Cisco ASA Anyconnect Local CA

This topic is to discuss the following lesson:

Hello Rene, first of all congratulations on your lessons. I have read many of them and I have liked them all.
Now I have two questions regarding this lesson:

1. Is it mandatory to create/configure the AnyConnect connection first, before creating the Local CA server, as you mentioned in the beginning?
2. After the export from the PC and the import into the Cisco ASA, do I have to repeat that procedure (export from PC and import into ASA) for every PC or device that I have to connect?


Thank you in advance

Hi Hector,

It’s not mandatory, you could configure the local CA first. The configuration for anyconnect is pretty much the same so that’s why I referred to the previous example.

The certificate that we exported to the computer and then back to the ASA is something you only have to do once…the ASA will present this certificate to the user so that the user can authenticate the ASA.

User certificates are easier to enroll. They can fetch them using their web browser.

Rene

Hi Rene

Does “Cisco ASA Anyconnect Local CA” mean the ASA acts as a CA?
I don’t want a group (in your example SSL_USERS), meaning users do not have a choice to select a group from the combo box called Groups. I think if I don’t need the groups I really don’t need this part: "tunnel-group MY_TUNNEL webvpn-attributes".

In that case, how do I enable double authentication, like username (LDAP) and certificate?

If I am using a self-signed certificate, is the double authentication part the same? How do I generate certificates for the end users if I am using a self-signed certificate on the ASA?

Thanks

Hi Sims,

That’s right, the ASA is the CA that creates certificates here. Although it works, I think it’s a better idea to use an external CA for your certificates.

The following command allows users to select a group:

ASA1(config)# webvpn
ASA1(config-webvpn)# tunnel-group-list enable 

If you remove it, users shouldn’t be able to get that option anymore.

Rene

Hi Rene,

I followed your instructions. It works great. Thank you.

But in my real job, I am trying to use a Microsoft server as an external CA. I find it very difficult to implement. I spent 3 days but could not succeed.

I wonder if you have suggestions for me or could you show me a link that works.

Thanks

Loc

Hi Loc,

Microsoft CA servers can be difficult to work with. I don’t have an exact example for the ASA. The only time I wrote something about Microsoft CA is when I did an example about a Wireless LAN controller where we use certificates for end users:

https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Since the local CA feature is deprecated and unavailable since ASA 9.12, I’m testing with a public CA instead. As I couldn’t find a topic related to Cisco ASA AnyConnect with a public CA, please allow me to ask the questions here.

During the setup, one thing has been confusing me.
While creating the trustpoint to initiate the CSR, I need to specify the FQDN, like in the following example.

crypto ca trustpoint SSL-Trustpoint
 enrollment terminal
 fqdn vpn.test.com
 ! vpn.test.com is just an example
 subject-name CN=vpn.test.com,OU=IT,O=test
 keypair SSL-Keypair

After receiving the certificate from the CA and assigning the trustpoint to the OUTSIDE interface (100.1.1.1):
ssl trust-point SSL-Trustpoint OUTSIDE

When I check https://vpn.test.com, the certificate is valid.
Also, when I enter vpn.test.com in the Cisco AnyConnect client, it establishes the connection and prompts for the login.
What I don’t understand is how vpn.test.com is being resolved to the corresponding IP address (100.1.1.1), as I don’t have any relevant record in my DNS server.
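An added check for the trustpoint configuration quoted in this post (example code written for this edit, not part of the original thread and not a Cisco tool). It parses the trustpoint block and the `ssl trust-point` binding with the Python standard library, verifies that the `fqdn`, the subject CN and the name users type into the AnyConnect client agree, and shows one non-DNS place a client machine can get a name-to-address mapping from: its local hosts file. The configuration text (indentation normalized) and the hosts-file entry are constructed from the values in the post (vpn.test.com, 100.1.1.1); the hosts-file entry is an assumption used for illustration, not a diagnosis of the poster's setup.

```python
import re

# Constructed from the trustpoint commands in the post (indentation normalized);
# the FQDN and interface are the poster's example values, not a real deployment.
ASA_CONFIG = """\
crypto ca trustpoint SSL-Trustpoint
 enrollment terminal
 fqdn vpn.test.com
 subject-name CN=vpn.test.com,OU=IT,O=test
 keypair SSL-Keypair
ssl trust-point SSL-Trustpoint OUTSIDE
"""

# Constructed sample of a client-side hosts file: an assumption about how a name
# might resolve without any DNS record, not something taken from the post.
HOSTS_FILE = """\
# hypothetical client hosts file
127.0.0.1   localhost
100.1.1.1   vpn.test.com vpn
"""


def parse_dn(dn):
    """Split 'CN=vpn.test.com,OU=IT,O=test' into {'CN': ..., 'OU': ..., 'O': ...}."""
    parts = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts[attr.strip().upper()] = value.strip()
    return parts


def parse_trustpoints(config):
    """Return {name: {subcommand: value}} for every 'crypto ca trustpoint' block.

    Sub-commands are the indented lines after the header; a line at column 0
    ends the block. 'subject-name' is parsed into a dict stored under 'subject'.
    """
    trustpoints = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = re.match(r"crypto ca trustpoint (\S+)$", line, re.IGNORECASE)
        if header:
            current = trustpoints.setdefault(header.group(1), {})
            continue
        if not raw.startswith(" "):  # back at global configuration level
            current = None
            continue
        if current is None:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "subject-name":
            current["subject"] = parse_dn(value)
        else:
            current[key] = value
    return trustpoints


def parse_ssl_bindings(config):
    """Return {interface: trustpoint} from 'ssl trust-point <tp> [<interface>]' lines."""
    bindings = {}
    for line in config.splitlines():
        m = re.match(r"\s*ssl trust-point (\S+)(?: (\S+))?$", line, re.IGNORECASE)
        if m:
            bindings[m.group(2) or "<default>"] = m.group(1)
    return bindings


def lint(config, client_hostname):
    """Return findings for the name users type into the AnyConnect client.

    An empty list means every bound trustpoint exists, its fqdn and subject CN
    agree, and the client hostname is one of those names.
    """
    findings = []
    trustpoints = parse_trustpoints(config)
    for iface, tp_name in parse_ssl_bindings(config).items():
        tp = trustpoints.get(tp_name)
        if tp is None:
            findings.append(f"{iface}: ssl trust-point {tp_name} is not defined")
            continue
        cn = tp.get("subject", {}).get("CN")
        fqdn = tp.get("fqdn")
        if fqdn is None:
            findings.append(f"{tp_name}: no fqdn configured")
        if cn and fqdn and cn.lower() != fqdn.lower():
            findings.append(f"{tp_name}: CN {cn} differs from fqdn {fqdn}")
        if client_hostname.lower() not in {n.lower() for n in (cn, fqdn) if n}:
            findings.append(f"{tp_name}: {client_hostname} is not a name in this trustpoint")
    return findings


def resolve_from_hosts(hosts_text, name):
    """Return the address a hosts file maps 'name' to, or None if it has no entry."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            return fields[0]
    return None


if __name__ == "__main__":
    print("findings:", lint(ASA_CONFIG, "vpn.test.com") or "none")
    print("hosts file maps vpn.test.com to", resolve_from_hosts(HOSTS_FILE, "vpn.test.com"))
```

The name entered in the AnyConnect client is resolved by the client machine's own resolver, not by the ASA, so when a name works without a DNS record the place to look is the client (hosts file, DNS suffix search list, cached answers) rather than the ASA configuration; the ASA only has to present a certificate whose names match what the client connected to.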

Hello Po

Hmm, that’s interesting. Are you sure that there is no DNS configured? Is there any public DNS configured that may be used for DNS resolution? I suggest you take a look at the config and let us know, and we can help you troubleshoot further.

I hope this has been helpful!

Laz