In this article, I will demonstrate how to configure a Cisco ASA for digital certificate-based authentication for remote access VPN users.
Prerequisites
- Admin access to the Cisco ASA
- Root CA and (if applicable) any sub-CAs for the users that will connect remotely
- Users/devices with signed certificates
Demonstration
- ASAv 9.17(1)7
- Active Directory Domain
- AnyConnect client
We will start by downloading the Root CA that has been used to sign the certificates of our remote access users and their devices. Once downloaded, we will need to upload it to the ASA. In this demonstration, we will use ASDM to upload the certificate.
Log into your ASA and navigate to Configuration > Device Management > Certificate Management and select ‘CA Certificates’. Add your Root CA and any relevant subordinate CAs to the ASA. In this demonstration, we won’t perform any certificate revocation checks, but in a live environment I would strongly recommend that you do.
Press ‘Install Certificate’ to add your root CA.

By default, the certificate will be accepted for IPsec and SSL client connections. If you want to change this, you can edit the certificate and select the necessary options from the ‘Advanced’ tab. In this demonstration, we will leave the options that are selected as default.

Now we will focus on the ASA VPN configuration.
Note: Your configuration may differ from the lab environment demonstration.
Navigate to Remote Access VPN > Network (Client) Access > AnyConnect Client Software. You will need to upload the relevant AnyConnect client images to your ASA so that when users connect for the first time, they can download AnyConnect before connecting to the VPN. In this demonstration, I’ve just uploaded one AnyConnect package.

Now select ‘AnyConnect Connection Profile’. In this demonstration, we will create a new connection profile specifically for certificate-based authentication.
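The CLI equivalent of the ASDM steps above, added here as an example and not taken from the original article. The trustpoint name, package file name and profile name are assumptions; the group policy ‘Certs’ and tunnel group ‘CertificateAuth’ match the session output shown later in the article.

```cisco
! Added example: ASA 9.17 CLI for the trustpoint, AnyConnect image,
! group policy and certificate-only connection profile.
!
! 1. Trust the Root CA that signed the user/machine certificates.
crypto ca trustpoint LAB-ROOT-CA
 enrollment terminal
 ! Same defaults as the ‘Advanced’ tab: accept for IPsec and SSL clients.
 validation-usage ipsec-client ssl-client
 ! The lab skips revocation checks; keep CRL checking on in production.
 revocation-check crl
 crl configure
!
! Exec mode: paste the Base64 PEM of the Root CA, then type "quit".
crypto ca authenticate LAB-ROOT-CA
!
! 2. AnyConnect package and client profile (file names assumed).
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 1
 anyconnect profiles CertProfile disk0:/certprofile.xml
 anyconnect enable
 tunnel-group-list enable
!
! 3. Group policy that pushes the client profile.
group-policy Certs internal
group-policy Certs attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value CertProfile type user
!
! 4. Connection profile that authenticates with certificates only.
tunnel-group CertificateAuth type remote-access
tunnel-group CertificateAuth general-attributes
 default-group-policy Certs
tunnel-group CertificateAuth webvpn-attributes
 authentication certificate
 group-alias CertificateAuth enable
```

After applying this, `show vpn-sessiondb detail anyconnect` should report ‘Auth Mode : Certificate’ for new sessions, as in the output further down.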

Once complete, navigate to AnyConnect Client Profile. This is where we will create a client profile for users connecting to the VPN using certificates.
In the first step, give the profile a name and specify the group policy with which this profile will be used. The group policy will be the policy that matches the connection profile we just configured for certificate-based authentication.

Once complete, press ‘OK’.
Now click ‘Edit’ to modify the parameters of the new profile that we’ve just created.
In this demonstration, we are using a Windows machine to connect to the VPN, and therefore our demonstration will focus on settings related to Windows. If you have different operating systems connecting to the VPN, you will need to ensure that the relevant settings are configured for them too.
In ‘Part 1’, we will change the Certificate Store setting so that the client checks the machine certificate store. By default ‘All’ is selected, which is usually fine if you don’t need granular control over which certificate store is used.
We will also change the setting ‘Windows VPN Establishment’ to ‘AllowRemoteUsers’. This lets users who are logged on to the Windows machine remotely, rather than at the console, establish the VPN.

Navigate to ‘Server List’ and add the hostname/IP address of your ASA’s interface that will be used to terminate VPN connections.

Once done, make sure you save your configuration changes.
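The client profile that the ‘Part 1’ and ‘Server List’ steps above produce, added here as an example and not taken from the original article. The profile name, the hostname vpn.example.com and the ‘UserGroup’ value are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: AnyConnect client profile for certificate-based
     authentication. Hostname and group name are assumed values. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Part 1: look for the client certificate in the machine store
         only, instead of the default "All". -->
    <CertificateStore>Machine</CertificateStore>
    <!-- Allow users logged on remotely (not at the console) to
         establish the VPN. -->
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Hostname/IP of the ASA interface terminating VPN sessions. -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <!-- Selects the certificate-based connection profile. -->
      <UserGroup>CertificateAuth</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```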
Provided that all your certificate requirements are in place, you should be able to test now. In the example below you can see that my demo machine has successfully connected and that the authentication method is Certificates. Note that some details, such as IP addresses, have been omitted.

ciscoasa# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : <Unknown> Index : 21
Assigned IP : <Omitted> Public IP : <Omitted>
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384
Bytes Tx : 19783 Bytes Rx : 52201
Pkts Tx : 12 Pkts Rx : 448
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : Certs Tunnel Group : CertificateAuth
Login Time : 13:07:21 UTC Fri Aug 19 2022
Duration : 0h:03m:20s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a877020001500062ff8b09
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 21.1
Public IP : <Omitted>
Encryption : none Hashing : none
TCP Src Port : 56911 TCP Dst Port : 443
Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 26 Minutes
Client OS : win
Client OS Ver: 10.0.19044
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.9.05042
Bytes Tx : 11574 Bytes Rx : 219
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 21.2
Assigned IP : <Omitted> Public IP : <Omitted>
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 56924
TCP Dst Port : 443 Auth Mode : Certificate
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.9.05042
Bytes Tx : 8209 Bytes Rx : 53380
Pkts Tx : 6 Pkts Rx : 463
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Hi Guru 🙂
Thanks for this article. Can you also implement this with Cisco FMC/FTD and a wildcard certificate? In this situation you have 2 certificates:
1) Wildcard certificate for users to access VPN from outside like vpn.example.com
2) User/Machine certificate issued and signed by internal Root-CA
How are you going to implement this kind of authentication?
Thanks.
Regards,
MC
Hey MC,
Thank you for reading.
I have not tried to configure a scenario like the one you’ve mentioned but I don’t see why it wouldn’t be possible. If you try this please let me know the outcome and vice versa.
I also found an article which may touch on some of the elements that you’ve mentioned here: https://community.cisco.com/t5/vpn/anyconnect-with-ftd-and-certificate-based-authentication/td-p/4446223