Lab Minutes Forum

Technical Discussion => Security => Topic started by: Administrator on January 21, 2024, 08:35:50 PM

Title: AnyConnect VPN Client: Duo RAVPN | SSO - Identity Certificate on behalf of Chris
Post by: Administrator on January 21, 2024, 08:35:50 PM
I generated an Enterprise CA on my domain (secops), and I'm trying to generate an identity cert for a client network so we can use Duo with FMC/FTD. Everything is working from "MY" domain-joined computer (following the Microsoft/ISE export/CSR process): I have my ACC-ROOT-CA, pasted the contents into the FTD > Add Cert Enrollment > CA Certificate|Manual page, generated a CSR, took the contents back to the CA server to sign the cert, and got the .cer with my client's certificate information (O=IT, etc.). My client gets an "authentication server failed" error, and so do I from any non-domain-joined computer. How do we create a cert such that any computer with that cert stored in the Trusted Root Certification Authorities store can pass authentication? Once that is resolved, it will all work between Duo SSO and RAVPN with FTD!
Title: Re: AnyConnect VPN Client: Duo RAVPN | SSO - Identity Certificate on behalf of Chris
Post by: MC on January 22, 2024, 08:16:33 PM
If I understand correctly, you are trying to do client cert auth on a VPN, but because the machine is not a domain computer, it does not have a cert, and you are trying to generate a cert separately and import it to the computer, but then it fails authentication. Is that correct? Have you done any debug on the FTD to see why authentication fails? Also, the client cert should be installed under Personal > Certificates and not Trusted Root Certification Authorities. Maybe the AnyConnect client couldn't locate the cert?
Title: Re: AnyConnect VPN Client: Duo RAVPN | SSO - Identity Certificate on behalf of Chris
Post by: clemish on January 23, 2024, 03:32:41 AM
I determined that using the ISE Computer/User auto-enrollment cert methodology, my domain computers authenticate with Duo SSO/SAML 2.0 no problem. Non-domain computers have the issue. Upon visiting sslshopper and entering vpn.domain.com, the certification path requires an Intermediate CA/Sub CA for this to work. I'm building the Sub CA to satisfy this requirement. It looks like the non-domain computers require both the Root CA certificate imported into Local Computer > Trusted Root Certification Authorities and the identity certificate imported into Personal > Certificates, which was completed; however, in the FMC, the process was to take the contents of the Root CA, paste it into the Manual certificate textbox and then generate a CSR from the FMC, which I thought would remove the need to import the Root CA. I'm not sure if you have any thoughts on that. I'll let you know the results after installing the Sub CA.
Title: Re: AnyConnect VPN Client: Duo RAVPN | SSO - Identity Certificate on behalf of Chris
Post by: MC on January 23, 2024, 10:45:24 PM
So are you doing client cert auth, SAML auth, or both using secondary authentication? When you enroll a cert on FTD, it forces you to install the CA cert anyway, so unless the client cert is signed by a different CA, you do not need to import it again.
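The two points above (clemish's observation that the certification path needs the Intermediate/Sub CA, and MC's note that the headend only trusts what it can chain to the CA cert it already holds) come down to one check: whether a presented client certificate can be chained to a CA the VPN headend trusts. The program below is an added example, not code from the thread or from Cisco or Duo. It builds a root CA named ACC-ROOT-CA (the name and O=IT are from the thread), an intermediate ACC-SUB-CA and an unrelated OTHER-ROOT-CA (both assumed names), issues client certificates user1/user2/user3 (assumed names) from each, and then runs the same chain validation a headend would run, with the headend trusting only ACC-ROOT-CA. The case worth noticing is user2: issued by the sub CA, it fails when the headend has only the root and only passes once the sub CA certificate is available as an intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a parsed certificate with its private key so it can sign children.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for cn. With parent == nil it is self-signed (a root CA);
// otherwise it is signed by parent. CA certs get the cert-signing key usage; leaf certs
// get the client-authentication EKU a VPN headend expects from an AnyConnect client.
func newCert(cn string, isCA bool, parent *certKey) (*certKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"IT"}}, // O=IT as in the thread
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certKey{cert: cert, key: key}, nil
}

// chainValidates models the headend's check of a presented client certificate: the leaf
// must chain to a trusted root using only the intermediates the headend has been given
// (installed on the headend or sent by the client in the handshake).
func chainValidates(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// results records whether each scenario's chain validated (true) or was rejected (false).
type results struct {
	LeafFromRootWithRoot bool // user1 issued by ACC-ROOT-CA; headend trusts that root
	LeafFromSubRootOnly  bool // user2 issued by ACC-SUB-CA; headend has the root but no sub CA cert
	LeafFromSubWithSub   bool // user2 again, with the sub CA cert available as an intermediate
	LeafFromOtherCA      bool // user3 issued by an unrelated CA; headend still trusts only ACC-ROOT-CA
}

func runScenarios() (results, error) {
	var r results
	var err error
	issue := func(cn string, ca bool, parent *certKey) *certKey { // stops at the first error
		if err != nil {
			return nil
		}
		var c *certKey
		c, err = newCert(cn, ca, parent)
		return c
	}
	root := issue("ACC-ROOT-CA", true, nil)
	sub := issue("ACC-SUB-CA", true, root)
	other := issue("OTHER-ROOT-CA", true, nil)
	user1 := issue("user1", false, root)
	user2 := issue("user2", false, sub)
	user3 := issue("user3", false, other)
	if err != nil {
		return r, err
	}
	trusted := []*x509.Certificate{root.cert} // the one CA cert enrolled on the headend
	r.LeafFromRootWithRoot = chainValidates(user1.cert, trusted, nil)
	r.LeafFromSubRootOnly = chainValidates(user2.cert, trusted, nil)
	r.LeafFromSubWithSub = chainValidates(user2.cert, trusted, []*x509.Certificate{sub.cert})
	r.LeafFromOtherCA = chainValidates(user3.cert, trusted, []*x509.Certificate{sub.cert})
	return r, nil
}

func main() {
	r, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The same check from a shell, with the files exported from the CA, is `openssl verify -CAfile root.pem -untrusted sub.pem client.pem`: if it only passes with `-untrusted sub.pem`, the sub CA certificate has to be present wherever the chain is built, either installed on the headend alongside the root or in the client's Intermediate Certification Authorities store so AnyConnect can send it.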