07-06-2018 04:36 AM
I'm having a perplexing problem with certificate/AAA authentication on High Sierra. AnyConnect chooses the correct certificate, but appears to have a problem accessing the private key. Sometimes. If I delete the ~/.anyconnect file and force quit AnyConnect, I am able to connect with certificate. If I then connect to a non-certificate connection, then reconnect to a certificate connection, I get certificate validation failures.
If I debug the connection on the head-end, when the failures occur, I never see the user certificate come into the ASA. The device certificate is presented as normal. When it works, I see the user certificate presented to the ASA. This tells me the AnyConnect/High Sierra combo is not getting past validating the key.
I will note, this is not a certificate selection issue. I do have <CertificateMatch> configured in the relevant profile. Dart logs show the correct certificate is chosen, then it all goes downhill.
I have a case with TAC, and we'll see how that goes.
Here is the relevant snippet from the DART log showing the failure progression:
2018-07-05 08:43:07.371657-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: nextClientCert File: ../../vpn/Api/ConnectMgr.cpp Line: 6469 Subject Name: CN="xxxx, xxxx", emailAddress=xxxx@xxxx.com, OU=MULTI-ALLOWED Issuer Name : O="xxxxx, Inc.", CN="xxxxx. Standard Private CA - G2" Store : Mac Keychain User (this is the correct certificate)
2018-07-05 08:43:07.374003-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: enumCertsFromExternalTokens File: ../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300)
2018-07-05 08:43:07.381280-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: GetCertThumbprintFailureResponse File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 1333 Invoked Function: UserAuthenticationTlv::getStatusCode Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
2018-07-05 08:43:07.381473-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
2018-07-05 08:43:07.382383-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33Description: The operation couldn’t be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED)
2018-07-05 08:43:07.382387-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/CommonCrypt/Certificates/Certificate.cpp Line: 281 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.382390-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/Api/CertObj.cpp Line: 545 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.382392-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: handleCertSigningRequest File: ../../vpn/Api/ConnectMgr.cpp Line: 13376 Invoked Function: CertObj::HashAndSignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.382564-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: SignDataCB File: ../../vpn/IPsec/EAPMgr.cpp Line: 773 Invoked Function: CCertIKEAdapter::SignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.394964-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: processResponseStringFromSG File: ../../vpn/Api/ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth)
2018-07-05 08:43:07.395350-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
2018-07-05 08:43:07.395356-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getAggAuthCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3837 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
2018-07-05 08:43:07.404455-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] The following error message was received from the secure gateway: Certificate Validation Failure
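To make a DART snippet like the one above easier to triage, here is an added Python helper (not part of the original post and not Cisco code) that parses the DART line format shown, decodes the Apple Security framework OSStatus values that appear in it (-25300 is errSecItemNotFound, -25293 is errSecAuthFailed), and flags the pattern the poster describes: a certificate is selected, the keychain denies the private-key signing operation, and the gateway then reports "Certificate Validation Failure". The sample log embedded below is constructed from the post's snippet with the same redacted names; field names such as DartEvent and triage are this example's own.

```python
"""Triage helper for AnyConnect DART log lines (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# OSStatus codes from Apple's <Security/SecBase.h> seen in keychain-backed signing.
OSSTATUS_NAMES = {
    -25300: "errSecItemNotFound",  # SecItemCopyMatching found no matching item
    -25293: "errSecAuthFailed",    # keychain denied access to the private key
}

# DART line: "<date> <time> <thread> <level> 0x0 <pid> <n> <process>: (<lib>) [<subsystem>] <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>0x[0-9a-f]+) (?P<level>\w+) 0x0 (?P<pid>\d+) (?P<n>\d+) "
    r"(?P<process>.+?): \((?P<lib>[^)]+)\) \[(?P<subsystem>[^\]]+)\] (?P<rest>.*)$"
)
FUNC_RE = re.compile(r"Function: (?P<func>\S+) File: (?P<file>\S+) Line: (?P<line>\d+) ?(?P<msg>.*)$")
RC_RE = re.compile(r"Return Code: (?P<rc>-?\d+) \((?P<hex>0x[0-9A-Fa-f]+)\) Description: (?P<desc>\S+)")
OSSTATUS_RE = re.compile(r"(?:ret = |OSStatus error )(?P<code>-\d+)")
SUBJECT_RE = re.compile(r"Subject Name: (?P<subject>.*?) Issuer Name")
GATEWAY_RE = re.compile(r"received from the secure gateway: (?P<msg>.+)$")


@dataclass
class DartEvent:
    timestamp: str
    level: str
    process: str
    function: Optional[str]   # None for lines without a "Function:" prefix
    message: str
    return_desc: Optional[str]  # e.g. CERTIFICATE_ERROR_SIGN_FAILED
    osstatus: Optional[int]     # Apple OSStatus embedded in the message, if any


def parse_line(line: str) -> Optional[DartEvent]:
    """Parse one DART line; return None for lines not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fm, rm, om = FUNC_RE.match(rest), RC_RE.search(rest), OSSTATUS_RE.search(rest)
    return DartEvent(
        timestamp=m.group("ts"),
        level=m.group("level"),
        process=m.group("process"),
        function=fm.group("func") if fm else None,
        message=fm.group("msg") if fm else rest,
        return_desc=rm.group("desc") if rm else None,
        osstatus=int(om.group("code")) if om else None,
    )


def parse_log(text: str) -> List[DartEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(text: str) -> dict:
    """Summarise the certificate-auth progression found in a DART excerpt."""
    findings = {"selected_cert_subject": None, "keychain_errors": [],
                "sign_failed": False, "gateway_message": None,
                "verdict": "no certificate problem seen"}
    for e in parse_log(text):
        if e.function == "nextClientCert":
            sm = SUBJECT_RE.search(e.message)
            if sm:
                findings["selected_cert_subject"] = sm.group("subject")
        if e.osstatus is not None:
            name = OSSTATUS_NAMES.get(e.osstatus, "unknown OSStatus")
            findings["keychain_errors"].append((e.function, e.osstatus, name))
        if e.return_desc == "CERTIFICATE_ERROR_SIGN_FAILED":
            findings["sign_failed"] = True
        gm = GATEWAY_RE.search(e.message)
        if gm:
            findings["gateway_message"] = gm.group("msg")
    auth_denied = any(code == -25293 for _, code, _ in findings["keychain_errors"])
    if findings["selected_cert_subject"] and auth_denied and findings["sign_failed"]:
        findings["verdict"] = ("certificate selected but the keychain denied the private-key "
                               "signing operation, so no client signature reached the gateway")
    elif findings["gateway_message"]:
        findings["verdict"] = "gateway rejected the session: " + findings["gateway_message"]
    return findings


# Constructed sample, abridged from the post's snippet (names already redacted there).
SAMPLE_LOG = """2018-07-05 08:43:07.371657-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: nextClientCert File: ../../vpn/Api/ConnectMgr.cpp Line: 6469 Subject Name: CN="xxxx, xxxx", emailAddress=xxxx@xxxx.com, OU=MULTI-ALLOWED Issuer Name : O="xxxxx, Inc.", CN="xxxxx. Standard Private CA - G2" Store : Mac Keychain User
2018-07-05 08:43:07.374003-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: enumCertsFromExternalTokens File: ../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300)
2018-07-05 08:43:07.382383-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33Description: The operation couldn't be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED)
2018-07-05 08:43:07.382387-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/CommonCrypt/Certificates/Certificate.cpp Line: 281 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.382564-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: SignDataCB File: ../../vpn/IPsec/EAPMgr.cpp Line: 773 Invoked Function: CCertIKEAdapter::SignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.394964-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: processResponseStringFromSG File: ../../vpn/Api/ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth)
2018-07-05 08:43:07.404455-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] The following error message was received from the secure gateway: Certificate Validation Failure
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of the verdict rule is the one the poster makes from the head-end debug: an errSecAuthFailed from SecKeyCreateSignature means the client never produced a signature, so a "Certificate Validation Failure" from the gateway in this pattern is a client-side key-access problem, not a selection or trust-chain problem; check the selected subject and the keychain error before looking at the ASA's trustpoints.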
07-24-2018 05:39 AM
This problem was a direct result of CSCvi49604. Fixed by reverting to hostscan 4.6.00362.