AnyConnect certificate-based authentication. Cisco community


The information in this document is based on the following software and hardware versions:

ASA 5510 running software version 8.2(2) and ASDM version 6.4(9)

AnyConnect client version 3.0 (will work the same for versions prior to version 8.3)

Microsoft Windows 2003 server as the CA server for the scenario.

Since the ASA version in use is 8.2.x, certificate authentication can be enabled per tunnel group.

(This is a feature of ASA 8.2.x. With pre-8.2.x ASA code, certificate authentication has to be enabled globally with the command "ssl certificate-authentication interface <interface> port <port>".)

In order to complete AnyConnect authentication using certificates, the AnyConnect client must obtain a valid certificate from the CA server. At the same time, the ASA must have the root CA certificate in order to properly validate the certificate of the connecting client.

1-) Make sure an AnyConnect image is loaded on your ASA firewall:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software

Click the “Add” button and browse the flash for the appropriate image (optionally, you can upload the client image from your local computer).

2-) Enable AnyConnect on the outside interface:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Check the box “Enable Cisco AnyConnect VPN Client or Legacy SSL Client”

Then select the interface that AnyConnect clients will connect to (in this example, the outside interface).

The “Allow user to select connection profile” check option will allow the AnyConnect user to select the group they will connect to.

3-) Create a new AnyConnect connection profile:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Click the Add button. The AnyConnect Connection Profile window will open.

Give the connection profile a name and an optional group alias.

Click the Select button next to the Client Address Pools option.

The Select Address Pools window will appear.

Click the Add button to create a new address pool.

4-) Create Group Policy:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Click the Manage button next to the Group Policy option in the connection profile.

Click the Add button to create the new policy.

Name the policy (in this example “AnyConnect-Policy”) and check the boxes “Clientless SSL VPN” and “SSL VPN Client”, then click the OK button.

The AnyConnect group was created at this point.

5-) Install CA Certificate in ASA:

The CA certificate must be downloaded from the CA server and installed in the ASA.

Complete these steps to download the CA certificate from the CA server.

Log in to the web interface of the CA server using the credentials provided to the VPN server.

Click Download CA Certificate, Certificate Chain, or CRL to open the download window. Click the Base 64 radio button as the encoding method, and click Download CA Certificate.

Save the CA certificate with the name certnew.cer to your computer.

Go to Configuration > Remote Access VPN > Manage Certificates > CA Certificates in the ASA firewall.

Click the “Add” button, the “Install Certificate” window will open.

Click the “Browse” button next to the “Install from file” option.

Browse to the location where you saved the CA certificate, select the CA certificate and click the “Install” button.

At this point, the CA certificate is installed in the ASA firewall, which can now validate connecting users whose certificates were issued by the same CA server.

6-) Go back to the AnyConnect connection profiles and change the profile to use Certificate Authentication:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles

Highlight the “AnyConnect-group” profile and click the Edit button.

The “Edit AnyConnect Connection Profile” window will open, where you can set the authentication method to “Certificate”.

Click the OK button and then click Apply.

(Remember to save the completed configuration)

7-) The next step will be to install the certificate into the AnyConnect client computer:

The user will need to log into the CA server with their credentials.

Once in the CA server, the user will need to click on the “Request a Certificate” option.

The user will want to select the “User Certificate” option.

At this point, the CA server will provide the user’s certificate to be installed.

Once the certificate is installed, the user will be able to connect with the AnyConnect client, authenticated by the installed certificate

(You do not need to enter a username and password)

Below you will find what the configuration in the CLI should look like:

! address pool handed out to AnyConnect clients
ip local pool <pool-name> <start-ip>-<end-ip> mask <mask>
group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
 vpn-tunnel-protocol svc webvpn
tunnel-group AnyConnect-group type remote-access
tunnel-group AnyConnect-group general-attributes
 address-pool <pool-name>
 default-group-policy AnyConnect-Policy
! certificate-only authentication for this connection profile
tunnel-group AnyConnect-group webvpn-attributes
 authentication certificate
 group-alias AnyConnect enable
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
 svc enable
 tunnel-group-list enable
! trustpoint that holds the CA certificate, pasted in at the terminal
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check none
 no id-usage
 enrollment terminal
crypto ca authenticate ASDM_TrustPoint0





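The configuration above combines certificate-only authentication on the tunnel group with revocation checking turned off on the trustpoint (in ASA syntax, `authentication certificate` and `revocation-check none`), so a certificate issued by the CA keeps working until it expires even after the CA revokes it. The following added example, which is not part of the original post or of any Cisco tool, audits a saved configuration for that combination; the sample configuration, including its pool name and address range, is constructed for the illustration.

```python
import re

# Constructed sample in the shape of the CLI listing; pool name and range are placeholders.
SAMPLE_CONFIG = """\
ip local pool EXAMPLE-POOL 192.0.2.10-192.0.2.50 mask 255.255.255.0
group-policy AnyConnect-Policy internal
group-policy AnyConnect-Policy attributes
 vpn-tunnel-protocol svc webvpn
tunnel-group AnyConnect-group type remote-access
tunnel-group AnyConnect-group webvpn-attributes
 authentication certificate
 group-alias AnyConnect enable
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check none
 no id-usage
 enrollment terminal
"""

def parse_sections(config):
    """Map each top-level line to the indented sub-commands that follow it."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and ASA comment lines
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit(config):
    """Return (severity, message) findings for certificate-authenticated profiles."""
    findings = []
    for header, body in parse_sections(config).items():
        m = re.fullmatch(r"tunnel-group (\S+) webvpn-attributes", header)
        if m:
            methods = [b.split()[1:] for b in body if b.startswith("authentication ")]
            if ["certificate"] in methods:  # no "aaa" alongside the certificate
                findings.append(("info", f"{m.group(1)}: certificate is the only authentication factor"))
        m = re.fullmatch(r"crypto ca trustpoint (\S+)", header)
        if m and "revocation-check none" in body:
            findings.append(("warn", f"{m.group(1)}: revocation-check none, revoked client certificates are still accepted"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Both findings clear once the trustpoint uses `revocation-check crl` and the tunnel group uses `authentication aaa certificate`; whether to require the second factor depends on how the client certificates are stored and protected.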


Hope this information is useful to you.
