AnyConnect Mac OS X client certificate authentication

Shaun Michelson
Level 1

Hey guys, I'm trying to configure AnyConnect client on my Mac OS X (version 10.6.4). I'm using certificates (issued by my Enterprise Root CA running AD Certificate Services) to authenticate my clients. However, when I try to connect to the VPN, I get "Certificate Validation Failure".

What I've done is exported my root certificate and user certificate from my Windows machine (which is able to authenticate successfully) and imported those certificates onto my Mac. The root certificate shows up as "Trusted" and the user certificate status reads "This certificate is valid". Both are being stored in my "login" keychain.

That's about it. Everything looks to be in order, so not sure what the problem is. I tried installing the certificates in the "System" keychain, but that fails (either nothing will happen, or I'll get an error message about insufficient access). This happens even after "unlocking" the System keychain.

Any thoughts?


Yudong Wu
Level 7

1. Could you try to generate a CSR on Mac client and then use it to get a valid certificate from your CA server?

2. If you are using Safari, you might check the following link. You can capture the packet on Mac client to see if it sends the cert to ASA or not.

http://support.apple.com/kb/HT1679

Thanks, I'm pretty sure the certificate is valid (The message in Keychain is "This certificate is valid"). I'm not using a web browser, I'm using the AnyConnect client - that's where I get my "Certificate Validation Error" message. I've attached some screenshots.

I did not export/import a cert from a Windows PC to a Mac and am not sure if it could work.

So, first, I would like to suggest that you generate a CSR on the Mac and then use it to get a cert for the Mac.

If you still get the same issue, it could be an AnyConnect issue.

You can check the log at "/var/log/system.log" to see if you could find anything.

The issue might be caused by AnyConnect not being able to access the cert store.

Herbert Baerten
Cisco Employee

Hi Shaun,

As my colleague indicated, /var/log/system.log should hopefully give some indication as to what's wrong.

Now just to be sure: you did import the private key as well, right? I see a private key present in the screenshot, just want to make sure it is one that you imported along with the cert, not a key that just happens to have the same name but is a leftover from another test.

In other words, if you click Certificates in the Category pane in Keychain Access, and then click the cert, does it show the private key as linked to this cert?

As a possible workaround: if you have Firefox installed then import the cert in FF (Preferences -> Advanced -> Encryption -> View certificates -> Import). You may have to remove the cert from the keychain to make this work.

A third option is to put the certificates and key in ~/.cisco/certificates (the issuer cert in subdirectory /ca, the client cert in /client, the private key in /client/private). CA cert and client cert need to have the .pem extension; the private key needs to have the same filename as the client cert but with .key instead of .pem. All 3 need to be in PEM format.

Definitely don't use the system keychain; AnyConnect only looks in the login keychain (and the FF store, and the PEM file store).

hth

Herbert
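The PEM file store layout Herbert describes is easy to get subtly wrong (key saved with a .pem extension, key name not matching the client cert). The following added example, not from the thread or from Cisco, checks a directory against those rules; the directory names, the PEM header markers and the constructed placeholder files are assumptions for the demo.

```python
# Checks a ~/.cisco/certificates PEM store against the layout rules in the post
# above: ca/*.pem, client/*.pem, client/private/<same name>.key, all PEM-encoded.
import os
import tempfile

CERT_BEGIN = ("-----BEGIN CERTIFICATE-----",)
KEY_BEGIN = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
             "-----BEGIN EC PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----")

def _first_line(path):
    with open(path, "r", errors="replace") as fh:
        return fh.readline().strip()

def check_pem_store(root):
    """Return a list of problems; an empty list means the layout is usable."""
    ca_dir, client_dir = os.path.join(root, "ca"), os.path.join(root, "client")
    key_dir = os.path.join(client_dir, "private")
    missing = [d for d in (ca_dir, client_dir, key_dir) if not os.path.isdir(d)]
    if missing:
        return ["missing directory: %s" % d for d in missing]
    problems = []
    for label, d in (("issuer", ca_dir), ("client", client_dir)):
        pems = sorted(f for f in os.listdir(d) if f.endswith(".pem"))
        if not pems:
            problems.append("no .pem %s certificate in %s" % (label, d))
        for f in pems:
            if _first_line(os.path.join(d, f)) not in CERT_BEGIN:
                problems.append("%s/%s is not a PEM certificate" % (label, f))
            if label != "client":
                continue
            key = os.path.join(key_dir, f[:-4] + ".key")  # same name, .key extension
            if not os.path.isfile(key):
                problems.append("no private key %s for %s" % (key, f))
            elif _first_line(key) not in KEY_BEGIN:
                problems.append("%s is not a PEM private key" % key)
    return problems

def build_constructed_store(key_name="client1.key"):
    root = tempfile.mkdtemp()  # constructed sample; placeholder PEM bodies, not real material
    for sub in (("ca",), ("client", "private")):
        os.makedirs(os.path.join(root, *sub))
    body = "PLACEHOLDER-NOT-A-REAL-CERT-OR-KEY\n"
    cert = "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
    key = "-----BEGIN RSA PRIVATE KEY-----\n" + body + "-----END RSA PRIVATE KEY-----\n"
    for rel, text in (("ca/rootca.pem", cert), ("client/client1.pem", cert),
                      ("client/private/" + key_name, key)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root
```

Passing `key_name="client1.pem"` to `build_constructed_store` reproduces the misnamed-key mistake, and `check_pem_store` then reports the missing `client1.key`.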

Jesse Bertoli
Level 1

I am seeing the same issue; if you edit the .anyconnect file and delete the line containing the client certificate it will then work. I have had an open case for a few months now that has not been resolved. The above workaround will at least allow you to connect.

I have exactly the same issue. Can you tell us the bug ID that relates to your case?

CSCts80367    AnyConnect 3.0 for Mac gets "Certificate Validation Failure" w/ ASA 8.4

resolved in 8.4(3)

hth

Herbert

Thanks a lot Herbert,

It seems that there is still an issue with Linux machines; the 120 sec window doesn't help. The only way to connect again is to delete the ~/.anyconnect file or at least remove the line containing the client certificate from it. Any idea?

It is working for me on 8.4(3).


If you are getting a certificate error, navigate to /opt/cisco/anyconnect and change the value for ExcludeMacNativeCertStore to true. You will be prompted with an untrusted certificate warning but will be allowed to continue and, if you want, install the certificate.

T840834-MAC:anyconnect mgunnerud$ sudo nano AnyConnectLocalPolicy.xml

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="4.6.02074">
  <BypassDownloader>false</BypassDownloader>
  <ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
  <ExcludeMacNativeCertStore>true</ExcludeMacNativeCertStore>
  <ExcludePemFileCertStore>false</ExcludePemFileCertStore>
  <ExcludeWinNativeCertStore>false</ExcludeWinNativeCertStore>
  <FipsMode>false</FipsMode>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
  <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
  <RestrictWebLaunch>false</RestrictWebLaunch>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <UpdatePolicy>
    <AllowComplianceModuleUpdatesFromAnyServer>true</AllowComplianceModuleUpdatesFromAnyServer>
    <AllowISEProfileUpdatesFromAnyServer>true</AllowISEProfileUpdatesFromAnyServer>
    <AllowServiceProfileUpdatesFromAnyServer>true</AllowServiceProfileUpdatesFromAnyServer>
    <AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
    <AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>
  </UpdatePolicy>
</AnyConnectLocalPolicy>

--
Please remember to select a correct answer and rate helpful posts
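Before flipping ExcludeMacNativeCertStore as in the post above, it helps to see which certificate stores a local policy actually leaves enabled and which settings in the same file weaken server-certificate checking. This added example (not from the thread or from Cisco) parses an AnyConnectLocalPolicy.xml with the default namespace handled; the sample policy is a trimmed copy of the one posted above, and the store descriptions are assumptions.

```python
# Reads an AnyConnectLocalPolicy.xml and reports enabled cert stores plus
# settings a reviewer would flag. Sample trimmed from the policy posted above.
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/"
 acversion="4.6.02074">
<BypassDownloader>false</BypassDownloader>
<ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
<ExcludeMacNativeCertStore>true</ExcludeMacNativeCertStore>
<ExcludePemFileCertStore>false</ExcludePemFileCertStore>
<ExcludeWinNativeCertStore>false</ExcludeWinNativeCertStore>
<StrictCertificateTrust>false</StrictCertificateTrust>
<UpdatePolicy>
<AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
<AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>
</UpdatePolicy>
</AnyConnectLocalPolicy>"""

# Exclude* element -> store it disables (descriptions are assumptions for this demo).
STORE_TAGS = {"ExcludeMacNativeCertStore": "macOS keychain",
              "ExcludeFirefoxNSSCertStore": "Firefox NSS store",
              "ExcludePemFileCertStore": "PEM file store (~/.cisco/certificates)",
              "ExcludeWinNativeCertStore": "Windows native store"}

def _flags(root):
    """Map local element name -> bool for every true/false element; the default
    namespace makes ET tags look like {uri}Name, so strip up to the closing brace."""
    out = {}
    for el in root.iter():
        text = (el.text or "").strip().lower()
        if text in ("true", "false"):
            out[el.tag.rsplit("}", 1)[-1]] = text == "true"
    return out

def enabled_cert_stores(policy_xml):
    """Stores the client will still search (an Exclude* flag that is absent counts as false)."""
    flags = _flags(ET.fromstring(policy_xml))
    return sorted(name for tag, name in STORE_TAGS.items() if not flags.get(tag, False))

def review_findings(policy_xml):
    """Settings worth raising; an empty list means nothing to flag."""
    flags = _flags(ET.fromstring(policy_xml))
    findings = []
    if not flags.get("StrictCertificateTrust", False):
        findings.append("StrictCertificateTrust=false: an untrusted ASA certificate "
                        "only triggers a prompt instead of a hard failure")
    for tag, val in sorted(flags.items()):
        if tag.startswith("Allow") and tag.endswith("FromAnyServer") and val:
            findings.append("%s=true" % tag)
    return findings
```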