12-08-2013 02:02 AM - edited 02-21-2020 07:22 PM
Hello,
When I'm connecting to the VPN from an iPad/iPhone using certificates, I always get the message:
Untrusted VPN Server! AnyConnect cannot verify the identity of XXXX. Would you like to continue anyway?
After confirming the message I'm connected, but the server's certificate is not stored in the AnyConnect certificate store and the message appears every time I connect to the VPN again. I would like to get rid of this message.
More info:
I have Cisco AnyConnect Secure Mobility Client version 3.0.0.9231 installed on the iPad/iPhone and authentication via Certificates enabled. I have a certificate installed on the client side and also on the ASA, and a profile configured with the authentication method Certificate. I have installed the CA certificate which issued the ASA's certificate on my iPad/iPhone.
Any advice?
Thanks
Marek.
12-11-2013 11:41 AM
Hi Marek,
I am not sure if I completely understood. Was the ASA certificate issued by a third party CA, or was the ASA its own CA?
If that is the case, from AnyConnect version 3.0 new security features were added which warn the user if the connection is using an "untrusted" server.
AnyConnect checks the EKU field on the certificate. Due to the fact that self-signed certificates on the ASA cannot generate this field, you will be getting this message until you get a third party certificate.
Please let me know if this is the issue.
regards,
Itzcoatl
12-12-2013 07:17 AM
Hi Itzcoatl,
Thanks for the answer.
The ASA certificate is issued by a third party CA; it is our Windows CA. The default Web Server Template was used to issue the certificate. The Root CA certificate from this Windows CA is installed on the iPhone/iPad.
What should the EKU field contain? I have Server Authentication there.
Thanks
Regards
Marek.
12-12-2013 12:25 PM
Hi Marek,
I understand; even if it is a CA-issued certificate, it may not contain the EKU values (Enhanced Key Usage). You may follow this action plan:
Create a new certificate and please be sure to include the IP address (x.x.x.x) as the Subject-Alternative-Name value. That way you won't get a hostname/FQDN mismatch warning message.
Don't forget to add the FQDN also.
Import the new cert into the mobile device cert store. This should work.
Please remember to rate this answer if it helped to solve your issue.
regards,
Itzcoatl
12-12-2013 12:32 PM
Hi,
Here is more information about the behavior.
regards,
12-13-2013 05:55 AM
Hi Itzcoatl,
Thank you for the answer! I got it to work, but I have a question.
Let me summarise my steps first:
1. Created a new certificate request, as shown below:
crypto ca trustpoint ASA-FW
revocation-check none
id-usage ssl-ipsec
subject-name CN=FQDN_of_FW
fqdn FQDN_of_FW ! According to Cisco documentation, this specifies the FQDN (DNS name:) attribute to be used as the Subject Alternative Name.
ip-address xxx.xxx.xxx.xxx ! I guess this should also be used as the attribute (IP:) in the Subject Alternative Name, but I'm not sure
keypair my_key.key
enrollment terminal
crypto ca enroll ASA-FW noconfirm
I had this request issued by our Windows CA using the Web Server Template. I checked whether the certificate's Subject Alternative Name extension contains the IP address and the FQDN. It contains only the FQDN (DNS Name), not the IP address attribute. But the IP address is in the Unstructured Address field under the Subject Name section (the FQDN is also in the Unstructured Name field).
It looks like:
Subject name:
Unstructured Address: xxx.xxx.xxx.xxx
Unstructured Name: FQDN_of_FW
Common Name: FQDN_of_FW
Extension Subject Alternative Name
Critical NO
DNS Name: FQDN_of_FW
With a certificate generated this way it does not work; I get the same message:
Untrusted VPN Server! AnyConnect cannot verify the identity of XXXX. Would you like to continue anyway?
2. But I created a new certificate, where I configured the subject-name, FQDN and IP address with the same value, the IP address of the ASA.
crypto ca trustpoint ASA-FW
revocation-check none
id-usage ssl-ipsec
subject-name CN=xxx.xxx.xxx.xxx
fqdn xxx.xxx.xxx.xxx
ip-address xxx.xxx.xxx.xxx
keypair my_key.key
enrollment terminal
crypto ca enroll ASA-FW noconfirm
And I had this cert request issued by our Windows CA using the Web Server Template.
Subject name:
Unstructured Address: xxx.xxx.xxx.xxx
Unstructured Name: xxx.xxx.xxx.xxx
Common Name: xxx.xxx.xxx.xxx
Extension Subject Alternative Name
Critical NO
DNS Name: xxx.xxx.xxx.xxx
With a certificate generated this way it works; I don't get the error message anymore.
My question is: how do I generate a Certificate Request from the ASA that contains a SAN extension with both attributes, IP and DNS, so that the Subject Alternative Name extension contains both after issuance by the CA, and not only the DNS Name?
Thanks
Regards
Marek.
12-13-2013 12:28 PM
Hi Marek,
I understand your question. Unfortunately at this point this is not possible, as the ASA does not support this feature. A software bug has been opened to solve it, but there is no ETA for the fix.
Here is the DDTS info.
CSCso70867 ASA doesn't support SAN attributes for the enrollment request
Symptom:
The ASA currently doesn't support SAN (subject alternative name) for the enrollment request.
Conditions:
Workaround:
The workaround would be to use OpenSSL to generate the CSR and keys. Once the certificate is received from the CA, it should be combined with the key in OpenSSL to create a pkcs12 file. After the file is created, it should be imported into the ASA.
I hope I have answered your question. Please don't forget to rate the answer if it helped you to solve your problem.
regards,
Itzcoatl
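The OpenSSL workaround described in the answer above, and the SAN/EKU check that explains the AnyConnect warning discussed earlier in the thread, as an added example that is not part of the original thread and not Cisco's own tooling. It builds a key and a CSR that requests a Subject Alternative Name with both a DNS and an IP entry plus the serverAuth EKU, stands in for the Windows CA by self-signing the CSR with those extensions copied over (a real deployment submits the CSR to the CA instead), verifies the issued certificate carries the entries AnyConnect expects, and bundles certificate and key into a PKCS#12 file for import into the ASA. The hostname `asa-fw.example.com`, the address `192.0.2.10`, the export password and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSL-side CSR with DNS + IP SAN,
# a local stand-in for the CA, extension checks, and PKCS#12 bundling.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"            # scratch directory (constructed)
ASA_FQDN="${ASA_FQDN:-asa-fw.example.com}"    # constructed placeholder FQDN
ASA_IP="${ASA_IP:-192.0.2.10}"                # constructed placeholder (TEST-NET-1)
P12_PASS="${P12_PASS:-changeit}"              # constructed export password

# Request config asking for what the ASA cannot put in its own CSR:
# a SAN with both DNS and IP entries, and the serverAuth EKU.
write_req_config() {
  cat > "$WORKDIR/asa-csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $ASA_FQDN

[ v3_req ]
subjectAltName   = @alt_names
extendedKeyUsage = serverAuth
keyUsage         = digitalSignature, keyEncipherment

[ alt_names ]
DNS.1 = $ASA_FQDN
IP.1  = $ASA_IP
EOF
}

# Generate the RSA key and the CSR carrying the requested extensions.
make_key_and_csr() {
  write_req_config
  openssl genrsa -out "$WORKDIR/asa.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/asa.key" -out "$WORKDIR/asa.csr" \
    -config "$WORKDIR/asa-csr.cnf"
}

# Return 0 only if the CSR itself already asks for the IP SAN entry;
# this is the part the ASA-generated request was missing.
csr_has_ip_san() {
  openssl req -in "$WORKDIR/asa.csr" -noout -text | grep -q "IP Address:$ASA_IP"
}

# Stand-in for the Windows CA: self-sign the CSR and copy its extensions.
# In production the CSR goes to the real CA and asa.crt is what it returns.
issue_cert_locally() {
  openssl x509 -req -in "$WORKDIR/asa.csr" -signkey "$WORKDIR/asa.key" \
    -days 365 -out "$WORKDIR/asa.crt" \
    -extfile "$WORKDIR/asa-csr.cnf" -extensions v3_req 2>/dev/null
}

# Return 0 only if the issued certificate carries the DNS SAN, the IP SAN
# and the TLS server authentication EKU that AnyConnect checks.
cert_has_san_and_eku() {
  text=$(openssl x509 -in "$WORKDIR/asa.crt" -noout -text)
  echo "$text" | grep -q "DNS:$ASA_FQDN" || return 1
  echo "$text" | grep -q "IP Address:$ASA_IP" || return 1
  echo "$text" | grep -q "TLS Web Server Authentication" || return 1
  return 0
}

# Combine certificate and key into PKCS#12 and read it back to confirm
# the bundle opens with the password that will be given to the ASA.
build_pkcs12() {
  openssl pkcs12 -export -inkey "$WORKDIR/asa.key" -in "$WORKDIR/asa.crt" \
    -out "$WORKDIR/asa.p12" -passout "pass:$P12_PASS"
  openssl pkcs12 -in "$WORKDIR/asa.p12" -passin "pass:$P12_PASS" \
    -noout -info 2>/dev/null
}

# Full workaround: key + CSR, (stand-in) issuance, checks, PKCS#12 bundle.
run_workaround() {
  make_key_and_csr
  csr_has_ip_san
  issue_cert_locally
  cert_has_san_and_eku
  build_pkcs12
  echo "bundle ready: $WORKDIR/asa.p12"
}
```

Run `run_workaround` after sourcing the script; the resulting `asa.p12` is what gets imported into the ASA trustpoint. Before importing, `cert_has_san_and_eku` is worth running against the certificate the real CA returned as well, since a CA template can still drop requested extensions, which is exactly the symptom seen with the ASA-generated request in this thread.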
12-14-2013 07:53 AM
Hi Itzcoatl,
Using OpenSSL to generate the CSR with the right SAN attributes, merging the private key with the issued certificate into a pkcs12 file, and importing this file into the ASA is the right way; it works.
Thanks a lot for your help!
Regards
Marek.
12-16-2013 09:52 AM
Hi Marek,
I am glad it worked.
regards,
Itzcoatl Espinosa