Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3100
Views
0
Helpful
3
Replies

AnyConnect 3.1 and Mac OS 10.8

jthullen
Level 1
Level 1

‎12-03-2012 07:42 AM - edited ‎02-21-2020 06:31 PM

We are having trouble getting Mac OS10.8 systems to connect via AnyConnect 3.1 clients. We have not tested with anything but the 3.1 client, and when I say trouble I do not mean it cannot connect, it just connects and throws up a cert error in the client. The message states "Security Warning: Untrusted VPN server certificate".. Then it states below that in the warning window the following: "Certificate not identified for this purpose". When we go to the VPN's URL in Safari, there are no cert errors at all, Only when we start the connection with AnyConnect client. We have not yet tested with the Windows version of this AnyConnect client, but we have 1K+ Windows clients running AnyConnect2.5.6005 that connect without issue.   We know the cert is valid so I am asking for help identifying why the AnyConnect 3.1 for Mac is throwing out this security warning for our test users. Any help would be greatly appreciated.                 

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎12-04-2012 01:00 AM

Most likely the certificate presented by gateway doesn't have correct KUs.

You will want to read this:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936

HTH,

M.

0 Helpful

jthullen
Level 1
Level 1
In response to Marcin Latosiewicz

‎12-04-2012 05:25 AM

That is likely our issue. The cert is issued by Thawte, so I will have to research how I get the KU fields corrected.

0 Helpful

Javier Portuguez
Level 9
Level 9

‎12-04-2012 06:07 AM

Hi there

This is most likely due to:

CSCty61472 Bug Details

DOC: Anyconnect supports specific Extended Key Usage attributes in certs

Symptom:
When using certificates with the anyconnect client if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication" then the anyconnect client will reject the ASA's certificate as invalid. Similarly the client's id certificate also needs to be "client-authentication" otherwise the ASA will reject it..

Conditions:
Use an id certificate on the ASA that has an EKU other than "server-authentication".
Use an id certificate on the client that has an EKU other than "client-authentication".

Workaround:
Generate a new ID certificate with the correct Extended Key Usage

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472


CSCua89081 Bug Details

DOC: specific Extended Key Usage rqrd in client certs for some 3.0 vers.

Symptom:
When using certificates with the anyconnect client if the client certificate doesn't have an EKU defined or very specific EKUs then the connection will be rejected.

Conditions:
Use an id certificate on the client that doesn't have an EKU

Workaround:
1. Generate a new ID certificate with the correct Extended Key Usage.
or
2. define an explicit cert matching policy in the client profile.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89081

Please verify your certificate and make sure it has valid EKU (Extended Key usage) and KU (key usage).

HTH.

Portu.

Please rate any helpful posts

      
0 Helpful
Customers Also Viewed These Support Documents