Anyconnect Cert Error

andypowernet85
Level 1

Morning,

We're experiencing an issue using DUO SSO with Cisco ASA / Anyconnect, and I wondered if anybody had seen a similar issue.


Initially we were using a self-signed cert on the ASA, and then when trying to use DUO SSO via Anyconnect, the Anyconnect embedded browser rejected the cert. We then updated the cert to a publicly signed cert, installed this and updated DNS records.

Now when logging in via Anyconnect, you are redirected to the DUO SSO Login, the authentication is accepted and the push is sent to the mobile. Upon completing the push, the embedded browser once again presents an invalid cert error.


I have run Wireshark during this process, and for whatever reason halfway through the capture, the client machine starts running DNS lookups for the previous FQDN we were using on the ASA (when we had self-signed). It also tries to use this FQDN in the SNI field during the TLS handshake.


Has anyone seen anything similar?

1 Reply

Pulkit Mittal
Level 1

Single Sign-On for Cisco ASA with AnyConnect | Duo Security

Go to above link, under section Configure AnyConnect Connection Profile

Step 11 and Step 12 

Select Duo_Single_SignOn from the drop-down next to Identity Provider Certificate.

Select the SSL certificate used for the Cisco ASA itself from the drop-down next to Service Provider Certificate.

Make sure the right certificates are selected for IdP and SP.

If you find this useful, please mark it helpful and accept the solution.
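The Wireshark observation in the question (the client sending the old FQDN as SNI) and the reply's advice to check which certificate the ASA presents can both be confirmed from a workstation with a small probe. The script below is an added example, not code from the thread, Duo or Cisco: it connects to the head-end with a chosen SNI name, reports whether the presented chain is trusted by the local CA store (the self-signed case), and checks whether the leaf certificate's DNS SANs cover the name the client asked for (the old-FQDN case). Host names are placeholders; `probe`, `diagnose` and `hostname_matches` are names chosen here.

```python
"""Probe which TLS certificate a VPN head-end presents for a given SNI name
and whether that certificate covers the name the client asked for.

Added example; not from the original thread. Host names are placeholders.
"""
import socket
import ssl


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries from the subjectAltName of a cert dict as returned by
    ssl.SSLSocket.getpeercert()."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if hostname is covered by a DNS SAN entry.

    Exact match, or a single leftmost wildcard label ('*.example.com' covers
    'vpn.example.com' but not 'example.com' or 'a.b.example.com'). This is the
    check a browser performs after the handshake, and the reason a cert issued
    for the new FQDN is rejected when the client still sends the old one as SNI.
    """
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def diagnose(cert: dict, sni: str) -> dict:
    """Summarise what a client that sent `sni` would conclude about `cert`."""
    return {
        "sni": sni,
        "dns_names": san_dns_names(cert),
        "name_matches": hostname_matches(cert, sni),
    }


def probe(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, send `sni` in the ClientHello, and report whether
    the presented chain is trusted by this machine's CA store and whether the
    leaf certificate covers `sni`.

    Chain verification stays on (with CERT_NONE getpeercert() returns an empty
    dict), but the built-in hostname check is disabled so a name mismatch is
    reported instead of raised.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Self-signed or otherwise untrusted chain: the embedded browser fails here
        return {"sni": sni, "chain_trusted": False, "error": str(exc)}
    except OSError as exc:
        return {"sni": sni, "chain_trusted": None, "error": f"connection failed: {exc}"}
    return {"chain_trusted": True, "error": None, **diagnose(cert, sni)}


if __name__ == "__main__":
    # Placeholders: replace with the ASA's current address and the old/new FQDNs
    ASA_HOST = "vpn-new.example.com"
    for name in ("vpn-new.example.com", "vpn-old.example.com"):
        print(probe(ASA_HOST, name))
```

Running `probe` once with the new FQDN and once with the old one separates the two failure modes seen in the thread: `chain_trusted: False` means the client does not trust the issuer (the self-signed stage), while `chain_trusted: True` with `name_matches: False` means a valid public certificate was presented but it does not cover the name the client put in SNI, which is what the old-FQDN lookups in the capture would produce.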
