Certificate authentication on High Sierra

ccubeman (Level 1)

I'm having a perplexing problem with certificate/AAA authentication on High Sierra. AnyConnect chooses the correct certificate, but appears to have a problem accessing the private key. Sometimes. If I delete the ~/.anyconnect file and force quit AnyConnect, I am able to connect with the certificate. If I then connect to a non-certificate connection, then reconnect to a certificate connection, I get certificate validation failures.

If I debug the connection on the head-end, when the failures occur, I never see the user certificate come into the ASA. The device certificate is presented as normal. When it works, I see the user certificate presented to the ASA. This tells me the AnyConnect/High Sierra combo is not getting past validating the key.

I will note, this is not a certificate selection issue. I do have <CertificateMatch> configured in the relevant profile. DART logs show the correct certificate is chosen, then it all goes downhill.

I have a case with TAC, and we'll see how that goes.

Here is the relevant snippet from the DART log showing the failure progression:

2018-07-05 08:43:07.371657-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: nextClientCert File: ../../vpn/Api/ConnectMgr.cpp Line: 6469 Subject Name: CN="xxxx, xxxx", emailAddress=xxxx@xxxx.com, OU=MULTI-ALLOWED Issuer Name : O="xxxxx, Inc.", CN="xxxxx. Standard Private CA - G2" Store : Mac Keychain User  (this is the correct certificate)

2018-07-05 08:43:07.374003-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: enumCertsFromExternalTokens File: ../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300)

2018-07-05 08:43:07.381280-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: GetCertThumbprintFailureResponse File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 1333 Invoked Function: UserAuthenticationTlv::getStatusCode Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE

2018-07-05 08:43:07.381473-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE

2018-07-05 08:43:07.382383-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33Description: The operation couldn’t be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED)

2018-07-05 08:43:07.382387-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/CommonCrypt/Certificates/Certificate.cpp Line: 281 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED

2018-07-05 08:43:07.382390-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/Api/CertObj.cpp Line: 545 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED

2018-07-05 08:43:07.382392-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: handleCertSigningRequest File: ../../vpn/Api/ConnectMgr.cpp Line: 13376 Invoked Function: CertObj::HashAndSignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED

2018-07-05 08:43:07.382564-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: SignDataCB File: ../../vpn/IPsec/EAPMgr.cpp Line: 773 Invoked Function: CCertIKEAdapter::SignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED

2018-07-05 08:43:07.394964-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: processResponseStringFromSG File: ../../vpn/Api/ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth)

2018-07-05 08:43:07.395350-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE

2018-07-05 08:43:07.395356-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getAggAuthCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3837 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE

2018-07-05 08:43:07.404455-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] The following error message was received from the secure gateway: Certificate Validation Failure
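The log above shows a chain that is easy to misread as a gateway-side certificate problem when the real failure is local: Keychain first reports no match for the token query (-25300), then refuses the signing operation on the private key (-25293), and only after that does the ASA report "Certificate Validation Failure" because no client certificate was ever signed and sent. The following is an added example (not code from the original post or from Cisco) that parses DART-style lines of this shape and surfaces that ordering. The line layout and the `Function:/File:/Line:` message format are assumed from the lines in the post; the OSStatus names come from Apple's SecBase.h; the sample lines are constructed to mirror the post with placeholder subject data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shape assumed from the DART excerpt in the post:
# <timestamp> <thread> <level> <activity> <pid> <ttl> <process>: (<lib>) [<subsystem>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:.+-]+)\s+0x[0-9a-f]+\s+(?P<level>\w+)\s+0x[0-9a-f]+\s+"
    r"\d+\s+\d+\s+(?P<proc>[^:]+): \([^)]+\) \[(?P<subsystem>[^\]]+)\] (?P<msg>.*)$"
)
# Most AnyConnect messages carry a source location before the free text.
FUNC_RE = re.compile(r"Function: (?P<fn>\S+) File: (?P<file>\S+) Line: (?P<line>\d+) ?(?P<detail>.*)")
# Error propagation lines name the callee and the AnyConnect return code.
INVOKED_RE = re.compile(
    r"Invoked Function: (?P<callee>\S+) Return Code: (?P<rc>-?\d+) "
    r"\((?P<hex>0x[0-9A-Fa-f]+)\) Description: (?P<desc>\S+)"
)
# Raw Keychain / Security.framework status codes appear as "ret = N" or "OSStatus error N".
OSSTATUS_RE = re.compile(r"(?:OSStatus error|ret =) (?P<code>-\d+)")

# Apple Security.framework OSStatus values (SecBase.h).
OSSTATUS_NAMES = {
    -25300: "errSecItemNotFound",   # SecItemCopyMatching found nothing
    -25293: "errSecAuthFailed",     # Keychain denied use of the private key
}


@dataclass
class Event:
    ts: str
    level: str
    proc: str
    fn: str
    file: str
    line: int
    detail: str
    callee: Optional[str] = None
    rc: Optional[int] = None
    desc: Optional[str] = None
    osstatus: Optional[int] = None


def parse_line(raw: str) -> Optional[Event]:
    """Parse one DART line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    msg = m.group("msg")
    f = FUNC_RE.match(msg)
    if f:
        ev = Event(m.group("ts"), m.group("level"), m.group("proc").strip(),
                   f.group("fn"), f.group("file"), int(f.group("line")), f.group("detail"))
    else:
        # Free-form message (e.g. the gateway error string) with no source location.
        ev = Event(m.group("ts"), m.group("level"), m.group("proc").strip(), "", "", 0, msg)
    inv = INVOKED_RE.search(ev.detail)
    if inv:
        ev.callee, ev.rc, ev.desc = inv.group("callee"), int(inv.group("rc")), inv.group("desc")
    os_m = OSSTATUS_RE.search(ev.detail)
    if os_m:
        ev.osstatus = int(os_m.group("code"))
    return ev


def triage(lines: List[str]) -> dict:
    """Summarise where a client-certificate handshake failed: local Keychain vs. gateway."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    keychain = [(e.fn, e.osstatus, OSSTATUS_NAMES.get(e.osstatus, "unknown"))
                for e in events if e.osstatus is not None]
    return {
        "events": len(events),
        "keychain_errors": keychain,
        # -25293 during SignHash means the key exists but AnyConnect was not allowed to use it.
        "private_key_access_denied": any(code == -25293 for _, code, _ in keychain),
        "sign_failure_callers": [e.fn for e in events if e.desc == "CERTIFICATE_ERROR_SIGN_FAILED"],
        "gateway_message": next((e.detail for e in events if "secure gateway" in e.detail), None),
    }


# Constructed sample modelled on the post; subject data replaced with a placeholder.
_P = "2018-07-05 08:43:07.37{0}-0400 0x7cbe2    {1}     0x0                  77474  {2}    "
_UI = "Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] "
SAMPLE_LINES = [
    _P.format("1657", "Default", 0) + _UI + "Function: nextClientCert File: ../../vpn/Api/ConnectMgr.cpp "
    "Line: 6469 Subject Name: CN=\"placeholder user\" Store : Mac Keychain User",
    _P.format("4003", "Error", 14) + _UI + "Function: enumCertsFromExternalTokens File: "
    "../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300)",
    _P.format("2383", "Default", 0) + _UI + "Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp "
    "Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33 "
    "Description: The operation couldn't be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 "
    "CSSMERR_CSP_OPERATION_AUTH_DENIED)",
    _P.format("2390", "Error", 14) + _UI + "Function: HashAndSignData File: ../../vpn/Api/CertObj.cpp Line: 545 "
    "Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED",
    _P.format("2392", "Error", 14) + _UI + "Function: handleCertSigningRequest File: ../../vpn/Api/ConnectMgr.cpp "
    "Line: 13376 Invoked Function: CertObj::HashAndSignData Return Code: -31391731 (0xFE21000D) "
    "Description: CERTIFICATE_ERROR_SIGN_FAILED",
    _P.format("4455", "Default", 0) + _UI + "The following error message was received from the secure gateway: "
    "Certificate Validation Failure",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_LINES).items():
        print(f"{k}: {v}")
```

Run against a real DART export, the `keychain_errors` list is the part worth reading first: an `errSecAuthFailed` from `SignHash` before any gateway message points at local private-key access (ACL on the Keychain item, or a client/HostScan defect like the one the accepted solution names), not at the ASA's certificate validation.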

Accepted Solution

ccubeman (Level 1)

This problem was a direct result of CSCvi49604.  Fixed by reverting to hostscan 4.6.00362.
