How to configure Anyconnect 4.7 Management + User Tunnels using certificate authentication

  • Published 26 Aug 2024
  • This technical configuration video shows how to configure the AnyConnect 4.7 Management Tunnel (machine certificate authentication) + User Tunnel (user certificate authentication) using ASDM 7.13 and ASA 9.13. A short demo towards the end shows the user PC connected with the management tunnel and transitioning over to the user tunnel.

Comments • 9

  • @peppalotes2745 3 years ago +1

    A good video. But what do we do on the AnyConnect side? You have two AnyConnect client profiles; what do we do with both profiles on the PC?
    It looks like the user client profile is stored in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile, but the machine profile is a vpnm file. What can we do with it? There isn't any information about that. Also, how do we configure the PC to start the machine tunnel before logon?

    • @ciscolivesecurityfan1136 3 years ago

      Hey Pep, take a look at this configuration document on CCO. www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html. There are 2 separate folders for the VPN profiles. First is the machine tunnel folder where you install the machine profile and the second folder is the regular user VPN profile. Once the machine profile has been uploaded and configured with a trusted corporate machine certificate, the machine tunnel will automatically initiate a connection when the user tunnel is not up. If your machine tunnel is not automatically connecting, there are troubleshooting steps in the doc I provided to see what the issue may be.

  • @emiliogalan1583 2 years ago

    Hi, great video. Thanks! I have a question about the user profile (after the user login): does it need to be a user cert based profile, or can we use a profile that uses SAML or AD username/password?

    • @ciscolivesecurityfan1136 2 years ago

      Hello Emilio, the management tunnel uses the management tunnel profile, which is based on X.509 certificates only. Once the user logs in, AnyConnect will be using the user profile (could be certificate or username/password, SAML, etc.). It is completely separate from the management tunnel profile used by the machine. Hope this makes sense.

  • @blackknight985 3 years ago

    Thanks for the great video!
    I've just got a question with regard to the machine/user certificate: how did you upload it? I've read "The AnyConnect Management VPN Profile could be manually uploaded to the client machines either through a GPO push or by manual installation (Ensure the name of the profile is VpnMgmtTunProfile.xml).", but I'm not sure how to do that?

    • @ciscolivesecurityfan1136 3 years ago

      Hello Black Knight, thanks for watching my video. You can use the standalone AnyConnect Profile Editor available on CCO to generate the XML file and then just manually copy that file to the client's PC. As for the machine certificate, this is a separate process. Using whatever CA you like, or the commonly used Windows 2012 or 2016 CA, you can generate a machine CA and send that certificate to the client.

    • @ciscolivesecurityfan1136 3 years ago

      Sorry for the late late response. My test clients joined my Windows 2016 domain controller/CA server and automatically received a machine certificate. In my Windows CA server, I configured the Certificate Authority to automatically enroll and issue a client certificate.

  • @ravindrapillay4319 3 years ago

    I need help with the certificate generation from the Microsoft CA server. The certificates are not getting the required EKU. Which template are you using on the Microsoft CA server?

    • @ciscolivesecurityfan1136 3 years ago

      Ravindra, the client is using a User Certificate. If your test PC joins your MS CA server/Domain Controller, the test PC can automatically enroll and get issued a user certificate. Of course, you have set this up in your MS CA server to do this. How is your test PC getting its certificate currently?
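The thread above raises two client-side prerequisites for the management tunnel: the profile file (named VpnMgmtTunProfile.xml, placed in the management tunnel profile folder) and a machine certificate with the EKU the head-end expects. The following PowerShell pre-flight check is an added example, not code from the video or from Cisco; the `MgmtTun` subfolder name, the profile XML element names and the Client Authentication EKU OID it looks for are assumptions to confirm against the Cisco configuration guide for your AnyConnect release.

```powershell
# Added example: verify the two management-tunnel prerequisites on a Windows client.
# Assumptions (labelled): 'MgmtTun' subfolder name, AnyConnectProfile/ServerList/HostEntry
# element names, and id-kp-clientAuth (1.3.6.1.5.5.7.3.2) as the EKU the ASA expects.
$base          = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$mgmtProfile   = Join-Path $base 'MgmtTun\VpnMgmtTunProfile.xml'   # assumed subfolder name
$clientAuthOid = '1.3.6.1.5.5.7.3.2'                              # assumed required EKU

function Test-MgmtTunnelProfile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return "MISSING: $Path (file name must be exactly VpnMgmtTunProfile.xml)"
    }
    try {
        $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    } catch {
        return "INVALID XML: $Path ($($_.Exception.Message))"
    }
    # Element names assumed from AnyConnect Profile Editor output.
    $hosts = @($xml.AnyConnectProfile.ServerList.HostEntry | ForEach-Object { $_.HostAddress })
    if ($hosts.Count -eq 0) { return "NO HostEntry/HostAddress found in $Path" }
    return "OK: management profile present; head-end(s): $($hosts -join ', ')"
}

function Get-MachineClientAuthCerts {
    param([string]$Oid)
    # The management tunnel authenticates with a machine certificate, so look only in the
    # LocalMachine personal store and require a private key, validity and the client-auth EKU.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $Oid })
        }
}

Test-MgmtTunnelProfile -Path $mgmtProfile
$certs = @(Get-MachineClientAuthCerts -Oid $clientAuthOid)
if ($certs.Count -eq 0) {
    "NO machine certificate with EKU $clientAuthOid in Cert:\LocalMachine\My;" +
    " check the CA template and auto-enrollment, as discussed in the thread."
} else {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the client; an empty certificate list points at the CA template or auto-enrollment rather than at the ASA configuration.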