07-06-2016 05:17 AM - edited 02-21-2020 08:53 PM
Hi all,
I have got a test ASA set up to authenticate AnyConnect on iOS devices using certificates (the objective is to have an on-demand setup with zero user intervention).
While it works perfectly when the client is a Windows computer running AnyConnect, it doesn't when connecting from the latest AnyConnect version for iOS.
Here is the error message I'm getting :
"This connection requires a client certificate, but no matching certificate is configured. Please modify the connection, choose a valid certificate and try again".
This is weird because the same certificate was used for both the test from iOS and the test from Windows.
I do have the following options in the certificate:
- Key usage: Digital Signature and Key Encipherment
- Extended key usage: Client Authentication
ASA version: 9.4.2.11
iOS: 9.3.2
AnyConnect for iOS: 4.0.05038
For adding the client certificate to iOS I have just emailed it to myself and installed the cert (pfx extension), which contains both the public and private keys.
Any idea?
EDIT : Problem solved, see below
07-07-2016 02:34 AM
Hi Pete,
FYI, I was able to fix the issue after turning on crypto debugs on the ASA.
Here is what put me on the right track:
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CERT_VERIFY Reason: bad rsa signature
which took me to bug CSCut03981.
Everything is working fine after using the workaround shown in https://supportforums.cisco.com/discussion/12886496/anyconnect-certificate-validation-failure
Thanks again for your help.
07-06-2016 07:31 AM
I've just tried from an Android device and got the same error message.
07-06-2016 09:22 AM
Please do the same from Android as well.
07-06-2016 09:21 AM
Please turn on debug logs and send us a diagnostic report to ac-mobile-feedback@cisco.com with this description. The DART needs to be sent immediately after this error message so that the logs don't wrap.
07-06-2016 09:42 AM
DART on iOS? Does it exist?
The problem is with mobile devices; it works fine on Windows!
07-06-2016 10:25 AM
We received your DART bundle from iOS, please send us the same from Android since the iOS logs were not very helpful to troubleshoot. We may need the head-end logs with some certificate debugging enabled for this one as well.
07-06-2016 10:26 AM
Also, can you please send us a screenshot of the cert details? (From Windows is fine.) Curious to see the KU/EKU as you mentioned, the hashing algorithm, the key size, etc.
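The fields asked for above (KU, EKU, signature hash, RSA key size) can be pulled straight out of the .pfx with openssl instead of a screenshot. The script below is an added example, not something posted in this thread or shipped by Cisco; it builds a constructed, throwaway self-signed identity (CN "anyconnect-test-user", password "test123", assumed values) so it runs offline, then dumps those fields and fails if the certificate lacks the digitalSignature KU bit or the clientAuth EKU that TLS client authentication needs. Requires OpenSSL 1.1.1 or newer for -addext.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): inspect a client-auth PKCS#12 with openssl.
set -eu

# Build a constructed throwaway PFX in $1 with the given EKU (default clientAuth),
# mirroring the KU the poster described: Digital Signature + Key Encipherment.
make_test_pfx() {
  local dir="$1" eku="${2:-clientAuth}"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=anyconnect-test-user" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=$eku" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$dir/user.pfx" -passout pass:test123
  printf '%s\n' "$dir/user.pfx"
}

# Print the end-entity certificate inside a PFX in openssl's text form.
# $1 = path to .pfx, $2 = import password
pfx_cert_text() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text
}

# Show signature algorithm, key size, KU and EKU, then return 0 only if the
# cert carries KU digitalSignature and EKU clientAuth (what a TLS client-auth
# handshake, and therefore AnyConnect certificate auth, relies on).
check_client_cert() {
  local text
  text="$(pfx_cert_text "$1" "$2")"
  printf '%s\n' "$text" | grep -E 'Signature Algorithm|Public-Key:' | sort -u
  printf '%s\n' "$text" | grep -A1 -E 'X509v3 (Extended )?Key Usage' | grep -v '^--' || true
  printf '%s\n' "$text" | grep -q 'Digital Signature' \
    || { echo "FAIL: key usage lacks digitalSignature" >&2; return 1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: extended key usage lacks clientAuth" >&2; return 1; }
  echo "OK: usable for TLS client authentication"
}

# Usage against a real file: check_client_cert /path/to/user.pfx 'import-password'
```

Run `check_client_cert` against the PFX you actually pushed to the device; if it passes and the ASA still logs a bad signature in SSL3_GET_CERT_VERIFY, the certificate contents are not the problem and the handshake itself (as in the bug above) is where to look.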
07-06-2016 09:48 AM
I could not find DART for iOS; as far as I know it exists only on Windows.
I have sent the AnyConnect for iOS debug log to ac-mobile-feedback@cisco.com. Could you confirm you got the debug logs?