AnyConnect iPad/iPhone - Cannot verify the identity of ...

Marek Tarnoci
Level 1

Hello,

When I'm connecting to VPN from iPad/iPhone using certificates, I always get message:

                   Untrusted VPN Server! AnyConnect cannot verify the identity of XXXX. Would you like to continue anyway?

After confirming the message I'm connected, but the server's certificate is not stored in the AnyConnect certificate store and the message appears every time I connect to the VPN again. I would like to get rid of this message.

More info:

I have Cisco AnyConnect Secure Mobility Client version 3.0.0.9231 installed on the iPad/iPhone and have enabled authentication via certificates. I have a certificate installed on the client side and also on the ASA, and a profile configured with authentication method Certificate. I have installed the CA certificate which issued the ASA's certificate on my iPad/iPhone.

Any advice?

Thanks

Marek.


8 Replies

Itzcoatl Espinosa
Cisco Employee

Hi Marek,

I am not sure if I completely understood. The ASA certificate was issued by a third party CA, or the ASA was its own CA?

If that is the case: from AnyConnect version 3.0 on, new security features were added which warn the user if the connection is to an "untrusted" server.

AnyConnect checks the EKU field on the certificate. Due to the fact that self-signed certificates on the ASA cannot generate this field, you will be getting this message until you get a third-party certificate.

Please let me know if this is the issue.

regards,

Itzcoatl

Hi Itzcoatl,

Thanks for the answer.

The ASA certificate is issued by a third-party CA, it is our Windows CA. For issuing the certificate the default Web Server Template was used. The root CA certificate from this Windows CA is installed on the iPhone/iPad.

What should contain EKU field? I have there Server authentication.

Thanks

Regards

Marek.


Hi Marek,

I understand, even if it is a CA certificate, it may not contain the EKU values (Enhanced Key Usage). You may follow this action plan:

Create a new certificate and please be sure to include the IP address (x.x.x.x) as the Subject-Alternative-Name value. That way you won't get a hostname/FQDN mismatch warning message.

Don't forget to add the FQDN also.

Import the new cert on the mobile device cert store. This should work.

Please remember to rate this answer if it helped to solve your issue.

regards,

Itzcoatl

Hi Itzcoatl,

Thank you for the answer! I got it working, but I have a question.

Let me summarise my steps first:

1.  Created a new certificate request, as shown below:

crypto ca trustpoint ASA-FW
 revocation-check none
 id-usage ssl-ipsec
 subject-name CN=FQDN_of_FW
 fqdn FQDN_of_FW             ! According to Cisco documentation this specifies the FQDN (DNS name:) attribute to be used as the Subject Alternative Name.
 ip-address xxx.xxx.xxx.xxx  ! I guess this should also be used as the (IP:) attribute in the Subject Alternative Name, but I'm not sure
 keypair my_key              ! ASA trustpoint syntax is "keypair <name>"
 enrollment terminal
crypto ca enroll ASA-FW noconfirm

I issued this request with our Windows CA using the Web Server Template. I checked whether the certificate's Subject Alternative Name extension contains the IP address and FQDN. It contains only the FQDN (DNS Name), not the IP Address attribute. But the IP address is in the Unstructured Address field under the Subject Name section (the FQDN is also in the Unstructured Name field).

It looks like:

Subject name:
 Unstructured Address: xxx.xxx.xxx.xxx
 Unstructured Name:    FQDN_of_FW
 Common Name:          FQDN_of_FW
Extension Subject Alternative Name (Critical: NO)
 DNS Name: FQDN_of_FW

With such a generated certificate it's not working, I get the same message:

     Untrusted VPN Server! AnyConnect cannot verify the identity of XXXX. Would you like to continue anyway?

2. But I created a new certificate, where I configured subject-name, FQDN and IP address with the same value, the IP address of the ASA.

crypto ca trustpoint ASA-FW
 revocation-check none
 id-usage ssl-ipsec
 subject-name CN=xxx.xxx.xxx.xxx
 fqdn xxx.xxx.xxx.xxx
 ip-address xxx.xxx.xxx.xxx
 keypair my_key              ! ASA trustpoint syntax is "keypair <name>"
 enrollment terminal
crypto ca enroll ASA-FW noconfirm

And I issued this cert request with our Windows CA using the Web Server Template.

Subject name:
 Unstructured Address: xxx.xxx.xxx.xxx
 Unstructured Name:    xxx.xxx.xxx.xxx
 Common Name:          xxx.xxx.xxx.xxx
Extension Subject Alternative Name (Critical: NO)
 DNS Name: xxx.xxx.xxx.xxx

With such a generated certificate it works, I don't get the error message anymore.

My question is: how do I generate a certificate request from the ASA which will contain both attributes (IP and DNS) in the Subject Alternative Name extension after it is issued by the CA, and not only the DNS Name?

Thanks

Regards

Marek.

Hi Marek,

I understand your question. Unfortunately at this point this is not possible, as the ASA does not support this feature. A software bug has been opened to solve it, but there is no ETA for the fix.

Here is the DDTS info.

CSCso70867 ASA doesn't support SAN attributes for the enrollment request

Symptom:

The ASA currently doesn't support SAN (subject alternative name) for the enrollment request.

Conditions:

Workaround:

The workaround would be to use OpenSSL to generate CSR and keys. Once the certificate is received from CA, it should be combined with the key in OpenSSL to create pkcs12 file. After the file is created, it should be imported into ASA.

I hope I have answered your question. Please don't forget to rate the answer if it helped you to solve your problem.

regards,

Itzcoatl
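The OpenSSL workaround described in this reply (and the SAN/EKU requirements from the earlier reply about including both the IP address and the FQDN), written out as an added example. This is not code from the thread or from Cisco. The FQDN asa-vpn.example.com, the IP 192.0.2.10, the passphrase and the trustpoint name ASA-FW are assumptions, and a throwaway lab CA created on the fly stands in for the Windows CA so the script runs offline; in production you would send asa.csr to your real CA and drop the lab-CA step.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco's code): the OpenSSL route to an
# ASA identity certificate whose SAN carries both a DNS name and an IP address,
# bundled as PKCS#12 for "crypto ca import".
# Assumptions: FQDN asa-vpn.example.com and IP 192.0.2.10 (RFC 5737 test range);
# a throwaway lab CA generated here stands in for the Windows CA of the thread.
set -eu

ASA_FQDN="${ASA_FQDN:-asa-vpn.example.com}"
ASA_IP="${ASA_IP:-192.0.2.10}"
P12_PASS="${P12_PASS:-change-this-passphrase}"
WORK="${WORK:-$(mktemp -d)}"

# Step 1: key plus CSR. The SAN extension has to be in the request itself; the
# ASA's own enrollment only produced a DNS entry and put the IP in the subject.
make_asa_csr() {
    cat > "$WORK/san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $ASA_FQDN
[ v3_req ]
subjectAltName   = DNS:$ASA_FQDN, IP:$ASA_IP
extendedKeyUsage = serverAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out "$WORK/asa.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/asa.key" -config "$WORK/san.cnf" -out "$WORK/asa.csr"
}

# Step 2: have a CA sign it. Here a lab CA is created on the spot (assumption:
# your real CA replaces this). The -extfile/-extensions pair is what puts the SAN
# and EKU into the issued certificate; a CA that ignores request extensions drops
# them silently, which is why step 3 re-checks the result.
sign_with_lab_ca() {
    openssl req -x509 -config "$WORK/san.cnf" -extensions ca_ext -subj "/CN=Lab Test CA" \
        -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/asa.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/san.cnf" -extensions v3_req -out "$WORK/asa.pem" 2>/dev/null
}

# Step 3: verify the issued cert before touching the ASA. Returns non-zero if
# either SAN entry or the serverAuth EKU (what AnyConnect looks for) is missing.
check_cert_identity() {
    cert="${1:-$WORK/asa.pem}"
    text=$(openssl x509 -in "$cert" -noout -text)
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
    printf '%s\n' "$san" | grep -q "DNS:$ASA_FQDN"      || { echo "missing DNS SAN" >&2; return 1; }
    printf '%s\n' "$san" | grep -q "IP Address:$ASA_IP" || { echo "missing IP SAN" >&2; return 1; }
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
        || { echo "missing serverAuth EKU" >&2; return 1; }
}

# Step 4: PKCS#12 with key, identity cert and issuing CA. SHA1/3DES PBE is set
# explicitly so older PKCS#12 consumers (older ASA releases among them) are not
# handed the AES/PBKDF2 defaults of OpenSSL 3.x. The base64 form is what gets
# pasted into the ASA CLI.
make_asa_pkcs12() {
    openssl pkcs12 -export -in "$WORK/asa.pem" -inkey "$WORK/asa.key" -certfile "$WORK/ca.pem" \
        -name ASA-FW -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$P12_PASS" -out "$WORK/asa.p12"
    openssl base64 -in "$WORK/asa.p12" -out "$WORK/asa.p12.b64"
}

# Runs the whole chain and prints the path of the base64 bundle.
build_asa_identity() {
    make_asa_csr
    sign_with_lab_ca
    check_cert_identity "$WORK/asa.pem"
    make_asa_pkcs12
    echo "$WORK/asa.p12.b64"
}

# On the ASA (typed by hand, not run here; the import creates the trustpoint):
#   crypto ca import ASA-FW pkcs12 <P12_PASS>
#   <paste the contents of asa.p12.b64, then a line containing only: quit>
#   ssl trust-point ASA-FW outside
if [ "${1:-}" = "--run" ]; then
    build_asa_identity
fi
```

Run it as `sh asa-san-cert.sh --run`; it prints the path of the base64 bundle to paste into the ASA. Step 3 is the check worth keeping even when the real CA is used: the thread shows a CA can honour the DNS entry of a request and still leave the IP address out, and the only way to know is to read the issued certificate back, not the CSR.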

Hi Itzcoatl,

Using OpenSSL to generate a CSR with the right SAN attributes, merging the private key with the issued certificate into a PKCS12 file and importing this file into the ASA is the right way; that's how it works.

Thanks a lot for your help!

Regards

Marek.

Hi Marek,

I am glad it worked.

regards,

Itzcoatl Espinosa
