cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2722
Views
0
Helpful
3
Replies
jthullen
Beginner

AnyConnect 3.1 and Mac OS 10.8

We are having trouble getting Mac OS10.8 systems to connect via AnyConnect 3.1 clients. We have not tested with anything but the 3.1 client, and when I say trouble I do not mean it cannot connect, it just connects and throws up a cert error in the client. The message states "Security Warning: Untrusted VPN server certificate".. Then it states below that in the warning window the following: "Certificate not identified for this purpose". When we go to the VPN's URL in Safari, there are no cert errors at all, Only when we start the connection with AnyConnect client. We have not yet tested with the Windows version of this AnyConnect client, but we have 1K+ Windows clients running AnyConnect2.5.6005 that connect without issue.   We know the cert is valid so I am asking for help identifying why the AnyConnect 3.1 for Mac is throwing out this security warning for our test users. Any help would be greatly appreciated.                 

3 REPLIES 3
Marcin Latosiewicz
Cisco Employee

Most likely the certificate presented by gateway doesn't have correct KUs.

You will want to read this:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936

HTH,

M.

That is likely our issue. The cert is issued by Thawte, so I will have to research how I get the KU fields corrected.

Hi there

This is most likely due to:

CSCty61472 Bug Details

DOC: Anyconnect supports specific Extended Key Usage attributes in certs

Symptom:
When using certificates with the anyconnect client if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication" then the anyconnect client will reject the ASA's certificate as invalid. Similarly the client's id certificate also needs to be "client-authentication" otherwise the ASA will reject it..

Conditions:
Use an id certificate on the ASA that has an EKU other than "server-authentication".
Use an id certificate on the client that has an EKU other than "client-authentication".

Workaround:
Generate a new ID certificate with the correct Extended Key Usage

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472


CSCua89081 Bug Details

DOC: specific Extended Key Usage rqrd in client certs for some 3.0 vers.

Symptom:
When using certificates with the anyconnect client if the client certificate doesn't have an EKU defined or very specific EKUs then the connection will be rejected.

Conditions:
Use an id certificate on the client that doesn't have an EKU

Workaround:
1. Generate a new ID certificate with the correct Extended Key Usage.
or
2. define an explicit cert matching policy in the client profile.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89081

Please verify your certificate and make sure it has valid EKU (Extended Key usage) and KU (key usage).

HTH.

Portu.

Please rate any helpful posts

      
Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (36%)

Content for Community-Ad