Received a question from a Firepower/FTD student/reader:
Say you have an ASA/FTD configured with AnyConnect certificate authentication and the trustpoint applied to the firewall for SSL services has a certificate issued by GoDaddy. Would this mean that any AnyConnect client that would present an identity certificate issued by GoDaddy would be able to pass the authentication on the firewall since the firewall trusts GoDaddy certs in this case?
Here is the answer, which created another issue/question:
If the ASA/FTD trusts GoDaddy, then it will trust the cert presented and signed by GoDaddy. As to VPN authentication, if you do not validate it against AD or MFA, it could pass…
That is interesting. Are you aware of any command/way to disable the authentication on a specific trustpoint?
The command to disable the authentication on the ASA for a specific trustpoint is “no validation-usage” and it is applicable under the trustpoint. If you issue that command under the trustpoint, the trustpoint would not try to validate the client cert all the way, and you get a Validation Certificate Failure on AnyConnect and the data is not forwarded.
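To put the two answers above side by side in configuration form, here is an added ASA example (not the reader's or the author's configuration) showing the layout the question describes, where the public-CA trustpoint is also allowed to validate peer certificates, next to a layout that limits each trustpoint to one job. The `validation-usage`, `certificate-group-map` and `authentication aaa certificate` keywords are the ASA's own; the trustpoint names, CA attribute, interface name, AAA server group and tunnel-group name are assumed placeholders.

```cisco
! Added example, not the reader's or author's configuration.
! Assumed names: GODADDY-SERVER, CORP-ISSUING-CA, GODADDY-KEY, CORP-USERS,
! CORP-AD, ANYCONNECT-CERT and the interface "outside".

! --- Layout from the question: one trustpoint does double duty -------------
! The GoDaddy-issued identity cert lives here and the trustpoint is left
! with its validation usage unrestricted, so, as the answer above says,
! a client cert chaining to the same GoDaddy chain is accepted as trusted.
crypto ca trustpoint GODADDY-SERVER
 enrollment terminal
 keypair GODADDY-KEY
ssl trust-point GODADDY-SERVER outside

! --- Separated layout ------------------------------------------------------
! 1. The public-CA trustpoint only proves the firewall's own identity and
!    is no longer consulted when a client cert is validated.
!    ("no validation-usage" goes further and stops the trustpoint from
!    validating anything, which the answer notes surfaces on AnyConnect
!    as a certificate validation failure.)
crypto ca trustpoint GODADDY-SERVER
 validation-usage ssl-server

! 2. Only the internal issuing CA may vouch for AnyConnect users, and
!    revocation is checked (assumes the CRL is reachable from the ASA).
crypto ca trustpoint CORP-ISSUING-CA
 enrollment terminal
 validation-usage ssl-client
 revocation-check crl

! 3. A cert map steers only certs from that issuer into the tunnel-group,
!    and AAA is layered on top so the cert alone is not the whole check
!    (the first answer's point about validating against AD/MFA).
crypto ca certificate map CORP-USERS 10
 issuer-name attr o eq ExampleCorp
webvpn
 certificate-group-map CORP-USERS 10 ANYCONNECT-CERT
tunnel-group ANYCONNECT-CERT type remote-access
tunnel-group ANYCONNECT-CERT general-attributes
 authentication-server-group CORP-AD
tunnel-group ANYCONNECT-CERT webvpn-attributes
 authentication aaa certificate
```

The point of the split is that "the firewall trusts GoDaddy" then means only "GoDaddy signed the firewall's server certificate", not "GoDaddy may vouch for VPN users"; `show crypto ca trustpoint` is where to confirm which usage each trustpoint actually carries after the change.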