Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
40483
Views
0
Helpful
29
Replies

Anyconnect 4.3.05017 "no valid certificates available for authentication" Mac OS 10.12.3

archspangler
Level 1
Level 1

‎01-31-2017 10:38 AM - edited ‎02-21-2020 09:08 PM

I am using macOS 10.12.3 and Cisco Anyconnect VPN client version 4.3.05017.   I recently started getting the following error when attempting to connect to my work VPN server  "no valid certificates available for authentication".   My company issuing CA certificate and my User certificate both look fine in Keychain but it appears that the Cisco Anyconnect VPN client validate that I have the proper certificates.  

What logs on the client side would be of interest to investigate?

How can I validate that the Cisco Anyconnet VPN can see and use my user certificate for authentication?

Any help would be most appreciated.

Thanks.

3 people had this problem
Labels:
0 Helpful
29 Replies 29

archspangler
Level 1
Level 1
In response to Rahul Govindan

‎02-01-2017 09:04 AM

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>true</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
<AuthenticationTimeout>20</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="false">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="false">false</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="false">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="true">true
<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>true
<UserEnforcement>SameUserOnly</UserEnforcement>
</RetainVpnOnLogoff>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>

removed all ServerList stanzas

</AnyConnectProfile>

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to archspangler

‎02-01-2017 10:09 AM

Your KU and EKU fields look correct. Your profile does not seen to have any custom certificate matching fields.

Few more things:

1) Check /Users/<username>/.anyconnect file. If there is a section for <ClientCertificateThumbprint> filled with a Thumbprint value, try removing this line from that file and testing. (Copy the original just in case).

2) Is your certificate have a SHA2 hash? Also, do you know what version your ASA headend is using?

I am surprised that only you are seeing this issue in your organization. Does everyone else (Windows) have the same Anyconnect version as you?

0 Helpful

archspangler
Level 1
Level 1
In response to Rahul Govindan

‎02-01-2017 11:13 AM

1. ClientCertificateThumbprint stanza is there but empty.

2. Signature Algorthim is sha512RSA.  Not sure of the version

3. Most are windows users, not Mac.

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to archspangler

‎02-01-2017 11:29 AM

Thanks for that info. I check the release notes and I believe you are hitting the following bug with the ASA:

ASA 9.5.2 does not send CERT_REQ for 512-bit certificate

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy30069

I believe the ASA sends a CERT_REQ to client to pick up a certificate certificate, but it does not have the right info to pick up a sha512 certificate. That's why the Anyconnect client does not detect it as a valid certificate as your certs are with SHA512 hash. I believe this should be fixed after an upgrade of the ASA version to a fixed release.

Hope this helps.

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to Rahul Govindan

‎02-03-2017 05:46 AM

Another option I was thinking about to validate if this is the bug is to have a cert issued with a Sha256 hash. This way you would be able to determine if the bug CSCuy30069 is a valid match or not.

0 Helpful

archspangler
Level 1
Level 1
In response to archspangler

‎01-31-2017 12:42 PM

One thing I find interesting from the logs is: 

Cisco AnyConnect Secure Mobility Client[27750]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 4

Only 4 found?  Went I look in keychain for login types I see a lot more..  

It's almost like the Cisco Anyconnect VPN is looking at only the Apple Login Certificates signed be the Apple CA.  It's doesn't appear to be looking at my Company CA and Company User Certificates.

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to archspangler

‎01-31-2017 12:50 PM

For client cert authentication, the OS is going to look for certs that have the EKU field set to Client authentication (or no EKU field which means all usages). so even though you have many certs, not all of them are used for purposes of client cert authentication. If you have a client certificate matching criterion in your client side xml profile, it bypasses this requirement and looks for certs based on that criterion.

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-31-2017 11:08 AM

Are you sure one of the certificates has not simply expired?

Has your machine definitely got the correct date and time on it?

0 Helpful

archspangler
Level 1
Level 1
In response to Philip D'Ath

‎01-31-2017 11:27 AM

I can see in my Keychain that both certificates are not expired.

I verified the time on my Mac is accurate as well.

0 Helpful

Farhan Mohamed
Cisco Employee
Cisco Employee

‎02-01-2017 12:15 PM

Please see the below discussion if it helps:-

https://supportforums.cisco.com/discussion/13215426/certificate-enrollment-failed#comments

0 Helpful

archspangler
Level 1
Level 1
In response to Farhan Mohamed

‎02-02-2017 12:52 PM

Not really any help.

0 Helpful

Farhan Mohamed
Cisco Employee
Cisco Employee
In response to archspangler

‎02-02-2017 01:12 PM

There are some issue with the current VPN incompatibility with the MAC OSX 10.1 and above. Keep waiting for the latest release. I will keep you posted. That should solve the problem!

(Do rate if useful)

0 Helpful

adamvanto
Level 1
Level 1

‎02-23-2018 08:03 AM

Any updates on this issue?  do Anyconnect able to finally read the certificate in the keychain yet?

0 Helpful

jessesanford
Level 1
Level 1

‎04-09-2018 08:05 AM

Anyone have any info on this? This seems to be exactly the problem I am having as well.

0 Helpful

Ryan Cresswell
Level 1
Level 1
In response to jessesanford

‎10-08-2018 09:58 AM

Having the same issue. When I try to connect it doesn't even attempt to make a connection. does a dns lookup and not even a syn packet to the asa. So it definitely a local issue.  I do get this msg in the event log.

 

 

Function: COpenSSLCertificate::VerifyKeyUsage
File: .\Certificates\OpenSSLCertificate.cpp
Line: 2137
Invoked Function: COpenSSLCertUtils::VerifyKeyUsage
Return Code: -31391723 (0xFE210015)
Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate

0 Helpful
Customers Also Viewed These Support Documents