?
    I wonder what is stopping Symbian from properly supporting certificate standards, while they finally managed to support the ActiveSync specification. Lazy programmers? Do they steal too much code from open source?
    Nokia, your devices will never succeed if you keep making Ovi-style "features" instead of things people need to work better. We pay for your phones, do you remember that?

    Go to your Outlook Web Access website, click on the lock and then View Certificate. Then Details, and you can save it in DER format to your desktop.
    Then go to this site:
    http://www.redelijkheid.com/symcaimport/, insert it through the Browse button and then copy the link to your phone.
    Then you should be able to download it.
    You can also go to your IIS default site on the Exchange server, Directory Security, and export your certificate under Edit Certificate.
    I have tried everything now. I can download my certificate and the ValiCert one from GoDaddy, but the Nokia phone is still saying "do you trust this certificate" every time the phone syncs.
    Our firm has taken the E-phones away now and gone over to Windows Mobile, and all of them worked within 10 minutes without any errors.
    The funny thing is that when you try to call Nokia, they won't help you with Mail for Exchange, and it is their program.
    I know my GoDaddy certificate works on Windows Mobile phones, so it must be something with Mail for Exchange.
    Every guy I talked to about Symbian phones has told me they always give problems with SSL. I am a bit **bleep**, but can conclude that Nokia is for the private consumer.
    Best Regards
    Morten @ Denmark
    Message Edited by asp3200 on 02-May-2008 08:37 AM

  • SSL VPN with machine certificate authentication

    Hi All,
    I've configured a VPN profile for an AnyConnect VPN connection in my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good...
    Now I've configured the same in our production environment and can't get it to work! The AnyConnect client shows an error: "certificate validation failure".
    The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate? Does someone have an explanation for that?
    BTW, we have other VPN configurations on the same production/live ASAs with certificate authentication that are working and show up in the debugging.
    Thanks in advance for your help
    Hardware is ASA5540, software version 8.2(5).
    Some pieces of the configuration below:
    group-policy VPN4TEST-Policy internal
    group-policy VPN4TEST-Policy attributes
     wins-server value xx.xx.xx.xx
     dns-server value xx.xx.xx.xx
     vpn-simultaneous-logins 1
     vpn-idle-timeout 60
     vpn-filter value VPN4TEST_allow_access
     vpn-tunnel-protocol IPSec svc webvpn
     group-lock none
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     default-domain value cs.ad.klmcorp.net
     vlan 44
     nac-settings none
     address-pools value VPN4TEST-xxx
     webvpn
      svc modules value vpngina
      svc profiles value KLM-SSL-VPN-VPN4TEST
    tunnel-group VPN4TEST-VPN type remote-access
    tunnel-group VPN4TEST-VPN general-attributes
     address-pool VPN4TEST-xxx
     authentication-server-group RSA-7-Authent
     default-group-policy VPN4TEST-Policy
    tunnel-group VPN4TEST-VPN webvpn-attributes
     authentication aaa certificate
     group-alias VPN4TEST-ANYCONNECT enable

    Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with AnyConnect versions 3.1.02.040 and 3.0.0.629.

  • Can we run AnyConnect using self signed certificates?

    I have a lab in which I want to build a laptop-to-ASA remote access tunnel using AnyConnect.
    I understand AnyConnect requires IKEv2 and certificates.
    It does not allow for pre-shared passwords, like the VPN Client does.
    Is there a way I can build the lab without getting a certificate?

    AnyConnect does not require certificates if you use SSL VPN (vs. IKEv2 IPsec VPN). On an SSL VPN you can use local authentication on the ASA or external authentication to AD, LDAP, RADIUS, etc. (in addition to or instead of certificates).
    If you want to use IKEv2 and certificate authentication you can use either the ASA itself as the CA server or proxy (via SCEP) to an internal CA (e.g. a Windows server with Certificate Services). There are some other possible methods (such as the way you asked about) but in my experience they are not commonly used, as few users have the knowledge or desire to go that route. Most organizations using client certificates deploy them from an internal root CA.

  • Anyconnect web install getting certificate validation failure.

    I have an ASA (8.4.5) configured with a connection profile that does AAA and certificate authentication. Once I have AnyConnect 3.1 on a Windows XP system, it works perfectly. When I do a web install, it goes through the normal download, log-in and re-download, then says "Certificate Authentication Failure". If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC.
    Any ideas why this is not working?

    The client PC has a machine certificate. The ASA has a copy of the certificate from the CA that signed the machine cert. I am logging in with a user account, not an admin account. Note that if AnyConnect is installed on the client PC, I can use it to connect just fine. It's only the web install that fails. Below is the output of debug crypto ca 255:
    asa-vpn-1/act# CERT_API: Authenticate session 0x30c0bcbf, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x30c0bcbf
    CERT_API: Async locked for session 0x30c0bcbf
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    89 c7 b4 60 20 08 0c a9 6f a0 49 67 6f f5 4e 51    |  ...` ...o.Igo.NQ
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x30c0bcbf asynchronously
    CERT_API: Async unlocked for session 0x30c0bcbf
    CERT_API: process msg cmd=1, session=0x30c0bcbf
    CERT_API: Async locked for session 0x30c0bcbf
    CERT_API: Async unlocked for session 0x30c0bcbf
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x310022b5, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x310022b5
    CERT_API: Async locked for session 0x310022b5
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    89 c7 b4 60 20 08 0c a9 6f a0 49 67 6f f5 4e 51    |  ...` ...o.Igo.NQ
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x310022b5 asynchronously
    CERT_API: Async unlocked for session 0x310022b5
    CERT_API: process msg cmd=1, session=0x310022b5
    CERT_API: Async locked for session 0x310022b5
    CERT_API: Async unlocked for session 0x310022b5
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x314d3205, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x314d3205
    CERT_API: Async locked for session 0x314d3205
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f    |  ......*.._....>.
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x314d3205 asynchronously
    CERT_API: Async unlocked for session 0x314d3205
    CERT_API: process msg cmd=1, session=0x314d3205
    CERT_API: Async locked for session 0x314d3205
    CERT_API: Async unlocked for session 0x314d3205
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x31ad6583, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x31ad6583
    CERT_API: Async locked for session 0x31ad6583
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f    |  ......*.._....>.
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x31ad6583 asynchronously
    CERT_API: Async unlocked for session 0x31ad6583
    CERT_API: process msg cmd=1, session=0x31ad6583
    CERT_API: Async locked for session 0x31ad6583
    CERT_API: Async unlocked for session 0x31ad6583
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x31c167bb, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x31c167bb
    CERT_API: Async locked for session 0x31c167bb
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f    |  ......*.._....>.
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x31c167bb asynchronously
    CERT_API: Async unlocked for session 0x31c167bb
    CERT_API: process msg cmd=1, session=0x31c167bb
    CERT_API: Async locked for session 0x31c167bb
    CERT_API: Async unlocked for session 0x31c167bb
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x3209b801, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x3209b801
    CERT_API: Async locked for session 0x3209b801
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x3209b801 asynchronously
    CERT_API: Async unlocked for session 0x3209b801
    CERT_API: process msg cmd=1, session=0x3209b801
    CERT_API: Async locked for session 0x3209b801
    CERT_API: Async unlocked for session 0x3209b801
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x3266eb61, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x3266eb61
    CERT_API: Async locked for session 0x3266eb61
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x3266eb61 asynchronously
    CERT_API: Async unlocked for session 0x3266eb61
    CERT_API: process msg cmd=1, session=0x3266eb61
    CERT_API: Async locked for session 0x3266eb61
    CERT_API: Async unlocked for session 0x3266eb61
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x328359af, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x328359af
    CERT_API: Async locked for session 0x328359af
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x328359af asynchronously
    CERT_API: Async unlocked for session 0x328359af
    CERT_API: process msg cmd=1, session=0x328359af
    CERT_API: Async locked for session 0x328359af
    CERT_API: Async unlocked for session 0x328359af
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x32c7c677, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x32c7c677
    CERT_API: Async locked for session 0x32c7c677
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x32c7c677 asynchronously
    CERT_API: Async unlocked for session 0x32c7c677
    CERT_API: process msg cmd=1, session=0x32c7c677
    CERT_API: Async locked for session 0x32c7c677
    CERT_API: Async unlocked for session 0x32c7c677
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x3305560d, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x3305560d
    CERT_API: Async locked for session 0x3305560d
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x3305560d asynchronously
    CERT_API: Async unlocked for session 0x3305560d
    CERT_API: process msg cmd=1, session=0x3305560d
    CERT_API: Async locked for session 0x3305560d
    CERT_API: Async unlocked for session 0x3305560d
    CERT API thread sleeps!
    CERT_API: Authenticate session 0x3378de7d, non-blocking cb=0x08eb6950
    CERT API thread wakes up!
    CERT_API: process msg cmd=0, session=0x3378de7d
    CERT_API: Async locked for session 0x3378de7d
    CRYPTO_PKI: Checking to see if an identical cert is
    already in the database...
    CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
    cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...
    CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
    CRYPTO_PKI: Cert not found in database.
    CRYPTO_PKI: Looking for suitable trustpoints...
    CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
    CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
    CERT_API: calling user callback=0x08eb6950 with status=1
    CERT_API: Close session 0x3378de7d asynchronously
    CERT_API: Async unlocked for session 0x3378de7d
    CERT_API: process msg cmd=1, session=0x3378de7d
    CERT_API: Async locked for session 0x3378de7d
    CERT_API: Async unlocked for session 0x3378de7d
    CERT API thread sleeps!
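
A way to sift the debug crypto ca 255 output above, as an added example that is not part of the original post and not a Cisco tool: a small POSIX shell/awk summariser that collapses the repeated CERT_API sessions into one line per certificate that failed trustpoint lookup and flags the ones whose subject equals their issuer. Run over the posted output it reports only self-signed cn=CiscoSecureDesktop certificates, which is the thing to compare against the machine certificate the ASA was expected to see. The log excerpt embedded in the block is constructed from the posted lines plus one made-up CA-issued certificate line (cn=laptop01, issuer cn=Example Issuing CA) so the other branch is exercised.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco): collapse the
# repeated CERT_API sessions of "debug crypto ca 255" into one line per
# certificate that failed trustpoint lookup, flagging self-signed ones
# (subject == issuer), so the certificate the ASA is actually being asked
# to validate stands out.
set -eu

# Constructed excerpt: the three serials from the posted output (all
# cn=CiscoSecureDesktop self-signed, one of them repeated) plus one made-up
# CA-issued certificate line so the CHAINED branch is exercised.
DEBUG_LOG='CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 1A2B3C, subject name: cn=laptop01,ou=Workstations,dc=example,dc=net, issuer name: cn=Example Issuing CA,dc=example,dc=net .'

# summarize_trustpoint_failures: debug text on stdin -> one line per distinct
# certificate: KIND serial=... subject="..." issuer="..." failures=N
# DNs themselves contain commas, so the fields are cut at the fixed
# ", subject name: " and ", issuer name: " separators the ASA prints.
summarize_trustpoint_failures() {
  awk '
    /No suitable trustpoints found to validate certificate serial number: / {
      rest   = substr($0, index($0, "serial number: ") + 15)
      j      = index(rest, ", subject name: ")
      serial = substr(rest, 1, j - 1)
      rest   = substr(rest, j + 16)
      k      = index(rest, ", issuer name: ")
      subj   = substr(rest, 1, k - 1)
      iss    = substr(rest, k + 15)
      sub(/ *\.$/, "", iss)                 # the ASA appends " ." to the line
      count[serial SUBSEP subj SUBSEP iss]++
    }
    END {
      for (key in count) {
        split(key, f, SUBSEP)
        kind = (f[2] == f[3]) ? "SELF-SIGNED" : "CHAINED"
        printf "%s serial=%s subject=\"%s\" issuer=\"%s\" failures=%d\n",
               kind, f[1], f[2], f[3], count[key]
      }
    }' | sort
}

# self_signed_count -> number of distinct self-signed certificates that failed
self_signed_count() {
  printf '%s\n' "$DEBUG_LOG" | summarize_trustpoint_failures | grep -c '^SELF-SIGNED'
}

# failures_for SERIAL -> how many times that certificate failed lookup (0 if absent)
failures_for() {
  printf '%s\n' "$DEBUG_LOG" | summarize_trustpoint_failures \
    | awk -v want="serial=$1" 'BEGIN { n = 0 } $2 == want { sub(/.*failures=/, ""); n = $0 } END { print n }'
}

printf '%s\n' "$DEBUG_LOG" | summarize_trustpoint_failures
```

Feed it the real capture with something like "summarize_trustpoint_failures < debug.txt". A SELF-SIGNED line means no trustpoint on the ASA can ever validate that certificate unless the certificate itself is imported as a trustpoint; a CHAINED line tells you which issuer DN to look for under show crypto ca certificates.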

  • Anyconnect 3.1 and user certificate-based authentication

    Hi experts,
    I'm trying to test a basic full-tunnel VPN connection from AnyConnect 3.1 installed on a Windows 7 machine to a Cisco ASA, using only certificate authentication.
    Steps I took:
    1) I've created a Windows 2008 certificate authority for testing, and imported the root CA certificate into both the Windows 7 client and the Cisco ASA.
    2) I generated a certificate signing request on the W7 client, got that signed by the W2008 CA and imported the signed certificate into W7. Both the user certificate and the root CA are in the personal certificate store.
    3) On the ASA, I also generated a certificate signing request, got that signed by the W2008 CA and imported the signed certificate back into the ASA.
    I then used ASDM to configure the ASA to support AnyConnect on its untrusted interface.
    When I use AnyConnect on the W7 client to connect to the ASA, I get "No valid certificates available for authentication" and "certificate validation failure" messages, as seen in the screenshot below.
    I can confirm that both the user and root CA certificates exist in the personal certificate store.
    The corresponding ASA configuration and debug output are shown in the attached txt file. On the ASA, I've made sure its ID certificate has CN=<public IP of ASA>, since I don't have a DNS setup in place.
    Can anyone suggest what could be wrong with my setup?

    The problem has been fixed by using the IP address instead of the hostname in the AnyConnect client profile, since I don't have a DNS setup in my environment.
    Once that was done I was able to connect and authenticate using user certificates.
    ASA1# sh vpn-sessiondb detail anycon
    Session Type: AnyConnect Detailed
    Username     : cisco                  Index        : 2
    Assigned IP  : 10.5.1.100             Public IP    : 10.3.1.10
    Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
    License      : AnyConnect Premium
    Encryption   : AES256                 Hashing      : none SHA1
    Bytes Tx     : 0                      Bytes Rx     : 30758
    Pkts Tx      : 0                      Pkts Rx      : 195
    Pkts Tx Drop : 0                      Pkts Rx Drop : 0
    Group Policy : GroupPolicy_VPN-CP1    Tunnel Group : VPN-CP1
    Login Time   : 06:40:49 UTC Wed Feb 19 2014
    Duration     : 0h:07m:38s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none
    IKEv2 Tunnels: 1
    IPsecOverNatT Tunnels: 1
    AnyConnect-Parent Tunnels: 1
    AnyConnect-Parent:
      Tunnel ID    : 2.1
      Public IP    : 10.3.1.10
      Encryption   : none                   Auth Mode    : Certificate
      Idle Time Out: 30 Minutes             Idle TO Left : 22 Minutes
      Client Type  : AnyConnect
      Client Ver   : 3.1.05152
    IKEv2:
      Tunnel ID    : 2.2
      UDP Src Port : 50530                  UDP Dst Port : 4500
      Rem Auth Mode: Certificate
      Loc Auth Mode: rsaCertificate
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 85941 Seconds
      PRF          : SHA1                   D/H Group    : 5
      Filter Name  :
      Client OS    : Windows
    IPsecOverNatT:
      Tunnel ID    : 2.3
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.5.1.100/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28341 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607970 K-Bytes
      Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
      Bytes Tx     : 0                      Bytes Rx     : 31218
      Pkts Tx      : 0                      Pkts Rx      : 196
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 459 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
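
The KU/EKU points from the first reply in this thread (AnyConnect 3.1 warning on KU; serverAuth on the gateway cert and clientAuth on the client cert being what the forum advice asks for) and the fix in the post just above (the client profile must point at a name or address the ASA's certificate actually covers) can both be checked on a certificate before it is loaded. The block below is an added example, not code from the original posts and not a Cisco tool: it generates throw-away self-signed certificates with OpenSSL (1.1.1 or newer, for the -addext and -ext options) and then checks EKU, KU and SAN the way a practitioner would before enrolling them. Every name (vpn.example.net, alice, bob) and address (203.0.113.10, 198.51.100.7) is made up.

```shell
#!/bin/sh
# Added example (not from the original posts): generate throw-away test
# certificates and check the properties this thread turns on:
#   gateway (ASA) cert : EKU serverAuth + a SAN that covers the host string
#                        the client profile uses (DNS name or IP)
#   client (user) cert : EKU clientAuth + KU digitalSignature
# Needs OpenSSL 1.1.1 or newer (-addext / -ext). Every name and IP is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT [EXT ...]  -> self-signed $WORK/NAME.pem (+ .key)
# Each EXT is an x509v3 extension line, e.g. "extendedKeyUsage=serverAuth".
make_cert() {
  name=$1; subj=$2; shift 2
  for ext in "$@"; do set -- "$@" -addext "$ext"; shift; done
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" "$@" 2>/dev/null
}

# ext_text CERT EXTNAME -> printed value of one X509v3 extension ("" if absent),
# e.g. "TLS Web Server Authentication" or "DNS:vpn.example.net, IP Address:203.0.113.10"
ext_text() {
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null \
    | awk 'NR > 1 { sub(/^ +/, ""); printf "%s", $0 }'
}

# has_value CERT EXTNAME ENTRY -> true if ENTRY is one of the comma-separated
# entries of that extension (whole-entry match, so DNS:vpn.example does not
# match DNS:vpn.example.net)
has_value() {
  case ", $(ext_text "$1" "$2")," in
    *", $3,"*) return 0 ;;
    *)         return 1 ;;
  esac
}

# check_gateway_cert CERT TARGET -> 0 if the cert is fit for a client that
# connects to TARGET (the DNS name or IP written in the AnyConnect profile)
check_gateway_cert() {
  rc=0
  has_value "$1" extendedKeyUsage "TLS Web Server Authentication" \
    || { echo "gateway cert: missing EKU serverAuth"; rc=1; }
  has_value "$1" subjectAltName "DNS:$2" || has_value "$1" subjectAltName "IP Address:$2" \
    || { echo "gateway cert: SAN does not cover '$2' (fix the SAN or point the profile at a covered name)"; rc=1; }
  return $rc
}

# check_client_cert CERT -> 0 if the cert carries clientAuth EKU and a signing KU
check_client_cert() {
  rc=0
  has_value "$1" extendedKeyUsage "TLS Web Client Authentication" \
    || { echo "client cert: missing EKU clientAuth"; rc=1; }
  has_value "$1" keyUsage "Digital Signature" \
    || { echo "client cert: KU lacks digitalSignature"; rc=1; }
  return $rc
}

# Constructed test material: one gateway cert, one good client cert, one client
# cert issued without any EKU (the situation the forum advice warns about).
make_cert asa "/CN=vpn.example.net" \
  "extendedKeyUsage=serverAuth" \
  "subjectAltName=DNS:vpn.example.net,IP:203.0.113.10"
make_cert alice "/CN=alice" \
  "keyUsage=digitalSignature,keyEncipherment" \
  "extendedKeyUsage=clientAuth"
make_cert bob "/CN=bob" \
  "keyUsage=digitalSignature,keyEncipherment"

check_gateway_cert "$WORK/asa.pem" vpn.example.net && echo "gateway cert OK for vpn.example.net"
check_gateway_cert "$WORK/asa.pem" 203.0.113.10   && echo "gateway cert OK for 203.0.113.10"
check_gateway_cert "$WORK/asa.pem" 198.51.100.7   || echo "  (expected: that address is not in the SAN)"
check_client_cert  "$WORK/alice.pem"              && echo "client cert alice OK"
check_client_cert  "$WORK/bob.pem"                || echo "  (expected: bob has no clientAuth EKU)"
```

These checks look only at what is inside the certificate; they do not reproduce the ASA's or AnyConnect's own policy (per the reply above, the ASA does not enforce EKU on SSL and AnyConnect's KU enforcement is a warning), so a certificate that fails here may still connect and one that passes can still be rejected for chain or revocation reasons. For a real gateway certificate, run check_gateway_cert against the exact host string in the client profile, because that string, not the hostname you type in a browser, is what the client compares with the certificate.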

  • SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

    Hello,
    I have a problem regarding authentication with a certificate from the iPhone AnyConnect 2.5 client to a Cisco 1802 router.
    Cisco 1802 Router:
    Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
    First I configured SSLVPN with username and password; in this configuration the AnyConnect client on my iPhone works.
    Then I enrolled a certificate from my Windows 2008 R2 CA to the router with the attributes Server Authentication and IPsec,
    and I enrolled a certificate for my iPhone with Client Authentication and IPsec.
    After a bunch of time (I really could not find any really good documentation on how to do this) I got it done; in the webvpn context configuration I made these changes:
    no aaa authentication list default
    authentication certificate
    ca trustpoint CA
    As the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if I want only certificate authentication I have to use the "authentication certificate" command and that's it.
    As I look into the debugs it seems to me that the router accepts the certificate of the iPhone, but then I receive a window on the iPhone that wants an additional username and password authentication, and no matter what I enter there's always the same dialog coming back.
    Any ideas what the problem could be?
    Here is the configuration:
    webvpn gateway WEBVPN_GW_OFFICE2
     ip interface Dialer0 port 1444
     ssl trustpoint CA
     inservice
    webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
    webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
    webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
    webvpn context WEBVPN_CONTEXT2
     secondary-color white
     title-color #669999
     text-color black
     ssl authenticate verify all
     policy group WEBVPN_POLICY2
       functions svc-enabled
       mask-urls
       svc address-pool "SSLVPN_OFFICE1"
       svc default-domain "domain.internal"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary 192.168.53.33
       svc dns-server secondary 192.168.53.35
     virtual-template 3
     default-group-policy WEBVPN_POLICY2
     gateway WEBVPN_GW_OFFICE2
     authentication certificate
     ca trustpoint CA
     inservice
    Here is the debug:
    OfficeRouter1# PASSING appctx is [0x89FAFFCC]
    Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
          offset: 0, domain: 0)
    Nov 19 22:39:53.607: WV: http request: / with no cookie
    Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
    Nov 19 22:39:53.607: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:39:53.607: WV: Trustpoint match successful
    Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
    Nov 19 22:39:53.607: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
    Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
    Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
    BueroRouter1# PASSING appctx is [0x89FAEEC4]
    Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
          offset: 0, domain: 0)
    Nov 19 22:40:24.132: WV: http request: / with no cookie
    Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
    Nov 19 22:40:24.132: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:40:24.132: WV: Trustpoint match successful
    Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
    Nov 19 22:40:24.132: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
    Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
    Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
          offset: 0, domain: 0)
    Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
    Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
    Nov 19 22:40:39.892: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:40:39.892: WV: Trustpoint match successful
    Nov 19 22:40:39.892: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
    Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
    Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

    Hi,
    Refer to the AnyConnect VPN Client FAQ:
    http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
    Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
    A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

  • Client certificate authentication fails when the CA list sent by server is big and the list goes in 2 encrypted messages.

    I checked with the IE browser (on Windows and Mac) and Mac Safari packet captures. The CA certificate list is sent by the server in 2 messages as the list is too big. I compared the packet-by-packet exchanges in both browsers. It is the same until the TLSv1 handshake is done for the LDAP certificate authentication. It works fine in IE without any issues even though the certificate list is divided into 2 messages.
    In the case of Safari, after the TLSv1 handshake is done successfully, it again sends an SSLv3 'Client Hello' message and initiates the whole handshake process again, and the server responds to it too until the handshake is complete. But it breaks after that, with the server showing 'Can't establish secure connection' at the browser.
    The issue occurs only in the case of Mac Safari for a big list of CA certs, >150 (where it crosses the max limit), from the server. It is not clear why Safari alone is switching from TLSv1 to SSLv3 in this scenario.
    NOTE: With a shorter list of CA certs at the server, when it goes in one message, Safari works fine, all messages are only TLSv1 and it does not repeat the handshake process.
    I have checked on Safari versions 5 and 6.0.3 on OS X Mountain Lion.
    Is there any specific reason why Mac Safari behaves like this, or does something need to be done at the server?
    Any help would be appreciated.
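Added example, not part of the thread above: a Python model of the record-layer behaviour the post describes. A TLS 1.0 server sends the list of acceptable CA names inside the CertificateRequest handshake message; RFC 2246 caps a record fragment at 2^14 bytes, so a long certificate_authorities list is legitimately split across several records, and the client is expected to reassemble the fragments before parsing the message, which is consistent with the post's observation that IE copes with the two-message case. The issuer names below are constructed placeholders, not real CA DNs, and the record and handshake encoders are this example's own minimal implementation, not Safari's or the server's code.

```python
"""Model of a TLS 1.0 CertificateRequest too large for one record (RFC 2246)."""
import struct

TLS_RECORD_MAX = 16384          # 2^14-byte fragment limit, RFC 2246 section 6.2.1
CONTENT_HANDSHAKE = 22
HS_CERTIFICATE_REQUEST = 13
TLS1_0 = 0x0301


def build_certificate_request(dns, cert_types=b"\x01"):
    """Encode a CertificateRequest handshake message (RFC 2246 section 7.4.4).

    dns is a list of DER-encoded DistinguishedName values; in this example they
    are constructed placeholders, not real CA names."""
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    body = (struct.pack("!B", len(cert_types)) + cert_types
            + struct.pack("!H", len(cas)) + cas)
    return struct.pack("!B", HS_CERTIFICATE_REQUEST) + len(body).to_bytes(3, "big") + body


def fragment_into_records(msg, max_frag=TLS_RECORD_MAX):
    """Split one handshake message across TLS records the way a server does."""
    records = []
    for off in range(0, len(msg), max_frag):
        frag = msg[off:off + max_frag]
        records.append(struct.pack("!BHH", CONTENT_HANDSHAKE, TLS1_0, len(frag)) + frag)
    return records


def reassemble_handshake(records):
    """Client side: concatenate handshake fragments, then cut out whole messages.

    Returns (messages, leftover): messages is a list of (type, body); leftover
    holds a message whose tail has not arrived yet."""
    buf = b""
    for rec in records:
        ctype, version, length = struct.unpack("!BHH", rec[:5])
        if ctype != CONTENT_HANDSHAKE or version != TLS1_0:
            raise ValueError("unexpected record header %r" % (rec[:5],))
        if length > TLS_RECORD_MAX or len(rec) != 5 + length:
            raise ValueError("bad record length %d" % length)
        buf += rec[5:]
    messages = []
    while len(buf) >= 4:
        mtype, mlen = buf[0], int.from_bytes(buf[1:4], "big")
        if len(buf) < 4 + mlen:
            break                      # message continues in a later record
        messages.append((mtype, buf[4:4 + mlen]))
        buf = buf[4 + mlen:]
    return messages, buf


def parse_certificate_request(body):
    """Return (cert_types, [dn, ...]) from a reassembled CertificateRequest body."""
    n = body[0]
    cert_types, off = body[1:1 + n], 1 + n
    cas_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + cas_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    dns = []
    while off < end:
        dn_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        dns.append(body[off:off + dn_len])
        off += dn_len
    return cert_types, dns


# Constructed sample: 200 fake issuer names of 127 bytes each, about 25 KB in total
SAMPLE_DNS = [b"CN=Issuing CA %03d,O=Example" % i + b"X" * 100 for i in range(200)]


def demo(dns=SAMPLE_DNS):
    """Server builds and fragments; client reassembles and parses. Returns stats."""
    msg = build_certificate_request(dns)
    records = fragment_into_records(msg)
    messages, leftover = reassemble_handshake(records)
    (mtype, body), = messages
    cert_types, parsed = parse_certificate_request(body)
    return {"message_len": len(msg), "records": len(records), "ca_count": len(parsed),
            "roundtrip_ok": (mtype == HS_CERTIFICATE_REQUEST and not leftover
                             and parsed == list(dns))}


if __name__ == "__main__":
    print(demo())                   # the 200-name list needs two records
    print(demo(SAMPLE_DNS[:20]))    # a short list fits in one record
```

With the full list, one CertificateRequest message spans two records; with 20 names it fits in one, which matches the post's observation that the problem only appears with a long CA list. Feeding `reassemble_handshake` only the first record returns no complete message and a 16384-byte leftover, which is the state a client must tolerate while it waits for the rest. The model only shows that the server's fragmentation is spec-conformant; it cannot tell you why Safari falls back to SSLv3 at that point.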

  • Considerations for 802.1x Port Based and Wi-Fi Certificate Authentication

    Lately, we have been going back and forth with the thought of doing certificate authentication for Wi-Fi and port. We have Server 2012 PKI and CA and it seems fairly straightforward to pump out a certificate to a user and have them authenticate with their certificate to a RADIUS/NPS. However, every time I mention our thoughts with consultants or others they seem to cringe, saying that they've seen this deployment cripple networks.
    We have almost 50 branch retail locations (with hub-spoke topology - all have VPN tunnels to corporate and also a disaster recovery location) and their internet isn't always super stable, and they absolutely need to have network access at all times because they are running Point Of Sale. Right now, if their internet fails, they can remain functional because we have the necessary pieces at all locations to keep a Windows network going, but I'm afraid that if we force 802.1x certificate authentication for the switch ports and Wi-Fi, then if their internet goes down they won't be able to authenticate since the authentication server will be at corporate. I am curious as to how people deal with:
    1. Fail over to a disaster recovery authentication server if the corporate connection goes down
    2. If internet fails locally and the branch can no longer communicate with any authentication server. Is there some sort of scale-out? It seems complicated since (if I'm not mistaken) it needs access to the CRL to validate certificates and also a Network Policy Server for the authentication and so on.
    What we're really trying to accomplish is to prevent people from bringing in a laptop or device with an Ethernet port, removing an existing device and plugging into the port in its place. MAC filtering doesn't seem like a good solution on a large scale, nor a super secure option, so 802.1x certificate authentication seemed the most flexible without having to go full NAP/NAC. Anyhow, sorry for the lengthy post and I really appreciate your time in advance!

    Re-authentication could be triggered by the NPS, the switch / AP or the client:
    NPS: There are a number of attributes to be configured in the Network Policy that determine the time a machine can remain connected, such as Idle Timeout and Session Timeout. (When WEP was still common the session timeout had been used to enforce a change of the insecure key.) Otherwise, the machine should remain connected as far as NPS is concerned.
    Switch / AP: Depends on the configuration, e.g. re-authentication has to be triggered if the link went down. If a user plugs a cable or accidentally disables WLAN on his machine while the internet link is down, he will not be able to reconnect. Then I have seen some options similar to the NPS options, and switches could have their own session timeouts or be configured to respect the RADIUS server's setting.
    Client: The term "re-authentication" is also used for what happens if you have to / want to use both machine and user authentication: When the machine starts up, the machine account is authenticated; when the user logs on, the user is authenticated; when the user logs off, the machine is authenticated again. Per GPO you configure the machines for this kind of re-authentication (the default) or use machine-only or user-only authentication instead.
    It might be a challenge to manage and test these settings if you have to support many different APs / switches and different WLAN devices.
    I would recommend carefully testing it with a pilot group of users.
    Would you have any chance to turn off 802.1x on the switches / APs in case of a major outage? I guess not, as you would be able to manage them remotely?

  • 6.1 SP 2 certificate authenticator fails with Apache plugin and SSL

    Hi,
    Does anybody have a certificate authenticator working in WebLogic 6.1
    SP 2, in combination with the Apache HTTP Server plugin and SSL?
    We implemented a certificate authenticator that works correctly in
    WebLogic 6.1 SP 2 when we configure SSL with "Client Certificate
    Required", and access it directly from a browser (the browser hits the
    SSL port of the WebLogic server, like 7002).
    This certificate authenticator also works correctly with a proxy web
    server. We set up a Stronghold server (web server based on Apache) on
    Linux with the Apache HTTP Server plugin from BEA, configured the
    plugin to use SSL, and configured our WebLogic 6.1 SP 1 server without
    "Client Certificate Required". The certificate authenticator gets the
    end user's certificate correctly.
    This same architecture with the proxy web server does not work when we
    upgrade the WebLogic Server to SP 2. WebLogic Server logs the
    "incorrect or missing client cert" error, our certificate
    authenticator is never called, and the browser gets a 401 Unauthorized
    error.
    We looked all over the WebLogic 6.1 SP 2 installation for a newer
    version of the plugin (mod_wl_ssl.so) and found the same version as SP
    1. We double-checked that it was the Linux-specific installer
    (because we'd found that some Linux libraries are missing from the
    generic installer). So it appears to us that the plugin encodes the
    certificate in the request header in such a way that a SP 1 server can
    extract it, but an SP 2 server cannot. We were wondering whether
    there might be changes to the plugin to stay in step with the SP 2
    server that never got ported to Linux, or whether an updated Linux
    plugin never got included in the installer packages.
    So: has anybody gotten a system like
    Apache/Stronghold + WebLogic Plugin <-- SSL --> WebLogic 6.1 SP 2 +
    Cert Auth
    to work?
    Thanks in advance for any help,
    Jim Doyle
    [email protected]

    A correction, I think:
    Now that I rolled back a system to 6.1 SP 1, it looks like 6.1 SP 1
    does include a different mod_wl_ssl.so from that in SP 2. I believe I
    was comparing the wrong file. In fact, trying to compare versions of
    the mod_wl_ssl.so makes things rather confusing:
    A mod_wl_ssl.so from a straight weblogic610sp2_generic.zip install has
    a cksum of "1853014778 1132467".
    A mod_wl_ssl.so from a weblogic610sp1_generic.zip install with a
    subsequent SP 2 upgrade install has a cksum of "1350917183 1147927".
    A mod_wl_ssl.so from a plain 6.1 install with subsequent SP 1 and SP 2
    upgrade installs, followed by an SP 2 uninstall and another SP 1
    upgrade install, has a cksum of "1471948065 1136501".
    I think I may be looking at three different plugin versions here: 6.1,
    6.1 SP 1, and 6.1 SP 2, assuming the upgrade installs don't actually
    change mod_wl_ssl.so. I'm not sure whether there's an easier way to
    verify what version of the plugin you have.
    In any case, we did try each plugin version, and none of them works
    against a 6.1 SP 2 WebLogic server.
    Jim
    [email protected] (Jim Doyle) wrote in message news:<[email protected]>...
    [snip]
    We looked all over the WebLogic 6.1 SP 2 installation for a newer
    version of the plugin (mod_wl_ssl.so) and found the same version as SP
    1. We double-checked that it was the Linux-specific installer
    (because we'd found that some Linux libraries are missing from the
    generic installer). [snip]

  • SSL Certificate and SSL Authentication

    Hi-
    I'm hoping someone can shed some light on this issue.
    First off, is there a difference between SSL Certificate and SSL Authentication?
    I have a POP account. The Incoming port is set to 110. The Outgoing, 26. (This is according to Bluehost.com). The security settings for both incoming/outgoing are set to none. Everything works fine.
    But if I want extra security, I'll set the incoming to 995 and outgoing to 465.
    If I set the security settings to SSL, do I check "Use secure authentication", or do I have to purchase a SSL certificate to secure the authentication? This is where I'm confused. I tried asking the hosting company but they're not much help.
    Any advice would be appreciated.
    Thanks!

    Hi Imagine,
    You do not need to purchase your own SSL certificate to use secure authentication. The server handles this for you. You just need to make sure the port numbers are correct; you simply check the SSL boxes and leave authentication on Password, at least on most setups. Each host may be different, so you have to double-check with them.
    Hope That Helps,
    Eric

  • AnyConnect 3.1 and Mac OS 10.8

    We are having trouble getting Mac OS 10.8 systems to connect via AnyConnect 3.1 clients. We have not tested with anything but the 3.1 client, and when I say trouble I do not mean it cannot connect; it connects and throws up a cert error in the client. The message states "Security Warning: Untrusted VPN server certificate". Then, below that in the warning window, it states the following: "Certificate not identified for this purpose". When we go to the VPN's URL in Safari, there are no cert errors at all, only when we start the connection with the AnyConnect client. We have not yet tested with the Windows version of this AnyConnect client, but we have 1K+ Windows clients running AnyConnect 2.5.6005 that connect without issue. We know the cert is valid, so I am asking for help identifying why AnyConnect 3.1 for Mac is throwing out this security warning for our test users. Any help would be greatly appreciated.

    Hi there
    This is most likely due to:
    CSCty61472 Bug Details
    DOC: Anyconnect supports specific Extended Key Usage attributes in certs
    Symptom:
    When using certificates with the anyconnect client if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication" then the anyconnect client will reject the ASA's certificate as invalid. Similarly the client's id certificate also needs to be "client-authentication" otherwise the ASA will reject it.
    Conditions:
    Use an id certificate on the ASA that has an EKU other than "server-authentication".
    Use an id certificate on the client that has an EKU other than "client-authentication".
    Workaround:
    Generate a new ID certificate with the correct Extended Key Usage
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472
    CSCua89081 Bug Details
    DOC: specific Extended Key Usage rqrd in client certs for some 3.0 vers.
    Symptom:
    When using certificates with the anyconnect client if the client certificate doesn't have an EKU defined or very specific EKUs then the connection will be rejected.
    Conditions:
    Use an id certificate on the client that doesn't have an EKU
    Workaround:
    1. Generate a new ID certificate with the correct Extended Key Usage.
    or
    2. define an explicit cert matching policy in the client profile.
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89081
    Please verify your certificate and make sure it has valid EKU (Extended Key usage) and KU (key usage).
    HTH.
    Portu.
    Please rate any helpful posts
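Added example, not from the thread or from Cisco: a Python check of the EKU rule quoted in the bug notes above, using the third-party `cryptography` package (assumed installed). It builds five self-signed test certificates (constructed, not real ASA or client identities) and flags the ones AnyConnect 3.1 would refuse under those rules: an ASA cert whose EKU lacks serverAuth and a client cert with no EKU at all. The Key Usage part of the check (digitalSignature must be set) is this example's assumption about a usable TLS identity cert, not something the bug text specifies.

```python
"""Check identity certificates for the EKU that AnyConnect 3.1 expects."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Rule from CSCty61472 / CSCua89081: ASA identity cert needs serverAuth,
# client identity cert needs clientAuth, and a missing EKU is rejected too.
REQUIRED_EKU = {
    "asa": ExtendedKeyUsageOID.SERVER_AUTH,     # 1.3.6.1.5.5.7.3.1
    "client": ExtendedKeyUsageOID.CLIENT_AUTH,  # 1.3.6.1.5.5.7.3.2
}


def check_identity_cert(cert, role):
    """Return (ok, problems) for a certificate used by 'asa' or 'client'.

    The KU part (digitalSignature must be set) is this example's assumption
    about a usable TLS identity cert, not a rule taken from the bug text."""
    problems = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if REQUIRED_EKU[role] not in eku:
            problems.append("EKU lacks %s" % REQUIRED_EKU[role].dotted_string)
    except x509.ExtensionNotFound:
        problems.append("no EKU extension")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            problems.append("KU lacks digitalSignature")
    except x509.ExtensionNotFound:
        problems.append("no KU extension")
    return (not problems, problems)


def check_pem_file(path, role):
    """Same check for a PEM file exported from the ASA trustpoint or the client."""
    with open(path, "rb") as f:
        return check_identity_cert(x509.load_pem_x509_certificate(f.read()), role)


def make_test_cert(cn, key, eku=None, with_ku=True):
    """Self-signed throwaway certificate; eku=None omits the extension entirely."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(days=1))
               .not_valid_after(now + timedelta(days=365)))
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    if with_ku:
        builder = builder.add_extension(
            x509.KeyUsage(digital_signature=True, key_encipherment=True,
                          content_commitment=False, data_encipherment=False,
                          key_agreement=False, key_cert_sign=False, crl_sign=False,
                          encipher_only=False, decipher_only=False),
            critical=True)
    return builder.sign(key, hashes.SHA256())


KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # one key, test only


def demo():
    """Run the check over five constructed certs; returns {name: (ok, problems)}."""
    server_auth = [ExtendedKeyUsageOID.SERVER_AUTH]
    client_auth = [ExtendedKeyUsageOID.CLIENT_AUTH]
    cases = {
        "asa_serverauth": (make_test_cert("vpn.example.com", KEY, server_auth), "asa"),
        "asa_clientauth_only": (make_test_cert("vpn.example.com", KEY, client_auth), "asa"),
        "client_clientauth": (make_test_cert("alice", KEY, client_auth), "client"),
        "client_no_eku": (make_test_cert("bob", KEY, None), "client"),
        "client_no_ku": (make_test_cert("carol", KEY, client_auth, with_ku=False), "client"),
    }
    return {name: check_identity_cert(cert, role) for name, (cert, role) in cases.items()}


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print("%-20s %s" % (name, "OK" if ok else "; ".join(problems)))
```

`check_pem_file` runs the same check on a certificate exported in PEM form from the ASA trustpoint or from the client's keychain before the 3.1 rollout. A failure means reissuing the certificate from the CA with the right extensions; EKU and KU are inside the signed TBSCertificate, so they cannot be edited on an existing cert.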

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy? The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your Windows machines, and use the feature called EAP chaining for that; Windows' own supplicant won't work.
    an example (uses user/pass though, but same concept)
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • EAP-TLS User and machine authentication question

    Hello,
    I have a question regarding EAP-TLS authentication in a wireless environment. We use the Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentication. The laptop and the user can be successfully authenticated using a certificate from our internal CA. I can also check in our corporate AD if the user and machine are members of a certain group, and based on the membership I can grant access to the network.
    I can see in the ACS when the laptop logs on to the network after a reboot, but I don't see a log when the laptop comes back from hibernate mode; I guess this is normal because the laptop only sends the authentication request after rebooting.
    What I'd like to achieve is, when a user logs on, it should always be checked whether the machine was authenticated before the user can get access to the network. Is there a way to do this with EAP-TLS and an LDAP connection to Active Directory?
    Thanks in advance
    alex

    Sounds like you rather want to use PEAP/MSChapV2

  • AAA and Certificate Based VPN

    We have a pair of 5520 firewalls with a traditional setup of AAA VPN authentication on the backend. We are looking to do some proof of concepts with a certificate-based VPN and the AnyConnect client on startup.
    To set this up, I have my existing VPN profile that has AAA authentication and created a new VPN profile for certificate-based authentication. I also have the ASA set up so the user is allowed to choose which profile they want to connect to.
    However, once I create my certificate-based VPN profile, any client that doesn't have a certificate fails to connect because they don't have a valid certificate, without having the option to choose the AAA-only profile. If a machine does have a certificate, they then get the option to choose the AAA or certificate-based profile.
    Is there any way to set up the ASA to accept clients without a certificate using AAA authentication while still having the certificate-based profile enabled for doing a proof of concept?
    Thanks

    Hi CrankyMonkey, 
    The 9.4 image includes new features for SSL/TLS that might be impacting your certificate authentication.
    "Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated"
    As a workaround you can try the following cipher configuration and check if it works.
    ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA" 
    Reference link
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html
    Rate if helps.
    -Randy
