Cisco anyconnect no valid certificates available for authentication windows 10

If you are facing “Cisco AnyConnect Certificate Validation Failure” problem while trying to connect on the AnyConnect Client, then you are in right place. Here, we are discussing on “How to fix AnyConnect Certificate error” in details and providing some recommended methods to fix this error. Let’s starts the discussion.

What is Cisco AnyConnect?

“Cisco AnyConnect” is proprietary application that lets users connect to VPN service. Many universities use this application as part of service they pay for from Cisco that’s why public institutions unnecessarily rely on this closed-source software for their own students. This doesn’t just amount to handling control to a private corporation, thereby privatizing public money. This software also provide extra security layer to reduce potentially unwanted attacks and privacy vulnerability.

Cisco AnyConnect is unified endpoint agent that delivers multiple security services to protect the enterprise. Its wide range of security services includes functions such as remote access, posture enforcement, web security features, and roaming protection. It gives all the security features for IT department to provide a robust, user-friendly, and highly secure mobile experience as well.

Cisco AnyConnect security mobility client is modular endpoint software product that not only provides VPN access via SSL (Secure Socket Layer) and IPsec IKEv2 but also offers improved security via various built-in modules including compliance through VPN and ASA or through wired /wireless, and VPN with Cisco identity Services Engine (ISE), Off-network roaming protection with Cisco Umbrella.

Since, Cisco has been a long-term target of NSA spying program. It also doesn’t work well on Linux. There is nothing wrong with supporting free and open source solutions like OpenVPN which are used by numerous users worldwide. Linux, iOS, Windows, MacOS and Android OS are some of the popular tools that integrate with Cisco Anyconnect.

Cisco AnyConnect Review: Features

• Mobile Device Support: AnyConnect services can be delayed on most popular devices used by today’s diverse workforce. Administrators need to support end-user productivity by providing personal mobile devices with remote access to the computer network.
• Off-Network Protection (DNS Layer Security): Cisco AnyConnect protects devices when they are off the corporate network. The Umbrella roaming enforces security at DNS layer to protect against malware, phishing and Command -and-Control callbacks over any protocol whether you turn Off the VPN or forgot to turn it on.
• Web security: Cisco AnyConnect has in-built web security feature based on cloud web security. Combining web security with VPN access, administrators can provide comprehensive, high security mobility to all end users.
• Network Visibility: Cisco AnyConnect network visibility module on MacOS, Windows OS, Linux and Samsung Knox-enabled devices gives administrators the ability to monitor endpoint application usage to uncover potential behavior anomalies and to make more informed network designed decisions.

What is “Cisco AnyConnect Certificate Validation Failure” Error on Windows?

“AnyConnect Certificate error” is common error reported by numerous users on Cisco official forum site or other popular platforms and asked for the solution. Users explained on Cisco Community website that the error appears when they run their own CA that gives out the client certificates for our users as well as the identity certificate for ASA, and in order to click on “Connect” on AnyConnect Client, their client receives “No Valid Certificates available for authentication” message.

Furthermore, he also created a DART bundle and in there I can see that the certificate is selected from the “Microsoft Store”, but after that he receive several errors regarding SCHANNEL. Then, he tried another certificate authentication and finds no certificates followed by “Cisco AnyConnect Certificate Validation Failure” Error.

Certificate Validation Failure Error States:

When we talk about “Anyconect Certificate validation Failure error”, it explained that it can’t verify the VPN server which is to be expected since it uses the self-signed certificate, but if they connect anyway, then they receive the certification selection and the login works fine. It means username & password for login is taken from the certificate.

[Tips & Tricks] How to fix Cisco AnyConnect Certificate Validation Failure Problem?

Procedure 1: Repair the Installation

Step 1: Click on “Start” button and type “Control Panel” in Windows search and open “Control Panel”

Step 2: In the opened “Control Panel”, choose “Uninstall a program” and find “Cisco AnyConnect VPN” client and choose “Repair”

Step 3: Follow On-Screen instructions to finish the repairing process. Once done, restart your computer and please check if the problem is resolved.

Procedure 2: Allow VPN to freely communicate through Firewall

Step 1: Click on “Start” button and type “Allow an App” in Windows Search and open “Allow an App through Windows Firewall”

Step 2: Now, click on “Change Settings”

Step 3: Make sure that “Cisco VPN” is on the list and it’s allowed to communicate through Windows Firewall. If not, click “Allow another App” and add it

Step 4: Check both “Private” and “Publicrong” > Network boxes

Step 5: Confirm changes and open Cisco VPN

Procedure 3: Check Virtual Adapter driver in Device Manger and update it  

Step 1: Press “Windows + X” key from keyboard and select “Device Manager”

Step 2: In the opened “Device Manager” window, locate and expand “Network Adapters”

Step 3: Right-click on Virtual Adapter and select “Update driver software”

Step 4: Follow On-Screen instructions to finish the updating process.

Step 5: Once done, restart your computer and please check if the problem is resolved.

Procedure 4: Tweak Registry and Repair Cisco VPN

Step 1: Press “Windows + R” keys together from keyboard and type “regedit” in “Run Dialog Box” and then hit “Ok” button

Step 2: In the opened “Registry Editor” window, navigate to “HKEY_LOCAL_MACHINE/SYSTEM/Current/Control/SetServices/CVirtA”

Step 3: Right-click on the “DisplayName” registry entry and choose “Modify”

Step 4: Under “Value Data” section, make sure that the only body of text which stands is Cisco System VPN Adapter

Step 5: Save the changes and try running Cisco AnyConnect VPN again.

Procedure 5: Update the AnyConnect

Step 1: Go to “ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software”

Step 2: You can either replace the existing the image or add a new one.

Step 3: After that, connect to the ASA. The client will be updated automatically.

Procedure 6: Create Trustpoints for each certificate being installed

Step 1: Open the “Cisco ASDM”

Step 2: Under “Remote Access VPN” window pane, click on “Configuration” tab and expand “Certificate Management” and click on “CA Certificates”

Step 3: Click on “Add” button

Step 4: Assign a “TrustPoint Name” to the certificate like “DigiCertCA2” and select “Install from the file” Radio button and browse to “DigiCertCA2.crt”, then click on “Install Certificate”. Repeat this process of adding new trustpoint and installing certificate file for “DigiCertCA.crt”

Step 5: Under “Remote Access VPN”, expand “Certificate Management” to “Identify Certificates”. Select the identity you created for the CSR with “Expiry Data” and click on “Install > Install Certificate”

Step 6: The Certificate now needs to be enabled. To do so, click on “Advanced > SSL Settings > Edit > Primary Enrolled Certificate” and select your certificate and then click on “Ok”

Step 7: ASDM will then show your Certificate details under trustpoint

Procedure 7: Perform Clean Reinstallation

Step 1: Navigate to “Control Panel” and choose “Uninstall a program”

Step 2: Uninstall “Cisco AnyConnect VPN Client”

Step 3: Navigate to System partition and delete everything Cisco-related from programs folder

Step 4: Once uninstalled completely, restart your computer

Step 5: After that, download latest version of “Cisco AnyConnect” from “Cisco official website”

Step 6: Double-click on installer file and follow on-screen instructions to finish the installation.

Step 7: Once installed, restart your computer again and please check if the AnyConnect Certificate error is resolved.

Conclusion

Cisco AnyConnect is VPN service that offers Standard VPN encryption and protection. When we talk about AnyConnect Secure Mobility Client, it is modular endpoint software product. It not only provides Virtual Private Network (VPN) access through Secure Sockets layer (SSL) and Internet Protocol Security (IPsec) Internet Key Exchange version2 (IKEv2), but also offers enhanced security through various built-in modules.

I am sure this article helped you to “Fix Cisco AnyConnect Certificate Validation Failure Windows 10” with several easy methods/procedures. You can choose/follow either one or all procedures to fix this issue.

If you are unable to fix Cisco AnyConnect Certificate Validation Failure problem with the solutions mentioned above, then it might possible that your System has infected with malware or viruses. According to security researchers, malware or viruses cause several damages in your computer.

In this case, you can scan your computer with powerful antivirus software that has the ability to delete all types of malware or viruses from System.

Pulling my hair out on this one — user with Windows 10 v1607 (build 14393.693) and Cisco AnyConnect v4.2.04039. Originally, worked fine with two remote sites. Now, will not connect at all to either ASA.

• Error message is consistent for both sites. (Different companies)

• Both sites do NOT use Certificate Authentication.

• Attempted to reinstall/update AnyConnect without success.

There seems to be a myriad of «root causes,» for this error online. However, I’ve tried the reinstall, copy over files from a working instance, etc. etc.

The most likely scenario was that it was installed as Administrator and needed those privileges to access the certificate store. Launching as Administrator did not help, and, frankly, I’m not certain WHICH certificate is missing/broken. Also, since these are NOT using Certificate Authentication, I’m not sure where this is breaking down in the process. Why would the client cert failure stop connection, entirely?

Need an AnyConnect expert as this is beginning to drive me crazy. How do I fix this? Can I «reinstall,» a certificate which seems to represent the client in the negotiation? And, since these are different sites, entirely, it isn’t easy to get to the ASA logs themselves for troubleshooting.

Can anyone point me in the right direction?

Cisco anyconnect no valid certificates available for authentication windows 10

Этот форум закрыт. Спасибо за участие!

Спрашивающий

Вопрос

После апгрейда с Windows 7 до Windows 8 я, как и многие другие пользователи, столкнулся с проблемой подключения к офису через Cisco VPN Client. В моём случае под Windows 7 был установлен Cisco AnyConnect 2.5.6005, который работал без нареканий.

После апгрейда система сообщила, что AnyConnect требуется переустановить, но переустановка мне не помогла. Возникала ошибка Failed to enable Virtual Adapter. Симптомы были схожими, как описано в статье

Я всё же не стал ничего ковырять в системе и решил просто скачать последнюю версию Cisco AnyConnect c сайта cisco.com. На данный момент последняя версия 3.1.01065.

Но тут возникли другие проблемы. Cisco AnyConnect не видит SSL сертификат VPN сервера, настроенного на Cisco ASA 5510. Выдаёт следующее сообщение «No valid certificates available for authentication».

Сертификат для Cisco ASA 5510 выдавался нашим корпоративным центром сертификации по шаблону «WebServer». Этот сертификат, а также сертификат самого центра сертификации я импортировал в Доверенные корневые центры сертификации через консоль certmgr.msc. В списке сертификатов я их вижу и оба они действительные.

Есть предположение, что Cisco AnyConnect смотрит сертификаты через свойства обозревателя и, не обнаруживая его там, выдаёт ошибку «No valid certificates available for authentication». Хотя повторюсь, что на Windows 7 никаких проблем с сертификатами не было.

Как заставить Cisco AnyConnect всё таки увидить сертификат?

Тот же самый вопрос, который я задавал сначала там

Источник

Cisco anyconnect no valid certificates available for authentication windows 10

If you are facing “Cisco AnyConnect Certificate Validation Failure” problem while trying to connect on the AnyConnect Client, then you are in right place. Here, we are discussing on “ How to fix AnyConnect Certificate error ” in details and providing some recommended methods to fix this error. Let’s starts the discussion.

What is Cisco AnyConnect?

“Cisco AnyConnect” is proprietary application that lets users connect to VPN service. Many universities use this application as part of service they pay for from Cisco that’s why public institutions unnecessarily rely on this closed-source software for their own students. This doesn’t just amount to handling control to a private corporation, thereby privatizing public money. This software also provide extra security layer to reduce potentially unwanted attacks and privacy vulnerability.

Cisco AnyConnect is unified endpoint agent that delivers multiple security services to protect the enterprise. Its wide range of security services includes functions such as remote access, posture enforcement, web security features, and roaming protection. It gives all the security features for IT department to provide a robust, user-friendly, and highly secure mobile experience as well.

Cisco AnyConnect security mobility client is modular endpoint software product that not only provides VPN access via SSL (Secure Socket Layer) and IPsec IKEv2 but also offers improved security via various built-in modules including compliance through VPN and ASA or through wired /wireless, and VPN with Cisco identity Services Engine (ISE), Off-network roaming protection with Cisco Umbrella.

Since, Cisco has been a long-term target of NSA spying program. It also doesn’t work well on Linux. There is nothing wrong with supporting free and open source solutions like OpenVPN which are used by numerous users worldwide. Linux, iOS, Windows, MacOS and Android OS are some of the popular tools that integrate with Cisco Anyconnect.

Cisco AnyConnect Review: Features

What is “Cisco AnyConnect Certificate Validation Failure” Error on Windows?

“AnyConnect Certificate error” is common error reported by numerous users on Cisco official forum site or other popular platforms and asked for the solution. Users explained on Cisco Community website that the error appears when they run their own CA that gives out the client certificates for our users as well as the identity certificate for ASA, and in order to click on “Connect” on AnyConnect Client, their client receives “No Valid Certificates available for authentication” message.

Furthermore, he also created a DART bundle and in there I can see that the certificate is selected from the “Microsoft Store”, but after that he receive several errors regarding SCHANNEL. Then, he tried another certificate authentication and finds no certificates followed by “Cisco AnyConnect Certificate Validation Failure” Error.

Certificate Validation Failure Error States:

When we talk about “Anyconect Certificate validation Failure error”, it explained that it can’t verify the VPN server which is to be expected since it uses the self-signed certificate, but if they connect anyway, then they receive the certification selection and the login works fine. It means username & password for login is taken from the certificate.

[Tips & Tricks] How to fix Cisco AnyConnect Certificate Validation Failure Problem?

Procedure 1: Repair the Installation

Step 1: Click on “Start” button and type “Control Panel” in Windows search and open “Control Panel”

Step 2: In the opened “Control Panel”, choose “Uninstall a program” and find “Cisco AnyConnect VPN” client and choose “Repair”

Step 3: Follow On-Screen instructions to finish the repairing process. Once done, restart your computer and please check if the problem is resolved.

Procedure 2: Allow VPN to freely communicate through Firewall

Step 1: Click on “Start” button and type “Allow an App” in Windows Search and open “Allow an App through Windows Firewall”

Step 2: Now, click on “Change Settings”

Step 3: Make sure that “Cisco VPN” is on the list and it’s allowed to communicate through Windows Firewall. If not, click “Allow another App” and add it

Step 4: Check both “Private” and “Publicrong” > Network boxes

Step 5: Confirm changes and open Cisco VPN

Procedure 3: Check Virtual Adapter driver in Device Manger and update it

Step 1: Press “Windows + X” key from keyboard and select “Device Manager”

Step 2: In the opened “Device Manager” window, locate and expand “Network Adapters”

Step 3: Right-click on Virtual Adapter and select “Update driver software”

Step 4: Follow On-Screen instructions to finish the updating process.

Step 5: Once done, restart your computer and please check if the problem is resolved.

Procedure 4: Tweak Registry and Repair Cisco VPN

Step 1: Press “Windows + R” keys together from keyboard and type “regedit” in “Run Dialog Box” and then hit “Ok” button

Step 2: In the opened “Registry Editor” window, navigate to “HKEY_LOCAL_MACHINE/SYSTEM/Current/Control/SetServices/CVirtA”

Step 3: Right-click on the “DisplayName” registry entry and choose “Modify”

Step 4: Under “Value Data” section, make sure that the only body of text which stands is Cisco System VPN Adapter

Step 5: Save the changes and try running Cisco AnyConnect VPN again.

Procedure 5: Update the AnyConnect

Step 1: Go to “ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software”

Step 2: You can either replace the existing the image or add a new one.

Step 3: After that, connect to the ASA. The client will be updated automatically.

Procedure 6: Create Trustpoints for each certificate being installed

Step 1: Open the “Cisco ASDM”

Step 2: Under “Remote Access VPN” window pane, click on “Configuration” tab and expand “Certificate Management” and click on “CA Certificates”

Step 3: Click on “Add” button

Step 4: Assign a “TrustPoint Name” to the certificate like “DigiCertCA2” and select “Install from the file” Radio button and browse to “DigiCertCA2.crt”, then click on “Install Certificate”. Repeat this process of adding new trustpoint and installing certificate file for “DigiCertCA.crt”

Step 5: Under “Remote Access VPN”, expand “Certificate Management” to “Identify Certificates”. Select the identity you created for the CSR with “Expiry Data” and click on “Install > Install Certificate”

Step 6: The Certificate now needs to be enabled. To do so, click on “Advanced > SSL Settings > Edit > Primary Enrolled Certificate” and select your certificate and then click on “Ok”

Step 7: ASDM will then show your Certificate details under trustpoint

Procedure 7: Perform Clean Reinstallation

Step 1: Navigate to “Control Panel” and choose “Uninstall a program”

Step 2: Uninstall “Cisco AnyConnect VPN Client”

Step 3: Navigate to System partition and delete everything Cisco-related from programs folder

Step 4: Once uninstalled completely, restart your computer

Step 5: After that, download latest version of “Cisco AnyConnect” from “Cisco official website”

Step 6: Double-click on installer file and follow on-screen instructions to finish the installation.

Step 7: Once installed, restart your computer again and please check if the AnyConnect Certificate error is resolved.

Conclusion

Cisco AnyConnect is VPN service that offers Standard VPN encryption and protection. When we talk about AnyConnect Secure Mobility Client, it is modular endpoint software product. It not only provides Virtual Private Network (VPN) access through Secure Sockets layer (SSL) and Internet Protocol Security (IPsec) Internet Key Exchange version2 (IKEv2), but also offers enhanced security through various built-in modules.

I am sure this article helped you to “Fix Cisco AnyConnect Certificate Validation Failure Windows 10” with several easy methods/procedures. You can choose/follow either one or all procedures to fix this issue.

If you are unable to fix Cisco AnyConnect Certificate Validation Failure problem with the solutions mentioned above, then it might possible that your System has infected with malware or viruses. According to security researchers, malware or viruses cause several damages in your computer.

In this case, you can scan your computer with powerful antivirus software that has the ability to delete all types of malware or viruses from System.

Источник

Руководство по настройке проверки подлинности ASA AnyConnect с проверкой, сопоставлением и предварительным заполнением сертификата

Параметры загрузки

Об этом переводе

Этот документ был переведен Cisco с помощью машинного перевода, при ограниченном участии переводчика, чтобы сделать материалы и ресурсы поддержки доступными пользователям на их родном языке. Обратите внимание: даже лучший машинный перевод не может быть настолько точным и правильным, как перевод, выполненный профессиональным переводчиком. Компания Cisco Systems, Inc. не несет ответственности за точность этих переводов и рекомендует обращаться к английской версии документа (ссылка предоставлена) для уточнения.

Содержание

Введение

Этот документ описывает пример конфигурации для доступа к клиенту Cisco AnyConnect Secure Mobility Client на платформе Adaptive Security Appliance, который использует двойную проверку подлинности с проверкой сертификата. Как и все остальные пользователи AnyConnect, вы должны предоставить правильный сертификат и указать учетные данные для основной и дополнительной проверки подлинности, чтобы получить доступ к VPN. В этом документе также приведен пример сопоставления сертификатов с функцией предварительного заполнения.

Предварительные условия

Требования

Компания Cisco рекомендует предварительно ознакомиться со следующими предметами:

Используемые компоненты

Сведения, содержащиеся в этом документе, касаются следующих версий программного обеспечения:

Предполагается, что вы используете внешний Центр сертификации (ЦС) для создания:

Настройка

Примечание.Воспользуйтесь инструментом Command Lookup ( только для зарегистрированных заказчиков), чтобы получить дополнительную информацию о командах, используемых в этом разделе.

Сертификат для AnyConnect

Чтобы установить образец сертификата, дважды щелкните файл anyconnect.pfx и установите сертификат как персональный сертификат.

Используйте диспетчер сертификатов (certmgr.msc), чтобы проверить установку:

По умолчанию AnyConnect пытается найти сертификат в пользовательском магазине Microsoft; изменять профиль AnyConnect не нужно.

Установка сертификатов на ASA

Этот пример демонстрирует импорт сертификата PKCS # 12 в кодировке base64 с платформы ASA:

Выполните команду show crypto ca certificates, чтобы проверить импорт:

Примечание. Средство интерпретации выходных данных (только для зарегистрированных заказчиков) поддерживает некоторые команды show. Используйте Средство интерпретации выходных данных, чтобы просмотреть анализ выходных данных команды show.

Конфигурация ASA для одинарной проверки подлинности и проверки сертификата

ASA использует как аутентификацию ААА (проверка подлинности, авторизация и обработка учетных записей), так и проверку подлинности сертификата. Проверка достоверности сертификата является обязательной. Для аутентификации AAA (проверка подлинности, авторизация и обработка учетных записей) используется локальная база данных.

В этом примере показана одинарная проверка подлинности с проверкой сертификата.

Помимо этой конфигурации, можно выполнить авторизацию LDAP, используя имя пользователя из конкретного поля сертификата (например, поле имени сертификата (CN)). После этого можно получить и применить дополнительные атрибуты для VPN-сеанса. Дополнительные сведения о проверке подлинности и авторизации сертификата см. в разделе «Авторизация ASA Anyconnect VPN и OpenLDAP с примерами настраиваемой схемы и конфигураций сертификатов.»

Проверка

Примечание. Средство интерпретации выходных данных (только для зарегистрированных заказчиков) поддерживает некоторые команды show. Используйте Средство интерпретации выходных данных, чтобы просмотреть анализ выходных данных команды show.

Для тестирования этой конфигурации укажите локальные учетные данные (имя пользователя cisco и пароль cisco). Требуется наличие сертификата:

Выполните команду show vpn-sessiondb detail anyconnect на ASA:

.debug

Примечание.Перед использованием команд debug обратитесь к документу Важные сведения о командах отладки.

В этом примере сертификат не кэшируется в базе данных, найден соответствующий ЦС; использован правильный ключ (CLientAuthentication), и сертификат успешно прошел проверку достоверности:

Подробные команды отладки, такие как debug webvpn 255, могут создавать множество журналов в рабочей среде и размещать на ASA интенсивную рабочую нагрузку. Некоторые процедуры отладки WebVPN удалены для ясности:

Это попытка найти подходящую группу туннелей. Конкретные правила сопоставления сертификатов отсутствуют, и используется указанная группа туннелей:

Далее приведены процедуры отладки SSL и общего сеанса:

Конфигурация ASA для двойной проверки подлинности и проверки сертификата

Здесь приводится пример двойной проверки подлинности, где используется сервер основной проверки подлинности LOCAL и сервер дополнительной проверки подлинности LDAP. Проверка достоверности сертификата по-прежнему включена.

В этом примере демонстрируется конфигурация LDAP:

Здесь показано добавление сервера дополнительной проверки подлинности:

В конфигурации не отображается «authentication-server-group LOCAL», так как это параметр по умолчанию.

Для «authentication-server-group» можно использовать все остальные серверы AAA Для «secondary-authentication-server-group» можно использовать все серверы AAA кроме сервера Security Dynamics International (SDI); в этом случае SDI может выступать в роли сервера основной проверки подлинности.

Проверка

Примечание. Средство интерпретации выходных данных (только для зарегистрированных заказчиков) поддерживает некоторые команды show. Используйте Средство интерпретации выходных данных, чтобы просмотреть анализ выходных данных команды show.

Чтобы протестировать эту конфигурацию, укажите локальные учетные данные (имя пользователя cisco и пароль cisco) и учетные данные LDAP (имя пользователя cisco и пароль из LDAP). Требуется наличие сертификата:

Выполните команду show vpn-sessiondb detail anyconnect на ASA.

.debug

Отладка сеанса WebVPN и проверки подлинности во многом схожи. См. раздел «Конфигурация ASA для одинарной проверки подлинности, проверки достоверности сертификата и отладки» Отображается один дополнительный процесс проверки подлинности:

Процедуры отладки LDAP отображают сведения, которые могут отличаться от конфигурации LDAP:

Конфигурация ASA для двойной проверки подлинности и предварительного заполнения

Можно сопоставить отдельные поля сертификата с именем пользователя, которое используется для основной и дополнительной проверки подлинности:

В этом примере клиент использует сертификат: cn=test1,ou=Безопасность,o=Cisco,l=Krakow,st=PL,c=PL.

Для основной проверки подлинности имя пользователя берется из имени сертификата, и именно по этой причине создан локальный пользователь «test1».

Для дополнительной проверки подлинности имя пользователя взято из организационного подразделения (OU, по этой причине на сервере LDAP создан пользователь «Security»).

Кроме того, возможно принудительно настроить в AnyConnect использование специальных команд для предварительного заполнения основного и дополнительного имени пользователя.

В реальном сценарии в качестве сервера основной проверки подлинности обычно используется сервер AD или LDAP, а в качестве сервера дополнительной проверки подлинности — сервер Rivest, Shamir и Adelman (RSA), который использует пароли токенов. В этом сценарии пользователю необходимо указать учетные данные AD/LDAP (которые известны пользователю), пароль токена RSA (который есть у пользователя) и сертификат (на используемом компьютере).

Проверка

Обратите внимание, что нельзя изменить основное или дополнительное имя пользователя, поскольку оно предварительно заполнено на основе данных из полей CN и OU:

.debug

В этом примере показан предварительно заполненный запрос, который отправляется в AnyConnect:

Здесь показано, что для проверки подлинности используются правильные имена пользователей:

Конфигурация ASA для сопоставления двойной аутентификации и сертификата

Кроме того, можно сопоставить конкретные клиентские сертификаты с отдельными группами туннелей, как показано в этом примере:

Таким образом, все сертификаты пользователей, выданные ЦС Cisco Technical Assistance Center (TAC), сопоставляются с группой туннелей с именем «RA»

Примечание. Сопоставление сертификатов для SSL настраивается иначе, чем сопоставление сертификатов для IPSec. Для IPSec сопоставление настраивается с использованием правил «tunnel-group-map» в режиме глобальной конфигурации. Для SSL сопоставление настраивается с использованием правила «certificate-group-map» в режиме конфигурации webvpn.

Проверка

Обратите внимание, что после включения сопоставления сертификатов выбор группы туннелей больше не требуется:

.debug

В этом примере правило сопоставления сертификатов разрешает поиск группы туннелей:

Устранение неполадок

Этот раздел обеспечивает информацию, которую вы можете использовать для того, чтобы устранить неисправность в вашей конфигурации.

Подтвержденный сертификат отсутствует

После удаления действующего сертификата из Windows 7 AnyConnect не может найти действующие сертификаты:

На ASA похоже, что сеанс завершен клиентом (Сброс-I):

Источник

AnyConnect Secure Mobility Certificate Error

[4/29/2015 3:10:51 PM] Connection attempt has failed.

[4/29/2015 3:10:54 PM] Connection attempt has failed.

[4/29/2015 3:10:54 PM] No valid certificates available for authentication.

[4/29/2015 3:10:57 PM] Connection attempt has failed.

Do you have a certificate installed that was issued by a Certificate Authority?

Do you have a certificate installed that was issued by a Certificate Authority?

The only certificate I have installed on the my edge router is the SSH cert that was generated inside.

Do you have a certificate installed that was issued by a Certificate Authority?

webvpn gateway webvpn_1

ip address 73.52.xx.xx port 443

http-redirect port 80

ssl trustpoint pa-york-2851

webvpn install svc flash:/webvpn/anyconnect-win-3.1.06073-k9.pkg sequence 1

webvpn context Test

ssl authenticate verify all

policy group policy_1

svc address-pool «SDM_POOL_1» netmask 255.255.255.255

svc default-domain «york.local»

svc dns-server primary 192.168.1.29

aaa authentication list ciscocp_vpn_xauth_ml_2

Did you use your public facing address? I have a Cisco ASA firewall so the concepts are similar, but he implementation is fairly different. I wonder if this is because you’re using a self signed cert. I used a cert issued by a CA. You create a cert request on the unit, send it to the CA, then get your externally issued cert from that CA. I might be off track here though.

Did you use your public facing address? I have a Cisco ASA firewall so the concepts are similar, but he implementation is fairly different. I wonder if this is because you’re using a self signed cert. I used a cert issued by a CA. You create a cert request on the unit, send it to the CA, then get your externally issued cert from that CA. I might be off track here though.

webvpn gateway webvpn_1

ip address 73.52.xx.xx port 443

http-redirect port 80

ssl trustpoint pa-york-2851

Can you please provide directions from some website or cisco I’ve not heard of using a CA to issue a cert.

Ideally you would want a CA issued cert that verifies that you’re connecting to what you think you are. We have a domain name that’s used for connections to our ASA. Basically my.domain.org. I have a GoDaddy cert that was issued by them and loaded onto my ASA. So when you try to connect with AnyConnect or via WebVPN/SSLVPN, your computer can see that you are actually connecting to my.domain.org. Just like your secure connection to your bank website. If you have an internally issued cert and are connecting internally then that’s probably why it works that way. You internally issued cert can’t be checked against anything if you’re connecting externally.

Ideally you would want a CA issued cert that verifies that you’re connecting to what you think you are. We have a domain name that’s used for connections to our ASA. Basically my.domain.org. I have a GoDaddy cert that was issued by them and loaded onto my ASA. So when you try to connect with AnyConnect or via WebVPN/SSLVPN, your computer can see that you are actually connecting to my.domain.org. Just like your secure connection to your bank website. If you have an internally issued cert and are connecting internally then that’s probably why it works that way. You internally issued cert can’t be checked against anything if you’re connecting externally.

Well I talked to my provider Hostgator and they sent me to a form for a SSL Cert. It created a private and public key to send to a SSL 3rd party. I’m not really looking at spending money to get this to work being that this is inter company / private outside vpn.

While getting a CA Certificate like everyone else is saying I am not sure that is your issue. While yes it will error you should be able to get around it. So here are 2 suggestions first try running AnyConnect as Administrator (Right click on the file and select run as administrator) If that does not work I’d run AnyConnect and goto the settings the uncheck «block connections to untrusted servers». I do advise though that if you decide to start using this you get yourself a CA certificate and install it on the ASA. At least this will help you out for testing hopefully.

While getting a CA Certificate like everyone else is saying I am not sure that is your issue. While yes it will error you should be able to get around it. So here are 2 suggestions first try running AnyConnect as Administrator (Right click on the file and select run as administrator) If that does not work I’d run AnyConnect and goto the settings the uncheck «block connections to untrusted servers». I do advise though that if you decide to start using this you get yourself a CA certificate and install it on the ASA. At least this will help you out for testing hopefully.

I ran the Cisco AnyConnect as administrator. A «Security Warning: Untrusted VPN Server Certificate» popped up. I clicked Connect Anyway. It states connection failed. No valid certificates available for authentication. I have to unblock «Block connections to untrusted servers» to receive any messages as I get stopped by a big red box to disconnect me as its unsafe.

I’ve found a website called startssl.com but I can’t log into my account. I get a cant establish connection. I don’t know what’s wrong with that but they provide a level 1 SSL for free each year you just have to renew it.

So yeah. I got my anyconnect to work without prompting me for any licenses or anything. I still got all the untrusted server notifications but it connected inside my local intranet. So how do I go about putting it out on the public?

I wouldn’t worry too much about connecting internally because that doesn’t do you a lot of good. There are scenerios where your wireless might be segmented off and you force people to VPN in for security purposes, but that’s a different subject.

I’m not really sure about the setup on those routers since they differ from my ASA firewall. In my case I had to generate a CSR, which makes a text file you upload to your CA. They then issue you your cert which you import into your device. I have no clue if these options exist on the 2851, but this is what it looks like generating a CSR on an ASA firewall using the GUI. https://www.digicert.com/csr-creation-cisco-asa-vpn.htm

On my ASA I had to explicitly tell it that I wanted to enable SSL access for AnyConnect on my external/outside interface.

I wouldn’t worry too much about connecting internally because that doesn’t do you a lot of good. There are scenerios where your wireless might be segmented off and you force people to VPN in for security purposes, but that’s a different subject.

I’m not really sure about the setup on those routers since they differ from my ASA firewall. In my case I had to generate a CSR, which makes a text file you upload to your CA. They then issue you your cert which you import into your device. I have no clue if these options exist on the 2851, but this is what it looks like generating a CSR on an ASA firewall using the GUI. https://www.digicert.com/csr-creation-cisco-asa-vpn.htm

On my ASA I had to explicitly tell it that I wanted to enable SSL access for AnyConnect on my external/outside interface.

Источник

---

---

---

---

---

---

Fedia

Супермодератор

Gagarin86

andrew13

Gagarin86