AnyConnect with Certificate Authentication

SOLVED
Mike-M
Conversationalist

Hi

I'm stumped so wanted to reach out to the community in hopes that someone has some wisdom or guidance to share.

I'm testing AnyConnect VPN with Certificate Authentication. This is on an MX250 running v16.16 firmware and AnyConnect Client v4.10.05085 for Windows. Using a self-signed root certificate (uploaded to MX as a pem file) and a self-signed client certificate (installed to the Windows PC in Computer/Personal certificate store), it works like a champ!

 

However, for better certificate management and deployment experience, there's a preference to try and use Microsoft CA Services to deploy the client certificates. With this in mind, I:

  1. Exported the root certificate from the Microsoft CA Server (exported as Base64, renamed extension to pem)
  2. Uploaded the root certificate to the MX
  3. Installed a client certificate from the same CA server that signed the root certificate. It was installed to my test PC's Computer/Personal Certificate Store. The CA Root Certificate is also installed on this PC
  4. Attempted to establish an AnyConnect Client VPN - FAILS with "no valid certificate" dialogue.

If anyone has had any success with using an exported CA root certificate from a Microsoft CA server (Server 2016) and a client certificate issued from the same CA server, I'd appreciate any thoughts on how you got it working or if I've overlooked something.

Thanks!

4 REPLIES
PhilipDAth
Kind of a big deal

Did you definitely install a user certificate into the user certificate store on the machine - as opposed to the machine certificate store?

Mike-M
Conversationalist

Thanks for the helpful feedback. During my initial testing with the self-signed certificates, I installed those to the Machine certificate store. Since AnyConnect worked in that configuration, I proceeded to install the CA signed certificates to the Computer store as well. In hindsight, I suspect that I was signed into the machine as an admin which made those self-signed certificates in the Computer store accessible to AnyConnect.

What you suggested (installing the CA certs to User certificate store) worked so thank you for pointing me in the right direction.

With the new understanding that the User certificate store is where the CA certificates need to be, is there a best practice approach to prevent a non-privileged user from exporting the User certificates for install on a non-approved device?

In the end, we're aiming to limit AnyConnect VPN to just corporate assets. With AnyConnect/ASA, I recall that Dynamic Access Policies could further "inspect" the endpoint but that feature doesn't exist in Meraki's AnyConnect implementation.

PhilipDAth
Kind of a big deal

The trusted CA certificate should be able to go into the machine store. That is global. The user certificate must go into the user certificate store.

> is there a best practice approach to prevent a non-privileged user from exporting the User certificates for install on a non-approved device

When you import the user certificate, untick the option that allows the private key to be exported.

> With AnyConnect/ASA, I recall that Dynamic Access Policies could further "inspect" the endpoint

You can do something similar if you use Cisco Duo Beyond for the AnyConnect MFA, and configure AnyConnect to use SAML against Duo.

https://duo.com/docs/beyond-overview

https://duo.com/docs/device-health

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication
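As an added check for the two points raised in this thread (Mike-M's export-and-install steps and PhilipDAth's answer about the user store and a non-exportable private key), here is a PowerShell script that is not part of the thread, of Meraki's documentation or of Cisco's tooling. It verifies that the root exported from the Microsoft CA is actually a Base64/PEM file before it is uploaded to the MX, reports whether the client certificate sits in CurrentUser\My or LocalMachine\My, confirms that the client certificate chains to that exact root, and reports whether its private key is marked exportable. The path C:\pki\root.pem and the subject string CN=vpn-user01 are assumptions; substitute your own.

```powershell
# Added example, not code from the thread or from Cisco/Meraki. Assumed values:
# the exported root at C:\pki\root.pem and a client certificate whose subject
# contains 'CN=vpn-user01'. Run it in the VPN user's own (non-elevated) session,
# because that is the context in which AnyConnect reads the CurrentUser store.

function Get-PemCertificate {
    param([Parameter(Mandatory)][string]$Path)
    # The MX expects PEM. A DER export that was merely renamed to .pem has no
    # BEGIN/END armour, so reject that case and point at the right CA export option.
    $text = Get-Content -Path $Path -Raw
    if ($text -notmatch '-----BEGIN CERTIFICATE-----') {
        throw "$Path is not a Base64 (PEM) export; re-export as 'Base-64 encoded X.509 (.CER)' and rename to .pem"
    }
    $b64 = ($text -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    $der = [Convert]::FromBase64String($b64)   # throws if the body is not valid Base64
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

function Find-ClientCertificate {
    param([Parameter(Mandatory)][string]$SubjectMatch)
    # Report matches from both personal stores, so a certificate that only exists in
    # LocalMachine\My (the original poster's situation) is visible at a glance.
    foreach ($store in 'CurrentUser', 'LocalMachine') {
        Get-ChildItem -Path "Cert:\$store\My" |
            Where-Object { $_.Subject -like "*$SubjectMatch*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    HasKey     = $_.HasPrivateKey
                    Cert       = $_
                }
            }
    }
}

function Test-ChainsToRoot {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Allow the chain to terminate at the supplied root even if Windows does not trust
    # it yet; we then require that the chain really ends at that root, by thumbprint.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    $built = $chain.Build($Cert)
    $last  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($built -and ($last.Thumbprint -eq $Root.Thumbprint))
}

function Test-PrivateKeyExportable {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # $null means "no private key"; $true/$false reflect the CNG export policy or the
    # legacy CSP container flag, whichever backs this certificate's RSA key.
    if (-not $Cert.HasPrivateKey) { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        return ([int]($rsa.Key.ExportPolicy -band $allow) -ne 0)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $null
}

# --- usage -----------------------------------------------------------------
$root = Get-PemCertificate -Path 'C:\pki\root.pem'
'Root to upload to the MX: {0} (thumbprint {1})' -f $root.Subject, $root.Thumbprint

$found = @(Find-ClientCertificate -SubjectMatch 'CN=vpn-user01')
if ($found.Count -eq 0) {
    Write-Warning 'No matching client certificate in CurrentUser\My or LocalMachine\My'
    return
}
foreach ($f in $found) {
    $chains     = Test-ChainsToRoot -Cert $f.Cert -Root $root
    $exportable = Test-PrivateKeyExportable -Cert $f.Cert
    $note = if ($f.Store -ne 'CurrentUser') { 'install into CurrentUser\My for AnyConnect' } else { 'store ok' }
    '{0,-12} {1} expires={2:yyyy-MM-dd} chainsToRoot={3} keyExportable={4} ({5})' -f `
        $f.Store, $f.Thumbprint, $f.NotAfter, $chains, $exportable, $note
}
```

A line showing `LocalMachine ... chainsToRoot=True` with nothing under `CurrentUser` is the exact failure described in the first post: the certificate and chain are fine, but AnyConnect running as a non-admin user cannot use it from the machine store. For the exportability point, `Import-PfxCertificate -FilePath .\client.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pw` without the `-Exportable` switch imports the key as non-exportable (the scripted equivalent of unticking the option in the import wizard); for certificates enrolled directly from the CA, the template's "Allow private key to be exported" setting decides, which is the CA-side setting Mike-M reports using in his last reply. `keyExportable=False` in the output confirms either path took effect.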

Mike-M
Conversationalist

Again, thank you. After some additional testing, with the CA Server set to not allow the private key to be exported and with the user certificate installed to the user certificate store, things seem to be functioning as expected.