![]() ![]() In the former case, the iOS device didn't send the intermediate certificate(s). p12 file in browser/email, for example - this turns the cert into an iOS "profile") the certificate handling at connection time was entirely different than if you'd imported the certificate using An圜onnect on the client. I've seen some funny business on iOS where the behavior changes depending on how you import the certificate: If you import the certificate using the OS certificate handler (clicking on a link to a. Was the client's certificate issued by the root CA, or by an intermediate? It sounds like you're failing the "ASA authenticates the client" side of things, rather than the other way around, right? You didn't mention what OS was on the client device (Windows/Android/iOS/Chrome?) Group-policy GroupPolicy_xx-vpn attributesĭefault-domain value .ukĪnyconnect profiles value xx-vpn type userĪnyconnect profiles value o type websecurity Here's a snippet of my config: ssl trust-point xxxxxwildcard outsideĪnyconnect image disk0:/anyconnect-win-5-k9.pkg 1Īnyconnect profiles xx-vpn disk0:/xx-vpn.xmlĪnyconnect profiles xx-websecurity disk0:/pĪnyconnect profiles o disk0:/o The firewall has a real wildcard certificate on the outside, and the CA certificate is also installed on the device. I've checked the certificate and those properties are present. I did read somewhere that there was a change at some point and the newer client requires the user certificate to have EKU Client Authentication and KU Digital Signature and Key Encipherment. If I use An圜onnect client 4.2 as installed on the firewall, the client lets me select the certificate, and then tells me no valid certificates are available. If I use An圜onnect client 3.0, I select the certificate and the VPN establishes correctly, and it all works as it should. When launching the VPN, I am prompted to select which certificate to use. For testing I've disabled automatic certificate selection. I've configured the An圜onnect profile and assigned it to the group policy. ![]() #Anyconnect vpn certificate validation failure windowsThe user certificates are issued by a Windows 2012 R2 server. I've configured an An圜onnect VPN on the device and configured it to use Certificate authentication. I have an ASA 5515-X running 9.5(2)2 and An圜onnect 5. I'm at a loss with this problem and even TAC are struggling to provide me with an answer so I'm hoping one of you has dealt with this problem before. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |