Certificate authentication on High Sierra

ccubeman
Level 1

I'm having a perplexing problem with certificate/AAA authentication on High Sierra.  AnyConnect chooses the correct certificate, but appears to have a problem accessing the private key.  Sometimes.  If I delete the ~/.anyconnect file and force quit AnyConnect, I am able to connect with certificate.  If I then connect to a non-certificate connection, then reconnect to a certificate connection, I get certificate validation failures.

If I debug the connection on the head-end, when the failures occur, I never see the user certificate come into the ASA.  The device certificate is presented as normal.  When it works, I see the user certificate presented to the ASA.  This tells me the AnyConnect/High Sierra combo is not getting past validating the key.

I will note, this is not a certificate selection issue.  I do have <CertificateMatch> configured in the relevant profile.  DART logs show the correct certificate is chosen, then it all goes downhill.

I have a case with TAC, and we'll see how that goes.

Here is the relevant snippet from the DART log showing the failure progression:

2018-07-05 08:43:07.371657-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: nextClientCert File: ../../vpn/Api/ConnectMgr.cpp Line: 6469 Subject Name: CN="xxxx, xxxx", emailAddress=xxxx@xxxx.com, OU=MULTI-ALLOWED Issuer Name : O="xxxxx, Inc.", CN="xxxxx. Standard Private CA - G2" Store : Mac Keychain User  (this is the correct certificate)

2018-07-05 08:43:07.374003-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: enumCertsFromExternalTokens File: ../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300)

2018-07-05 08:43:07.381280-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: GetCertThumbprintFailureResponse File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 1333 Invoked Function: UserAuthenticationTlv::getStatusCode Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE

2018-07-05 08:43:07.381473-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE

2018-07-05 08:43:07.382383-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33Description: The operation couldn’t be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED)

2018-07-05 08:43:07.382387-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/CommonCrypt/Certificates/Certificate.cpp Line: 281 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED

2018-07-05 08:43:07.382390-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/Api/CertObj.cpp Line: 545 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED

2018-07-05 08:43:07.382392-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: handleCertSigningRequest File: ../../vpn/Api/ConnectMgr.cpp Line: 13376 Invoked Function: CertObj::HashAndSignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED

2018-07-05 08:43:07.382564-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: SignDataCB File: ../../vpn/IPsec/EAPMgr.cpp Line: 773 Invoked Function: CCertIKEAdapter::SignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED

2018-07-05 08:43:07.394964-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: processResponseStringFromSG File: ../../vpn/Api/ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth)

2018-07-05 08:43:07.395350-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE

2018-07-05 08:43:07.395356-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getAggAuthCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3837 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE

2018-07-05 08:43:07.404455-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] The following error message was received from the secure gateway: Certificate Validation Failure
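As an added example (not from the post or from Cisco), a small Python triage script that parses the DART line format quoted above and separates the Keychain-level result (errSecAuthFailed on SignHash) from the CERTIFICATE_ERROR_SIGN_FAILED codes that merely propagate it. The sample lines are constructed from the excerpt with the same masking, and the code-to-name mapping uses Apple's public Security framework constants.

```python
import re
from typing import Optional

# Shape of a DART line as quoted in the post: timestamp, thread id, level, activity id,
# pid, ttl, process, library, subsystem, optional Function/File/Line, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+0x[0-9a-f]+\s+(?P<level>\w+)\s+0x0\s+\d+\s+\d+\s+"
    r"(?P<proc>.+?): \([^)]+\) \[[^\]]+\] "
    r"(?:Function: (?P<func>\S+) File: \S+ Line: \d+ )?(?P<msg>.*)$"
)
# Keychain results appear in two shapes here: "(ret = -25300)" and "(OSStatus error -25293 ...)".
OSSTATUS_RE = re.compile(r"(?:ret = |OSStatus error )(-\d+)")
# AnyConnect's own codes end a line as an upper-case token after "Description:".
ACCODE_RE = re.compile(r"Description: ([A-Z][A-Z_]+)\b")
# Public Security.framework result codes seen in this failure chain.
OSSTATUS_NAMES = {-25300: "errSecItemNotFound", -25293: "errSecAuthFailed"}

def parse_dart_line(line: str) -> Optional[dict]:
    """Return the structured fields of one DART line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    st, ac = OSSTATUS_RE.search(m["msg"]), ACCODE_RE.search(m["msg"])
    return {**m.groupdict(),
            "osstatus": int(st.group(1)) if st else None,   # Keychain/CSSM result, if any
            "anyconnect_code": ac.group(1) if ac else None}  # e.g. CERTIFICATE_ERROR_SIGN_FAILED

def triage(lines) -> dict:
    """Separate the Keychain-level cause from the AnyConnect codes that merely propagate it."""
    events = [e for e in map(parse_dart_line, lines) if e]
    # errSecAuthFailed on SignHash is where the private key could not be used; the -25300 from
    # the external-token enumeration only says no matching items were found there.
    root = next((e for e in events if e["osstatus"] == -25293), None)
    return {
        "root_cause": root and f"{root['func']}: errSecAuthFailed ({root['osstatus']})",
        "keychain_results": [(e["func"], OSSTATUS_NAMES.get(e["osstatus"], str(e["osstatus"])))
                             for e in events if e["osstatus"] is not None],
        "propagated_sign_failures": sum(e["anyconnect_code"] == "CERTIFICATE_ERROR_SIGN_FAILED"
                                        for e in events),
        "gateway_message": next((e["msg"].split(": ", 1)[1] for e in events
                                 if "secure gateway" in e["msg"]), None),
    }

# Constructed sample, abridged from the post's DART excerpt (identifiers masked as in the post).
SAMPLE = [
    "2018-07-05 08:43:07.374003-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: enumCertsFromExternalTokens File: ../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300)",
    "2018-07-05 08:43:07.382383-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33 Description: The operation couldn't be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED)",
    "2018-07-05 08:43:07.382387-0400 0x7cbe2    Error       0x0                  77474  14   Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/CommonCrypt/Certificates/Certificate.cpp Line: 281 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED",
    "2018-07-05 08:43:07.382564-0400 0x7c2b8    Error       0x0                  77309  14   vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: SignDataCB File: ../../vpn/IPsec/EAPMgr.cpp Line: 773 Invoked Function: CCertIKEAdapter::SignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED",
    "2018-07-05 08:43:07.404455-0400 0x7cbe2    Default     0x0                  77474  0    Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] The following error message was received from the secure gateway: Certificate Validation Failure",
]
```

Running `triage(SAMPLE)` names SignHash / errSecAuthFailed as the point where the key became unusable, with the two CERTIFICATE_ERROR_SIGN_FAILED lines and the gateway's "Certificate Validation Failure" reported as downstream consequences.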

1 Reply (Accepted Solution)

ccubeman
Level 1

This problem was a direct result of CSCvi49604.  Fixed by reverting to hostscan 4.6.00362.
