01-31-2017 10:38 AM - edited 02-21-2020 09:08 PM
I am using macOS 10.12.3 and Cisco AnyConnect VPN client version 4.3.05017. I recently started getting the following error when attempting to connect to my work VPN server: "no valid certificates available for authentication". My company's issuing CA certificate and my user certificate both look fine in Keychain, but it appears that the Cisco AnyConnect VPN client cannot validate that I have the proper certificates.
What logs on the client side would be of interest to investigate?
How can I validate that the Cisco AnyConnect VPN client can see and use my user certificate for authentication?
Any help would be most appreciated.
Thanks.
01-31-2017 11:04 AM
You should collect the DART bundle from your machine after a failed connection. The DART bundle picks all the relevant system logs from your machine in order to investigate this. The procedure to collect the info is here:
https://supportforums.cisco.com/document/12747756/how-collect-dart-bundle-anyconnect
A few more questions though. Was there a change on the headend after which you are seeing this issue? Are you the only one seeing this issue or are all other users connecting to the same headend?
Also, which keychain has your user certificate - Login or System? System keychain usually prompts for the admin credentials to access the cert.
01-31-2017 11:35 AM
I will grab a DART and look at the logs collected.
There was a change made by the VPN administrators (not my area) for enabling "Always On", I am being told. The VPN admins are telling me that the problem I am seeing is on the client side, not the server gateway side :-). That is why I am looking to gather some logs on the client side to verify where the issue lives, if possible. I am thinking the problem is on the gateway side, but I am blind to any configuration/changes there.
My user certificate is displayed in the System section of the keychain.
01-31-2017 12:14 PM
Did you see this after upgrading to version 4.3.05017? This version came out in December last year so it must not have been long since you have been upgraded. You could check with your VPN administrators to see if the VPN client upgrade corresponds with your failure.
Also, Always On itself should not cause this. But enabling Always On requires a change in the client XML profile. There are sections in the XML profile for client cert matching. If any rules were changed there, it would affect which certificate it looks for during client authentication. Just a thought.
01-31-2017 12:57 PM
I was trying 4.3.05017 as an attempt to fix this issue. I started seeing the issue when I was using 4.3.03086.
Can I delete all the .XML profiles from the client side? Will they get recreated when I start the VPN client and connect to the gateway device?
01-31-2017 01:04 PM
Yes you can as long as there are no pre-connection settings that are critical for connection (cert selection is one of them). The profile should be updated on a successful connection to the gateway. I would recommend just copying the profile off the folder so that you can re-apply it back if it does not work.
02-01-2017 05:15 AM
Is there a procedure for putting the CA and User certs in the ~/.cisco/certificates/ca and ~/.cisco/certificates/client directories?
I was thinking about trying that because it appears that AnyConnect cannot see the certs in the keychain (according to the system.log).
When I run "certtool y" I can see my company CA and my user certs.
02-01-2017 05:28 AM
You can directly copy over the files to the PEM store file locations. All the files should be named as .pem though. Also, do not forget to put the private key for your cert in "~/.cisco/certificates/client/private". If you have your cert in the .p12 format, use openssl (natively installed in macOS) to extract the private key and PEM certificate file. By default AnyConnect looks at all certificate stores unless it is explicitly blocked by your administrator.
02-01-2017 06:49 AM
Okay, here is what I attempted..
I exported my user cert with private key to all.pfx from my Windows 7 machine and copied the file over to Mac.
On Mac:
# openssl pkcs12 -in all.pfx -nocerts -out ~/.cisco/certificates/client/private/private.pem -nodes
# openssl pkcs12 -in all.pfx -nokeys -out ~/.cisco/certificates/client/cert.pem -nodes
I see the following AnyConnect error when I attempt to connect.
Feb 1 09:29:14 Cisco AnyConnect Secure Mobility Client[7389]: Function: enumerateCert File: ../../vpn/CommonCrypt/Certificates/FileCertStore.cpp Line: 193 Invoked Function: _tstat Return Code: 2 (0x00000002) Description: unknown missing private key for client cert file: /Users/archspangler/.cisco/certificates/client/cert.pem
Seems like something simple but I cannot figure it out.
02-01-2017 06:55 AM
Can you open the private key file in a text editor and see if it is in a readable format? The private key might be encrypted. The key should show up like this:
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMSREjcq8SgzJmMcmObnMMHLYOdslNFwJImuMDG+L/ED5qOJ/oah
--
--
-----END RSA PRIVATE KEY-----
You may need to decrypt it using this command:
openssl rsa -in private.pem -out private_dec.pem
02-01-2017 07:15 AM
I see..
Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
friendlyName: le-DefaultUserCertificate-e7e8b26a-1cb6-4a5f-8cc6-ad90ccd42249
Key Attributes
X509v3 Key Usage: 80
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEApHvZ62rqaH2HA9ynZo4gzRHKBRFDsY6OchSuNtvLWQBFmtWC
...
...
-----END RSA PRIVATE KEY-----
Do I need to remove the lines above the ----- BEGIN ?
02-01-2017 07:57 AM
Yes. Just keep the section from Begin to End Private Key (line included).
02-01-2017 07:59 AM
Okay.. I got past that by the following...
~/.cisco/certificates (the issuer cert in subdirectory /ca, the client cert in /client, the private key in /client/private). CA cert and client cert need to have the .pem extension; the private key needs to have the same filename as the client cert but with .key instead of .pem.
Same filename and .key was my issue.
I see in the logs now where AnyConnect finds my user cert and CA, but I am still getting the below error.
Feb 1 10:48:14 Cisco AnyConnect Secure Mobility Client[8789]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 3274 Certificate authentication requested from gateway, no valid certs found in users cert store.
Feb 1 10:48:14 Cisco AnyConnect Secure Mobility Client[8789]: Message type warning sent to the user: No valid certificates available for authentication.
02-01-2017 08:30 AM
What Key usage and Extended Key Usage parameters do you have on the user cert?
Also, can you attach a sanitized client XML profile from your Mac. The location should be the one below:
/opt/cisco/anyconnect/profile
If you have multiple profiles, paste all of them.
02-01-2017 08:49 AM
EKU:
Secure Email (1.3.6.1.5.5.7.3.4)
Client Authentication (1.3.6.1.5.5.7.3.2)
KU:
Digital Signature, Non-Repudiation (c0)
Let me clean up the profiles/*.xml and I will attach them.
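The thread above works out the AnyConnect file certificate store layout by trial and error: client cert as name.pem under ~/.cisco/certificates/client, the key as name.key under client/private with the same basename, the issuer under ca, every file reduced to the bare PEM block with the "Bag Attributes" lines removed, and then a check of the EKU and of the profile's certificate matching rules. The script below is an added example (not code from this thread, from the posters, or from Cisco) that does those steps in one place. It assumes an openssl binary is on the PATH (macOS ships one), that the store lives at ~/.cisco/certificates unless the script's own CISCO_STORE variable (not an AnyConnect setting) overrides it, and that the profile's matching rules sit in a CertificateMatch element, as in the AnyConnect profile schema.

```shell
#!/bin/sh
# Added example, not from this thread or from Cisco: stage a PKCS#12 user
# certificate into the AnyConnect file store layout the thread converged on
# and check the things the thread asked about (key/cert pairing, EKU,
# profile match rules). CISCO_STORE is this script's own override.

STORE="${CISCO_STORE:-$HOME/.cisco/certificates}"

# Keep only the PEM block: openssl pkcs12 prefixes "Bag Attributes" /
# "Key Attributes" lines that the file store did not accept in the thread.
strip_to_pem_block() {
    # $1 = raw openssl output, $2 = destination file
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" > "$2"
}

# Private key path that pairs with a client cert: same basename, .key suffix,
# under the private/ subdirectory.
key_path_for_cert() {
    # $1 = client cert path, e.g. /path/client/cert.pem
    printf '%s/private/%s.key\n' "$(dirname "$1")" "$(basename "$1" .pem)"
}

# True when the certificate carries the Client Authentication EKU
# (1.3.6.1.5.5.7.3.2), which a gateway doing certificate auth expects.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# True when the private key belongs to the certificate (compares the
# public key derived from each side).
key_matches_cert() {
    # $1 = cert path, $2 = key path
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the <CertificateMatch> rules from a client profile XML so they can be
# compared against the KU/EKU actually present on the staged certificate.
profile_cert_match_rules() {
    # $1 = profile XML (normally under /opt/cisco/anyconnect/profile)
    sed -n '/<CertificateMatch>/,/<\/CertificateMatch>/p' "$1"
}

# Unpack a .pfx/.p12 into the store layout above and verify the result.
# $1 = p12 file, $2 = basename for the staged files, $3 = p12 password.
stage_p12() {
    p12="$1"; name="$2"; pass="${3:-}"
    mkdir -p "$STORE/client/private" "$STORE/ca"
    chmod 700 "$STORE/client/private"
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" -out "$tmp/cert.raw"
    # -nodes writes the key unencrypted, so no separate "openssl rsa" step is needed
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" -out "$tmp/key.raw"
    openssl pkcs12 -in "$p12" -cacerts -nokeys -passin "pass:$pass" -out "$tmp/ca.raw"
    strip_to_pem_block "$tmp/cert.raw" "$STORE/client/$name.pem"
    strip_to_pem_block "$tmp/key.raw" "$(key_path_for_cert "$STORE/client/$name.pem")"
    chmod 600 "$STORE/client/private/$name.key"
    # Keep an issuer file only when the bundle actually carried CA certs.
    strip_to_pem_block "$tmp/ca.raw" "$STORE/ca/$name-issuer.pem"
    [ -s "$STORE/ca/$name-issuer.pem" ] || rm -f "$STORE/ca/$name-issuer.pem"
    rm -rf "$tmp"
    key_matches_cert "$STORE/client/$name.pem" "$STORE/client/private/$name.key" \
        || { echo "key does not match certificate" >&2; return 1; }
    has_client_auth_eku "$STORE/client/$name.pem" \
        || echo "warning: no Client Authentication EKU on $name.pem" >&2
}
```

Usage is `stage_p12 all.pfx cert 'p12 password'` followed by `profile_cert_match_rules /opt/cisco/anyconnect/profile/yourprofile.xml`; the stage step fails loudly if the key does not pair with the cert, which is the kind of silent mismatch that produced the "missing private key" log line earlier in the thread.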