01-28-2011 06:15 PM - edited 02-21-2020 05:07 PM
Hi,
Running AnyConnect (latest version) on Apple iOS devices, mainly iPod Touch, running iOS 4.2.1.
Connecting to an ASA 5510 running 8.3(1).
Have issued a certificate to the ASA and iPod Touch from our Windows 2008 R2 CA.
When setting an AnyConnect connection (on the iPod) to use certificates, the following error is shown:
The connection requires a client certificate but no matching certificates is configured.
Please modify this connection, choose a valid certificate and try again.
Has anyone else seen or have resolved this issue?
Thanks
01-31-2011 08:51 PM
Hello Shaun,
I faced the same issue and I was missing the certificate on the iPhone/iTouch. Please install the cert on the iPhone/iTouch and configure the AnyConnect client to use certs. Below is the link to configure
--
Gino.
-- Please rate the solutions.
01-31-2011 08:57 PM
Hi Gino,
I do have a certificate on the iPod Touch---AnyConnect does see the certificate and it is selected.
I followed the guide found from this site:
http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx
However, I still receive the following error:
The connection requires a client certificate but no matching certificates is configured.
Please modify this connection, choose a valid certificate and try again.
Thanks.
01-31-2011 09:54 PM
Hey Shaun,
1. I see that you are using an IPSec certificate template, while you should be using a SSL certificate template.
2. I still am sceptical if you actually installed the certs. Did you import the certificates into the device through the iPhone configuration utility > credentials in connection profiles?
3. Is your requirement "using certificates for authentication" or "using client side cert authentication, in addition to server authentication"?
--
Gino
02-01-2011 07:02 AM
Hi Gino,
Let's resolve some of your "skepticism" regarding this "discussion topic".
I mentioned I followed the guide from here:
http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx
Which, not sure if you had a chance to look at it, but does instruct to use the iPhone config utility to request a cert using SCEP. Which I have done, on the device (the iPod Touch).
Our CA shows the certificate being requested and issued for the device, the same for our ASA.
And on the ASA I've told it to use "Configuring Certificate-only Authentication" on our AnyConnect Profile. As found in the following guide here:
I connect fine to the ASA using another authentication method (from another AnyConnect Profile and from the iPod Touch), for example AAA.
However, once I tell the end device (the iPod Touch) to use certificates, as outlined in the following guide:
I receive the following error:
The connection requires a client certificate but no matching certificates is configured.
Please modify this connection, choose a valid certificate and try again.
You mentioned receiving this error, was it the exact same error?
Regards.
07-06-2016 06:32 AM
I have this problem too, see https://supportforums.cisco.com/discussion/13067141/anyconnect-ios-authenticating-asa-certificate#comment-11472186
02-14-2011 12:20 PM
Hi Gino,
I've switched to using the ASA as a local CA to test things out and to move a little forward with this project.
To answer your questions:
1. I see that you are using an IPSec certificate template, while you should be using a SSL certificate template.
I don't see the SSL Certificate Template under Win 2008, but I do see a "Workstation Authentication", would this work?
2. I still am sceptical if you actually installed the certs. Did you import the certificates into the device through the iPhone configuration utility > credentials in connection profiles?
Yeah, I used the iPhone Config utility.
3. Is your requirement "using certificates for authentication" or "using client side cert authentication, in addition to server authentication"?
Not sure what the "best practice" would be, any guides or docs on this?
Thanks.
02-15-2011 12:29 PM
Got it figured out ... I had the certs messed up .. once I removed all certs and rebuilt everything. Working like a charm.
I placed a Web server cert on the ASA and used a Client cert on the Apple device. Works perfectly now.
Thanks.
05-06-2011 12:50 PM
Hi Shaun, I have a client with a similar issue. Which certificates did you remove? The ones installed on the ASA, or the ones you created on the CA and the ones installed on the ASA?
My customer can connect without certificates, but as soon as we try using certs he receives errors and never connects. He has a cert installed on the iPhone and those certs are installed on the ASA.
Is that the right thing?
05-26-2011 11:13 AM
Hey,
On my issues I just had the certs being issued from the Win CA incorrect, I had to issue the "Web Server" cert to the ASA, then a "Client" cert to the Apple iOS device. Once I had that all "right" .. everything worked like a charm.
Each time you change the cert being issued from NDES, I changed the registry to match (I just made copies of the Cert profiles instead of touching the original) then deployed each out.
Let me know if this helps.
(Sorry about the "huge" delayed response, been swamped.)
-Shaun
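As an added illustration, not part of any post in this thread: the fix above came down to which CA template each certificate was issued from (a "Web Server" certificate on the ASA, a "Client" certificate on the iOS device). Assuming the difference shows up in the Extended Key Usage (EKU) extension, as it does for the stock Windows CA templates, this stdlib-only Python sketch reads the EKU OIDs out of a DER-encoded certificate. The role names, helper names and sample bytes are constructed for the example.

```python
EKU_EXT = bytes.fromhex("551d25")  # OID 2.5.29.37, extendedKeyUsage
# Assumed per-role requirement (role names are made up for this example).
REQUIRED = {"asa": "1.3.6.1.5.5.7.3.1",      # serverAuth
            "device": "1.3.6.1.5.5.7.3.2"}   # clientAuth

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(b):
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def find_eku(der):
    """Return the list of EKU OIDs, or None if no EKU extension exists."""
    for tag, val in children(der):
        if tag == 0x30:                    # SEQUENCE: maybe an Extension
            kids = list(children(val))
            if kids and kids[0] == (0x06, EKU_EXT):
                _, seq, _ = read_tlv(kids[-1][1], 0)   # inside extnValue
                return [decode_oid(v) for _, v in children(seq)]
        if tag & 0x20:                     # constructed: descend
            found = find_eku(val)
            if found is not None:
                return found
    return None

def fits_role(der, role):
    # Strict on purpose: a certificate with no EKU extension is rejected.
    ekus = find_eku(der)
    return ekus is not None and REQUIRED[role] in ekus

def constructed_extensions(eku_oid_hex):
    # Constructed sample: only the [3] extensions block of a certificate,
    # holding one EKU extension with a single 8-byte purpose OID.
    return bytes.fromhex("a317 3015 3013 0603551d25 040c 300a 0608" + eku_oid_hex)
```

For a real certificate, pass `ssl.PEM_cert_to_DER_cert(pem_text)` to `find_eku`; an IPsec-template certificate typically lists `1.3.6.1.5.5.8.2.2` (IKE intermediate) instead of either purpose above.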