  • Content created by Rene Molenaar (CCIE #41726)



Notable Replies

  1. Hi Hector,

    It's not mandatory, you could configure the local CA first. The configuration for anyconnect is pretty much the same so that's why I referred to the previous example.

    The certificate that we exported to the computer and then back to the ASA is something you only have to do once...the ASA will present this certificate to the user so that the user can authenticate the ASA.

    User certificates are easier to enroll. They can fetch them using their web browser.


  2. sims says:

    Hi Rene

    "Cisco ASA Anyconnect Local CA" means the ASA acts like a CA?
    I don't want a group (in your example SSL_USERS), meaning users do not have a choice to select a group from the combo box called groups. I think if I don't need the groups I really don't need this part: "tunnel-group MY_TUNNEL webvpn-attributes".

    In that case, how do I enable double auth like username (LDAP) and certificate?

    If I am using a self-signed certificate, is the double authentication part the same? How do I generate certificates for the end users if I am using a self-signed certificate on the ASA?


  3. Hi Sims,

    That's right, the ASA is the CA that creates certificates here. Although it works, I think it's a better idea to use an external CA for your certificates.

    The following command allows users to select a group:

    ASA1(config)# webvpn
    ASA1(config-webvpn)# tunnel-group-list enable

    If you remove it, users shouldn't be able to get that option anymore.


  4. Hey Rene,

    I am using unetlab to do this lab with ASA 8.4. This lab is the only one that is not fully working. I get the certificate prompt to use my certificate, but once I click okay, Internet Explorer goes to "page cannot be displayed". I am using a Win7 32-bit image and IE8. I have imported all the proper certificates, following your example.

  5. sims says:

    What is the difference in implementation if we use an external or internal CA rather than making the ASA the CA?
