Cisco Firepower/FTD AnyConnect Validation Certificate Failure – How to disable the AnyConnect certificate authentication on a specific Trustpoint

2

Received a question from a Firepower/FTD student/reader:

Say you have an ASA/FTD configured with AnyConnect certificate authentication and the trustpoint applied to the firewall for SSL services has a certificate issued by GoDaddy. Would this mean that any AnyConnect client that would present an identity certificate issued by GoDaddy would be able to pass the authentication on the firewall since the firewall trusts GoDaddy certs in this case?

Here is the answer, which created another issue/question:

If the ASA/FTD trusts GoDaddy, then it will trust the cert presented and signed by GoDaddy. As to VPN authentication, if you do not validate it against AD or MFA, it could pass…

New question:

That is interesting. Are you aware about any command/way to disable the authentication on a specific trustpoint?

 ANSWER:

The command to disable the authentication on the ASA for a specific trustpoint is “no validation-usage” and it is applicable under the trustpoint. If you issue that command under the trustpoint, the trustpoint would not try to validate the client cert all the way, and you get a Validation Certificate Failure on AnyConnect and the data is not forwarded.

using FlexConfig, add this object:
crypto ca trustpoint TODD
   no validation-usage

2 Comments

  1. And what about the equivalent in FTD/FMC? Do I have to do this by using Flexconfig? Or is there another way? This isn’t very well documented.
    Best regards
    Uwe

    1. Hi Uwe, this is a work in progress and I didn’t mean to publish it yet. It was an issue I had that I wanted to document, so I’ll be doing an update with the needed information later today…but yes, you can only implement this with FlexConfig for FTD

Leave a Reply

Your email address will not be published. Required fields are marked *