collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: AnyConnect VPN Client: Duo RAVPN | SSO - Identity Certificate on behalf of Chris  (Read 52712 times)

Offline Administrator

  • Administrator
  • Cisco King
  • *****
  • Posts: 61
  • Reputation: 1000
  • Certification: N/A
I generated an Enterprise CA on my domain (secops), and I'm trying to generate an identity cert for a client network so we can use Duo with FMC/FTD. Everything is working from "MY" domain joined computer (following the Microsoft/ISE export/CSR process), I have my ACC-ROOT-CA, pasted the contents into the FTD > Add Cert Enrollment > CA Certificate|Manual page, generated CSR, took the contents and back to the CA server to sign the cert, getting the .cer with my client's certificate information (O=IT, etc). My client gets an authentication server failed and so do I from any non-domain joined computer. How do we create a cert such that any computer with that cert stored in the Trusted Root Cert Authority can pass authentication? Once that is resolved, it will all work b/t Duo SSO and RAVPN with FTD!

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
If I understand correctly, you are trying to do client cert auth on a VPN but because the machine is not domain computer, it does not have a cert and you are trying to generate a cert separately and import it to the computer but then it fails authentication. Is that correct? Have you done any debug on the FTD to see why authentication fails? Also, client cert should be installed under Personal > Cert folder and not Trusted Root Cert. May be AnyConnect client couldn't locate the cert?

Offline clemish

  • Cisco Newbie
  • *
  • Posts: 3
  • Reputation: 0
  • Certification: CCNP
I determined that using the ISE Computer/User auto-enrollment cert methodology, my domain computers authenticate with Duo SSO/SAML 2.0 no problem. Non-domain computers have the issue.  Upon visiting sslshopper, entering vpn.domain.com the certification path requires an Intermediate CA/Sub CA for this to work.  I'm building the Sub CA to satisfy this requirement.  It looks like the non-domain computers require both the Root CA certificate imported into the Local Computer > Trusted Root Certification Authority and the Identity certificate is imported into Personal > Certificates which was completed, however, in the FMC, the process was to take the contents of the Root CA paste into the Manual certificate textbox and then generate a CSR from the FMC, which I thought would remove the need to import the Root CA.  I'm not sure if you have any thoughts on that.  I'll let you know the results after installing the Sub CA.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
So are you doing client cert auth or SAML auth or both using secondary authentication? When you enroll a cert on FTD, it forces you to install CA cert anyway, so unless client cert is signed by a different CA, you do not need to import it again.

 

Related Topics

  Subject / Started by Replies Last post
0 Replies
22506 Views
Last post December 14, 2013, 09:08:00 AM
by Administrator
1 Replies
27331 Views
Last post January 23, 2017, 08:38:38 PM
by MC
1 Replies
34272 Views
Last post April 18, 2017, 10:14:30 PM
by MC
1 Replies
106910 Views
Last post March 18, 2024, 07:49:26 PM
by MC
1 Replies
9264 Views
Last post October 15, 2024, 08:15:19 PM
by MC

SimplePortal 2.3.7 © 2008-2024, SimplePortal