To accomplish AnyConnect authentication using certificates, the AnyConnect client must obtain a valid certificate from the CA server. At the same time, the ASA must have the CA root certificate installed so that it can properly validate the certificate of the connecting client.
1-) Make sure you have an AnyConnect image applied in the ASA firewall:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software
Click the Add button, and browse the flash for the proper image (optionally you can upload the client from the local PC).

2-) Enable AnyConnect on the outside interface:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Check the box “Enable Cisco AnyConnect VPN Client or legacy SSL Client”
Then select the interface to which the AnyConnect clients will connect (in this example the outside interface).

The “Allow user to select connection profile” check box allows the AnyConnect user to select the group they will connect to.

3-) Create a new AnyConnect connection profile:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Click the Add button, the “AnyConnect connection profile” window will open.
Give the connection profile a name and optionally a group alias.
Click the “Select” button next to the “Client Address Pools” option.
The “Select Address Pools” window will appear.
Click the “Add” button in order to create a new pool of addresses.

4-) Create a Group-policy:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Click the “Manage” button next to the “Group Policy” option in the connection profile.
Click the “Add” button in order to create the new policy.
Give the policy a name (in this example “AnyConnect-Policy”) and check the “Clientless SSL VPN” and “SSL VPN Client” boxes, then click the “OK” button.

The AnyConnect group has been created at this point.

5-) Install the CA certificate in the ASA:
The CA certificate must be downloaded from the CA server and installed in the ASA.
Complete these steps in order to download the CA certificate from the CA server.
Log in to the web interface of the CA server (CA-server) using the credentials supplied to the VPN server.

Click “Download a CA certificate, certificate chain or CRL” to open the download window. Click the Base 64 radio button as the encoding method, and click “Download CA certificate”.

Save the CA certificate with the certnew.cer name on your computer.

Go to Configuration > Remote Access VPN > Certificate Management > CA Certificates in the ASA firewall.
Click on the “Add” button, the “Install Certificate” window will open.
Click the “Browse” button next to the “Install from a file” option.
Browse to the location where you saved the CA certificate, highlight the CA certificate and click on the “Install” button.

At this point the CA certificate is installed in the ASA firewall, and the ASA will be able to validate connecting users whose certificates were issued by the same CA server.

6-) Go back to the AnyConnect connection profiles and change the profile to use certificate authentication:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Highlight the “AnyConnect-group” profile and click the “Edit” button.
The “Edit AnyConnect Connection Profile” window will open; there you can set the authentication method to “Certificate”.

Click the “OK” button and then click “Apply”
(Remember to save the configuration performed)

7-) The next step is to install the certificate on the AnyConnect client PC:
The user will need to log in to the CA server with their credentials.

Once in the CA server, the user will need to click the “Request a certificate” option.

The user will want to select the “User Certificate” option.

At this point the CA server will provide the user certificate to be installed.

Once the certificate is installed, the user will be able to connect with the AnyConnect client, authenticating with the previously installed certificate
(no username and password required).
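
The trust decision behind steps 5 and 7, reproduced offline with the OpenSSL command line as an added example (not part of the original guide and not ASA configuration): a client certificate is accepted only if it chains to the installed CA certificate. All certificates are constructed lab stand-ins; lab.cnf, other-ca, alice and outsider are hypothetical names, and only the certnew.cer file name comes from the guide.

```bash
#!/usr/bin/env bash
# Added example: every certificate here is constructed lab material.
set -eu
LAB=$(mktemp -d) && cd "$LAB"
trap 'rm -rf "$LAB"' EXIT

# Minimal OpenSSL config so the lab roots carry basicConstraints CA:TRUE.
cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {   # make_ca NAME -> NAME.cer (Base 64) and NAME.key
    openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.cer" 2>/dev/null
}
make_user() { # make_user CA NAME -> NAME.cer issued by CA
    openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.cer" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.cer" 2>/dev/null
}

# The checks themselves: point these at the real files from steps 5 and 7.
is_base64_cert() { # PEM ("Base 64") encoded and parses as X.509
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -in "$1" -noout 2>/dev/null
}
is_ca_cert() {     # certificate asserts CA:TRUE
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
chains_to() {      # chains_to CA_FILE CERT_FILE
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca certnew; make_ca other-ca
make_user certnew alice; make_user other-ca outsider
is_base64_cert certnew.cer && is_ca_cert certnew.cer && echo "certnew.cer: Base 64 CA cert"
openssl x509 -in certnew.cer -noout -subject -fingerprint -sha256
chains_to certnew.cer alice.cer    && echo "alice.cer: chains to certnew.cer"
chains_to certnew.cer outsider.cer || echo "outsider.cer: rejected, different CA"
```

Because every certificate issued by the installed CA passes this check, confirm the subject and SHA-256 fingerprint of the real certnew.cer with the CA administrator before installing it on the ASA.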
