cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6325
Views
4
Helpful
16
Replies

ACS - AnyConnect 3.0.5080 Network Access Manager (NAM) selecting wrong Certificate

Hi There,

We are successfully authenticating our Windows7 Wireless laptop users using Microsoft CA issued Machine Certificates to Cisco ACS Server v4.2 using EAP-TLS

However when AnyConnect 3.0.5080 is Installed and Network Access Manager (NAM) is running on the laptops NAM appears to be selecting details from the wrong certifcate for EAP-TLS authentication to ACS Server, it selects Username details from a Personal certificate on the users machine that is used by LYNC 2010 and does not use the Machine Certificate that is installed.

Attached is ACS logs that indicate this.

Will NAM always use details obtained from a Personal certificate in prefernce to a Machine certificate (if they both have the same domain name contained within them).

Anything specific I should be looking at.

Thanks in advance for any help.

1 Accepted Solution

Accepted Solutions

No problem Jim,

If you could please update this thread as you progress it will help a lot of customers in the future!

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

16 Replies 16

Tarik Admani
VIP Alumni
VIP Alumni

Jim,

Can you check and see if the Lync cert is in the appropriate store? From what I understand machine authentication works if the lync cert isnt deployed. To check the cert stores follow this guide - http://msdn.microsoft.com/en-us/library/ms788967.aspx and for the computer account please make sure that only computer cert is there.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Apology for delay in replying -

checked Laptop and only the Computer cert is in Local Computer account (under personal certificates),

the lync certificate is in  Personal certificates under Current User on same machine

Regards

Jim.

Jim,

Can you check the profile for you network and see if you are using both machine and user connection, it maybe that there isnt a user certificate installed so then anyconnect uses the machine cert to connect to the network, but once the lync certs were deployed then it gave anyconnect another certificate to authenticate with.

attached is the screenshot for the setting.

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Checked and profile set for Machine Connection (see attachment). For information Lync was deployed before AnyConnect with Nam was installed.

Regards

Jim.

Jim,

I wonder if you set the credentials to password based (PEAP) for machine authentication and see if you can get consistent machine authentication records. It doesnt make sense as to why Network Access Manager will look in the user certificate store when the profile is set to use the machine credentials. I think you should open a TAC case and make sure you arent hitting a bug.

Just out of curiosity which xml file did you open to see these settings?

Tarik Admani
*Please rate helpful posts*

Tarik,

Back in office tomorrow at this time and will give PEAP a try.  Will post update once I have tried

xml file was configuration.xml at following location;

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system

Jim.

Hi Tarik,

I tried User authentication using password based PEAP as suggested and that works fine  - but is not what we want.

Thought we had run into the bug "CSCtr97908 Machine Authentication with 2008 AD cert template fails" so upgraded to AnyConnect V 3.1.00495 which resolves this -however we are still having issues with NAM picking user certificates over machine certificates.

I removed all User Certificates from "Certificates-Current User" and AnyConnect/NAM cannot find any valid certificates (even though Machiune certifcate still present in "Certificates-(local Computer)"

I then went through the AnyConnet/NAM logs and on our wireless connection can see EAP ID request and NAM then searching for valid User Certificates (does not look for machine certificates) - would it be related in any way to EAP ID request from the Wireless infrastructure

Jim,

I was referring to the machine authentication. Please set that to password based authentication, so we can force the supplicant to pull the machine credentials using PEAP.

Before doing this do you have the DART package installed on this machine? If so, can you please run the DART utility after you attempt another machine connection using certificates.

You can attach the dart bundle here or let me know where I can download it through a private message.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

Attached are NAM logs covering the following test(s);

Wireless was disabled then Enabled

NAM 802.1X Configuration     pasword PEAP           - logged on with user details when prompted

NAM 802.1x Configuration     certificate EAP-TLS     - authentication fails

Jim.

I am going to look through the logs, it still confuses me as to why anyconnect is prompting the user for credentials when you have only selected machine authentication (those credentials are set by the domain controller dynamically and the username is the machine accountname).

Thanks,

Tarik Admani
*Please rate helpful posts*

Jim,

Instead of bouncing the wireless adapter did you select repair from the anyconnect supplicant? Usually that will force an update (or reboot would be even better).

Can you post the screenshot of the machine and user certificates, i would like to see the details (common name, issued to and issued by, along with eku) also can you take a screenshot of the certificate path.

Just to recap this works fine but when you deployed the user certs this is where it started to prefer the user over the machine?

I think you are hitting the follow bug which shows to be fixed in the version you just upgraded:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty62737&from=summary

NAM may pick the wrong CA cert if 2 CA certs have the same public key
Symptom:
When using AnyConnect NAM, Certificate authentication fails.
The AAA server may complain about incorrect information received during the TLS handshake

Conditions:
A  new machine/user and CA cert was installed and the subject-name of the  CA cert is identical to a previous CA cert still installed on that  machine.

Workaround:
Remove older CA certs with the same name (you may be able to put them back after the fact).
Avoid name clashes in the CA subject name (if you issue a new CA cert, give it a different subject name)

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

Just to confirm it has never worked with Machine Certificates even when we have removed the  LYNC user certificate.

Regards

Jim.

Jim,

By any chance is your CA using elliptical curve cryptography? I know there was an issue on this when I was working in TAC and that it wasn't supported before. I dont know if that has changed but I wanted to circle around to the bug that you referenced and think that is the candidate as to why the certificate isnt being detected. However, i think your best move now is to open a tac case and provide the same logs and they will get you taken care of.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

Thanks for all your help - will raise a Tac case

Regards

Jim.