CISCO ASA and AnyConnect certificates

We have a 'managed' firewall hosted by a major ISP (though you really wouldn't think it). We have access to it via ASDM to control our own VPN certificates and users. It is a 5510.

We basically manage one thing; the Local Certificate Authority. We add users, remove users and issue one time passwords for certificates. These are acquired via the AnyConnect which prompts you to get one and supply the details. Once done, you install the certificate and boom, vpn worky.

Now it has been almost a year since we deployed this, and certs are starting to expire, prompting users for a new one-time password to get a new certificate. I am having to do this manually, and have asked the ISP if there is any way this can be done, sort of like an auto-renewal. They've categorically said NO.

Please tell me this isn't so. The only way around this as far as I can see is to make the expiry days something huge, which can't be good for security.

I am not even sure the VPN configuration is correct either, however it works so I'm guessing it must be.

Anybody in the know with this sort of thing? Thanking ya.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

rowelld

You'll need to generate a new CSR on the ASA to be used to acquire a new certificate. Once you get the new certificate you will add it as a new identify. You can then update VPN to use the new identify.

What version is the ASA running?

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco Systems

Magic Johnson

CSR?

8.2(5)

So it is possible then? I read the article but its a bit over my head!

colemic

I am glad we don't use those certificates on our AnyConnect. Just getting the damn thing to work right is hard enough. (mainly trying to implement restrictions, such as a certain background or current AV. When we turn those on, they fail security checks no matter what.)

Magic Johnson

colemic wrote: »

I am glad we don't use those certificates on our AnyConnect. Just getting the damn thing to work right is hard enough. (mainly trying to implement restrictions, such as a certain background or current AV. When we turn those on, they fail security checks no matter what.)

How do you do it mate?

colemic

Not sure what you mean - how do we do what? Implement restrictions? For that, we have Dynamic Access Policies... we has one for iPads, we put the UDID in, it works great. Until we add a rule for a desktop background or AV w/ current definitions, then it gets access denied. I can't figure out how to tell AnyConnect to differentiate between devices - that THIS rule (background) doesn't apply to THIS device (iPad), and vice versa... and anytime I have a rule for AV or background, it fails on a laptop no matter what.

Magic Johnson

colemic wrote: »

Not sure what you mean - how do we do what? Implement restrictions? For that, we have Dynamic Access Policies... we has one for iPads, we put the UDID in, it works great. Until we add a rule for a desktop background or AV w/ current definitions, then it gets access denied. I can't figure out how to tell AnyConnect to differentiate between devices - that THIS rule (background) doesn't apply to THIS device (iPad), and vice versa... and anytime I have a rule for AV or background, it fails on a laptop no matter what.

No, no you said you were glad you don't use those certificates on your AnyConnect. How do you implement it?

colemic

My bad.

We use network (client) access, and RSA tokens, so we don't have to issue certificates to each user. Actually I think they are there (on the device) but we don't issue them to specific users. I didn't set up the AnyConnect initially so I am not 100% sure.

Magic Johnson

colemic wrote: »

My bad. We use network (client) access, and RSA tokens, so we don't have to issue certificates to each user. Actually I think they are there (on the device) but we don't issue them to specific users. I didn't set up the AnyConnect initially so I am not 100% sure.

Ah right! Funnily enough we moved away from a CAG and RSA fobs for this solution but I didn't set it up either and am left picking up the pieces!

Also funnily enough, our ISP has now come back and said that auto-renewal of certificates IS possible, but I don't know what to believe any more!!