Configure Workspace ONE UEM so that managed Apple and select Android devices can connect to an enterprise network through Cisco AnyConnect using a certificate for authentication.

The certificate authentication flow runs from the point where the user's device enrolls into Workspace ONE UEM to the point where the user has VPN access to the protected enterprise network.
  1. After the device enrolls, Workspace ONE UEM sends the device a profile that contains the user's identity certificate and the Cisco AnyConnect configuration settings.
  2. When the device starts the VPN, it presents the identity certificate to the ASA's VPN endpoint for authentication.
  3. The ASA validates the device identity certificate: it must chain to the trusted external CA, which is the same CA that issued the ASA's own identity certificate.
  4. Optionally, if CRL checking is enabled, the ASA regularly retrieves, parses, and caches the CA's CRL and rejects device identity certificates that the CA has revoked.
  5. The ASA grants the device VPN access. The device can now securely access internal enterprise resources.

Prerequisites

The following tasks must be completed before configuring certificate integration.

  • Set up an external CA server. The CA must be an Enterprise CA rather than a standalone CA, because standalone CAs do not support configuring and customizing certificate templates.
  • For AnyConnect VPN, you must have a Cisco Adaptive Security Appliance (ASA) connected to your network.

Procedure

  1. Disable the local CA on the ASA firewall for AnyConnect.

    Disabling the local CA ensures that certificates are authenticated against the external CA.

    1. Log in to the Cisco Adaptive Security Device Manager (ASDM) to configure your ASA firewall.
    2. Navigate to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server.
    3. Select Disable.
    4. Select OK.
  2. Configure the ASA firewall and AnyConnect clients with a signed identity certificate.
    1. Create a CSR on the ASA firewall and submit it to the external CA. The ASA needs an Identity Certificate signed by the external CA. For assistance, follow Cisco's instructions for generating a CSR on the ASA firewall.
      When the external CA has signed the request, a .CER file (for example, cert_client_id.cer) is downloaded to your local machine.
    2. Download the external CA's own certificate and install it on the ASA firewall so that the ASA trusts certificates issued by that CA. For assistance, follow Cisco's instructions on how to install the external CA's certificate.
    3. Install the Identity Certificate that you downloaded from the external CA in step 1.

      With both the CA certificate and the Identity Certificate installed, the ASA can verify that the Identity Certificates that devices present were issued by the same external CA as its own. For assistance, follow Cisco's instructions on how to install the ASA's Identity Certificate. After completing these steps, the Identity Certificate that the external CA created is installed on your ASA firewall.

    4. Configure the VPN settings on the ASA. First, enable AnyConnect access on the appropriate VPN interface. Follow the instructions on the Cisco Web site on how to enable AnyConnect client access to the ASA.
    5. Specify the group policy that is applied to AnyConnect clients and devices that connect to the SSL VPN through the ASA firewall. Follow the instructions on the Cisco Web site on how to create an SSL VPN group policy for the ASA firewall.
    6. Set up the connection profile and tunnel group to define the connection parameters of the SSL VPN session used by AnyConnect clients. For assistance, follow the instructions on the Cisco Web site.

      While creating the connection profile and tunnel group on the ASA for SSL VPN clients (the example in this document is named PublicCertVPN), make sure that you select Certificate rather than AAA as the authentication method. If AAA is left selected, the ASA prompts for a user name and password instead of validating the device's certificate.

  3. Automate the deployment process of Identity Certificates and VPN settings to each device in Workspace ONE UEM console.

    Integrate Workspace ONE UEM with the external CA so that Workspace ONE UEM can request and deploy Identity Certificates. Configure the CA first and then the request template in the Workspace ONE UEM console.

    1. Configure the certificate authority (CA).
      1. Log in to the Workspace ONE UEM console as an Administrator.
      2. Navigate to Devices > Certificates > Certificate Authorities > Certificate Authorities tab.
      3. Select Add and complete the following settings.
        Authority Type: Microsoft ADCS.
        Protocol: ADCS.

        If you select SCEP instead, a different set of text boxes and selections appears that this documentation does not cover.

        Server Hostname: Enter the host name of the CA server.
        Authority Name: Enter the actual CA name.

        This value is the name of the CA to which the AD CS endpoint is connected. You can find it by launching the Certification Authority application on the CA server.

        Authentication: Service Account causes the device user to enter credentials. Self-Service Portal authenticates the device without the user having to enter their credentials.
        User name: The user name of the AD CS Admin Account that has sufficient access to allow Workspace ONE UEM to request and issue certificates. Use a dedicated account that is granted only the request and issue permissions it needs on the CA and on the template, not a general administrator account.
        Password: The password of that AD CS Admin Account.
        Additional Options: None.
      4. Select Save.
    2. Configure the request template.
      Enter information about the Identity Certificate template that Workspace ONE UEM deploys to devices for VPN certificate authentication.
      1. Navigate to Devices > Certificates > Certificate Authorities and select the Request Template tab.
      2. Select Add.
      3. Complete the certificate template information.
        Certificate Authority: Select the certificate authority that you just created from the drop-down menu.
        Subject Name: Enter the Subject Name or Distinguished Name (DN) for the template.

        The text entered here becomes the Subject of the certificate, which a network administrator can use to determine which user or device received the certificate.

        A typical entry is CN=WorkspaceONEUEM.{EnrollmentUser} or CN={DeviceUid}, where the {} entries are Workspace ONE UEM lookup values that are substituted for each device when the certificate is requested.

        Private Key Length: Typically 2048, but it must match the certificate template used by the external CA.
        Private Key Type: Select the type that matches the certificate template used by the external CA.
        SAN Type: Include one or more Subject Alternative Names with the template. SANs give the certificate additional unique identifiers and usually must match the certificate template on the server.

        Use the drop-down menu to select the SAN Type and enter the Subject Alternative Name in the corresponding text box. Each text box supports lookup values.

        Automatic Certificate Renewal: Automatically renews certificates that use this template before they expire. If enabled, specify the Auto Renewal Period in days.
        Enable Certificate Revocation: Automatically revokes certificates when the applicable devices are unenrolled or deleted, or when the applicable profile is removed. Pair this with CRL checking on the ASA (see the overview above) so that a revoked device certificate actually loses VPN access.
        Publish Private Key: Select to publish the private key to the specified Web service endpoint (directory services or custom Web service). Leave this cleared unless another system needs the key; the ASA only needs the certificate, not the private key, to authenticate the device.
      4. Select Save.
  4. Deploy a device profile from Workspace ONE UEM console with AnyConnect VPN and Certificate payloads to devices.

    This device profile deploys an Identity Certificate and AnyConnect VPN settings to configure all assigned devices.

    1. Navigate to Devices > Profiles > List View from the Workspace ONE UEM console main menu.
    2. Select Add.
    3. Select the applicable device platform to open the Add a New Profile screen.
    4. Configure the General settings for the profile. The General settings determine how the profile is deployed and who receives it and other overall settings.
    5. Select Credentials from the profile options at left and then select Configure.
    6. Select Defined Certificate Authority from the Credential Source drop-down menu.
    7. Select the external CA created previously from the Certificate Authority drop-down menu.
    8. Select the certificate template created previously from the Certificate Template drop-down menu.
    9. Select VPN from the profile options at left and then select Configure.

      Credentials profile settings must be configured before the VPN profile settings because the VPN configuration refers to the Credential that was created in the previous step. Also, some of the configuration settings described here are not applicable to all device platforms.

    10. Configure the following VPN profile settings.
      Connection Type: Cisco AnyConnect.
      Connection Name: Enter a name that helps identify this specific VPN.
      Server: Enter the URL of the ASA VPN endpoint that users connect to for establishing their VPN connection.
      Account: If your VPN has been configured to require user credentials in addition to the certificate, specify an account to pass to the VPN endpoint. To pass Workspace ONE UEM user account names to the VPN endpoint, use the {EnrollmentUser} lookup value.
      Send All Traffic: Select this check box to send all device traffic through the VPN connection.

      If it is cleared, only traffic destined for the internal enterprise network uses the VPN connection, and public traffic continues to use cellular or other external connections (split tunneling).

      User Authentication: Certificate.
      Group Name: The AnyConnect VPN group name (the connection profile configured on the ASA) used to establish the connection.
      Identity Certificate: Select the credential configured in the previous step.
    11. Select Save or Save & Publish to push the profile to devices.
  5. Deploy the AnyConnect app to devices managed in Workspace ONE UEM console.
    This deployment can be completed manually, by asking each device user to download the application from the App Store, or you can use Workspace ONE UEM to prompt each user to install the Cisco AnyConnect app.
    1. Navigate to Apps & Books > Applications > Native.
    2. Select the Public tab.
    3. Select Add Application.
    4. Ensure that the correct organization group is displayed in the Managed By text box.
    5. Select the appropriate platform from the Platform drop-down menu.
    6. Enter Cisco AnyConnect in the Name text box.
    7. Select Next.
    8. Locate Cisco AnyConnect in the Search window.
      Note that Cisco Legacy AnyConnect represents all versions up to 4.0.05069 and that Cisco AnyConnect represents all later versions. Make sure that you choose the correct version for your needs by selecting the corresponding Select button.
    9. All required configuration settings populate automatically in the Add Application window. Specify any additional parameters.
    10. Select Save & Publish.
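    Steps 1 and 2 of the procedure describe the ASA side through ASDM. The equivalent ASA CLI configuration, as an added example that is not part of this page or of Cisco's documentation: the trustpoint name EXTERNAL-CA, the key label, the CA and VPN host names, the issuing CA's CN, the interface name outside, the internal network range and the AnyConnect package file name are all assumptions; the connection profile name PublicCertVPN and the subject prefix WorkspaceONEUEM. are the page's own examples.

```text
! Added example (names assumed): ASA CLI equivalent of procedure steps 1 and 2
! --- Step 1: disable the local CA so that only the external CA is trusted
crypto ca server
 shutdown
!
! --- Steps 2.1 to 2.3: trustpoint for the external enterprise CA, with CRL checking
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint EXTERNAL-CA
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example Corp
 keypair VPN-KEY
 revocation-check crl
 crl configure
  policy cdp
! Paste the CA's certificate (Base64) when prompted
crypto ca authenticate EXTERNAL-CA
! Generate the CSR to the terminal, submit it to the CA, then import the signed identity certificate
crypto ca enroll EXTERNAL-CA
crypto ca import EXTERNAL-CA certificate
! Present the CA-signed identity certificate on the VPN interface
ssl trust-point EXTERNAL-CA outside
!
! --- Step 2.4: enable AnyConnect on the outside interface
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macos-4.x.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! --- Step 2.5: group policy; split tunneling so only internal networks use the VPN
access-list INTERNAL-NETS standard permit 10.0.0.0 255.0.0.0
group-policy PublicCertVPN-GP internal
group-policy PublicCertVPN-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INTERNAL-NETS
!
! --- Step 2.6: connection profile (tunnel group) that authenticates by certificate, not AAA
tunnel-group PublicCertVPN type remote-access
tunnel-group PublicCertVPN general-attributes
 default-group-policy PublicCertVPN-GP
tunnel-group PublicCertVPN webvpn-attributes
 authentication certificate
 group-alias PublicCertVPN enable
!
! Only certificates from the external CA whose CN carries the UEM template prefix map to this profile
crypto ca certificate map UEM-DEVICES 10
 issuer-name attr cn eq Example-Issuing-CA
 subject-name attr cn co WorkspaceONEUEM.
webvpn
 certificate-group-map UEM-DEVICES 10 PublicCertVPN
```

    The certificate map is the security-relevant part: without it, any certificate that chains to a trusted trustpoint is accepted for the profile, so the issuer and subject match restricts access to certificates that the external CA issued from the Workspace ONE UEM request template.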

What to do next

Review some tips and troubleshooting steps to help with the integration.
  • You can confirm that the VPN certificate is operational by pushing the profile to a device and then testing whether the device can connect and sync to the configured ASA firewall.
  • If the device is not connecting, it may show a message that the certificate cannot be authenticated or the account cannot connect to the ASA firewall. In this case, there is a problem in the configuration.
  • Make sure that a certificate is issued by the external CA to the device by checking the following information:
    • Go to the external CA’s server, start the certification authority application, and browse to the “issued certificates” section.
    • Find the last certificate that was issued. Ensure it has a subject that matches the one created in the certificate template section earlier in this documentation.

      If there is no certificate, then there is an issue with the external CA, client access server (for example, ADCS), or with the Workspace ONE UEM connection to the client access server.

    • Check that the permissions of the client access server (for example, ADCS) Admin Account are applied correctly to the external CA and the template on the external CA.
    • Check that the account information is entered correctly in the Workspace ONE UEM configuration.
  • If the certificate is being issued, make sure that it is in the Profile payload and on the device.
    • Navigate to Devices > Profiles > List View. In the Device Profiles screen for the user's device, select Actions and then select View XML to view the profile XML. The certificate appears as a large block of encoded text in the payload.
    • On the device, go to the profiles list, select details, and see if the certificate is present.
  • If the certificate is on the device and contains the correct information, then the problem is most likely with the security settings on the ASA firewall.

    Confirm that the address of the VPN endpoint is correct in the Workspace ONE UEM profile. Also confirm that all the security settings have been adjusted for allowing certificate authentication on the firewall.

  • A good test to run is to configure a single device to connect to AnyConnect VPN using certificate authentication. Ensure this test works outside of Workspace ONE UEM, as until this works properly, Workspace ONE UEM is not able to configure a device to connect to AnyConnect VPN with a certificate.
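  When the certificate is on the device and the fault appears to be on the ASA, the following ASA exec-mode checks, added here as an example rather than taken from this page or from Cisco's documentation, narrow it down. The trustpoint name EXTERNAL-CA and the connection profile name PublicCertVPN are assumed to match the names used when the ASA was configured.

```text
! Added example (names assumed): ASA checks for the "problem is on the ASA" case
! 1. The CA certificate and the CA-signed identity certificate must both be present in the trustpoint
show crypto ca certificates EXTERNAL-CA
! 2. With CRL checking enabled, a current CRL must have been fetched and cached from the CA
show crypto ca crls
! 3. The connection profile must use certificate authentication and be reachable through the certificate map
show running-config tunnel-group PublicCertVPN
show running-config crypto ca certificate map
! 4. Watch a single test connection; chain, expiry and revocation failures are reported here
debug crypto ca 3
debug webvpn anyconnect 4
! 5. After a successful connection, the session should show the device's certificate as the authentication method
show vpn-sessiondb detail anyconnect
undebug all
```

  Run the debugs only for the single test device described above and turn them off afterwards; on a busy ASA they are noisy and cost CPU.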