Configure Cisco AnyConnect to use Two-Factor authentication (username/password & Self-Signed Cert)

jerryblack143
Level 1
Before I begin, I just want to mention that I am not very strong on the ASA side of things.
What I am trying to achieve is to use Two-Factor authentication when a user tries to VPN into the network using Cisco AnyConnect. One reason behind this decision is to prevent users who download AnyConnect onto their personal devices from connecting to the network (only allow company devices to connect through the VPN).
I have found a couple of ways to achieve this, but based on my communication with my engineering team, some of these solutions will not work.
The approach that we are exploring at this point is to use 2 certs (the CA cert and an identity cert from the CA).
We have been able to import the CA certificate correctly, then created a cert request on the ASA, but when we try to generate the cert from the request on our domain CA, we get some errors:
Error 1: (Request Status Code: The request contains no certificate template information. Request Disposition Message: Denied by Policy Module, 0x80094801, The request does not contain a certificate extension or the certificate template request attribute)
Error 2: (The requested certificate template is not supported by the CA. Denied by Policy Module, 0x80094800, The request was for a certificate that is not supported by the Active Directory Certificate Services policy)
Any help will be appreciated.
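Added example, not from anyone in this thread: submitting an ASA-generated CSR to a Windows enterprise CA from the CA's command line. It assumes the base64 CSR from the ASA was saved to a file, and uses placeholder names for the CA config string and the template; the two error codes quoted above are the ones the checks below are aimed at.

```powershell
# Added example (not from the thread). Assumes the ASA's base64 CSR was pasted
# into C:\asa\asa-vpn.csr and that the issuing CA is reachable as
# "CAHOST\Corp-Issuing-CA" (placeholder names). "WebServer" is the template's
# internal name, not its display name ("Web Server"); adjust to your template.
$Csr      = 'C:\asa\asa-vpn.csr'
$Cert     = 'C:\asa\asa-vpn.cer'
$CaConfig = 'CAHOST\Corp-Issuing-CA'   # placeholder: <CA host>\<CA common name>
$Template = 'WebServer'                # must be a template this CA is set to issue

# 1. Confirm the CSR parses. An ASA CSR carries no certificate template
#    extension, which is what 0x80094801 (CERTSRV_E_NO_CERT_TYPE) reports
#    when the request is submitted without naming a template.
certutil -dump $Csr

# 2. List the templates this CA actually issues. Naming a template that is not
#    in this list is what produces 0x80094800 (CERTSRV_E_UNSUPPORTED_CERT_TYPE).
certutil -CATemplates -config $CaConfig

# 3. Submit the CSR and supply the template as a request attribute, since the
#    CSR itself cannot carry it.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $Csr $Cert

# 4. If the template requires CA manager approval the request is pended; after
#    approval, retrieve it with the request ID printed by certreq -submit:
#    certreq -retrieve -config $CaConfig <RequestId> $Cert

# 5. Before importing on the ASA, check the issued certificate's subject/SAN
#    and that its chain builds to the CA certificate already on the ASA.
certutil -dump $Cert
certutil -verify $Cert
```

The same template selection is available in the CA's web enrollment page as the "Certificate Template" drop-down when pasting the CSR there.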

Philip D'Ath
VIP Alumni

Why don't you create the identity certificate on one of your machines, export it and the private key to a file, and then import the file in one go.

Then you don't need to generate the CSR on the ASA and interface that with your CA.

Hi Philip, 

Thank you for making out time to respond to my question.

We tried to do that but were unsuccessful, as we have 2 ASAs.

When we try to take this approach that you mentioned, an error came up (error: high availability)

Thank you 

What version of software are you running on your ASAs?

I believe that it's ASDM 7.6(2)150

What about the ASAs?

9.4(3)12

Thank you

Sorry I forgot to ask, what model ASA are you using?

We are using the 5525 Model.

Thank you 

I've imported certificates a lot of times, and never had an issue.  So I am suspicious of the software version you are using.

asa944-5-smp-k8.bin is a gold-star release for your platform.  Would you be able to upgrade to that?
https://software.cisco.com/download/release.html?mdfid=284143129&catid=268438162&softwareid=280775065&release=9.4.4%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

That is possible, but it will be a long process that I will hate to go through if it's not the cause of the issue.

Things like a change request and scheduling downtime to do this are some of the things that will make the process long.

Do you have any document or something to show the step-by-step approach that you used to accomplish the ones that you did, so that we can mirror that?

Thank you 

gaowen
Level 1

Is this an MS CA?

If so, then what kind of certificate template are you using to sign your CSR?