cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21961
Views
0
Helpful
9
Replies
Highlighted
Enthusiast

AnyConnect using Certificate Authentication on Apple iOS devices with Windows 2008 R2 CA

Hi,

Running AnyConnect(latest version) on Apple iOS devices, mainly iPod Touch, running iOS 4.2.1.

Connecting to an ASA 5510 running 8.3(1).

Have issued a certificate to the ASA and iPod Touch from our Windows 2008 R2 CA.

When setting an AnyConnect connection(on the iPod) to use Certificates, the following error is shown:

The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again.

Has anyone else seen or have resolved this issue?

Thanks

9 REPLIES 9
Highlighted
Beginner

Hello Shaun,

I faced the same issue and i was missing the certificate on the iPhone/iTouch. Please install the cert on the iPhone/iTouch and configure the anyconnect client to use certs. Below is the link to configure

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/ios4.2-user/guide/iphone-ugac-ios4.2.html#wp113765

--

Gino.

-- Please rate the solutions.

Highlighted

Hi Gino,

I do have a certificate on the iPod Touch---AnyConnect does see the certificate and it is selected.

I followed the guide found from this site:

http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

However, I still receive the following error:

The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again.

Thanks.

Highlighted

Hey Shaun,

1. I see that you are using an IPSec certificate template, while you should be using a SSL certificate template.

2. I still am sceptical if you actually installed the certs. Did u import the certificates into the device through the iPhone configuration utility > credentials in connection profiles ?

3. Is your requirement, "using certificates for authentication" or "using client side cert authentication, in addition to server authentication" ?

--

Gino

Highlighted

Hi Gino,

Lets resolve some of your "skepticism" regarding this "discussion topic". 

I mentioned I followed the guide from here:

http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

Which, not sure if you had a chance to look at it, but does instruct to use the iPhone config utility to request a cert using SCEP. Which I have done, on the device(the iPod Touch). 

Our CA shows the certificate being requested and issued for the device, the same for our ASA.

And on the ASA I've told it to use "Configuring Certificate-only Authentication" on our AnyConnect Profile. As found in the following guide here:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin6.html#wp1010958

I connect fine to the ASA using another authentication method(from another AnyConnect Profile and from the iPod Touch), for example AAA.

However once I tell the end device(the iPod Touch) to use certificates, as outlined in the following guide:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/iphone-user/guide/iphone-anyconnect-ug-24.html#wp49157

I receive the following error:

The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again.

You mentioned receiving this error, was it the exact same error?

Regards.

Highlighted

I have this problem too, see https://supportforums.cisco.com/discussion/13067141/anyconnect-ios-authenticating-asa-certificate#comment-11472186

Highlighted

Hi Gino,

I've switched to using the ASA as a local CA to test thing out and to move a little forward with this project.

To answer your questions:

1. I see that you are using an IPSec certificate template, while you should be using a SSL certificate template.

I don't see the SSL Certificate Template under Win 2008, but I do see a "Workstation Authentication", would this work?

2. I still am sceptical if you actually installed the certs. Did u import the certificates into the device through the iPhone configuration utility > credentials in connection profiles ?

Yeah, I used the iPhone Configu utilty.

3. Is your requirement, "using certificates for authentication" or "using client side cert authentication, in addition to server authentication" ?

Not sure what the "best practice" would be, any guides or docs on this?

Thanks.

Highlighted
Enthusiast

Got it figured out ... I had the certs messed up .. once I removed all certs and rebuilt everything. Working like a charm.

I placed a Web server cert on the ASA and used a Client cert on the Apple device. Works perfectly now.

Thanks.

Highlighted

Hi Shaun, I have a client with a similar issue. Which certificates you removed? The ones installed on the ASA or the ones you created on the CA and the ones installed on the ASA?

My customer can connect without certificates but as soon as we try using certs he received errors and never connects. He has a cert installed on the iphone and those certs are installed on the ASA.

Is that the right thing?

Highlighted

Hey,

On my issues I just had the certs being issued from the Win CA incorrect, I had to issue the "Web Server" cert to the ASA, then a "Client" cert to the Apple iOS device.  Once I had that all "right" .. everything worked like a charm. 

Each time you change the cert being issued from NDES, I changed the registry to match(I just made copies of the Cert profiles instead of touching the original)  then deploye each out.

Let me know if this helps.

(Sorry about the "huge" delayed repsonse, been swamped. )

-Shaun

Content for Community-Ad