
AnyConnect using Certificate Authentication on Apple iOS devices with Windows 2008 R2 CA

Shaun Bender
Level 4

Hi,

Running AnyConnect (latest version) on Apple iOS devices, mainly iPod Touch, running iOS 4.2.1.

Connecting to an ASA 5510 running 8.3(1).

Have issued a certificate to the ASA and iPod Touch from our Windows 2008 R2 CA.

When setting an AnyConnect connection (on the iPod) to use Certificates, the following error is shown:

The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again.

Has anyone else seen or resolved this issue?

Thanks

9 Replies

lginod
Level 1

Hello Shaun,

I faced the same issue and I was missing the certificate on the iPhone/iTouch. Please install the cert on the iPhone/iTouch and configure the AnyConnect client to use certs. Below is the link to configure:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/ios4.2-user/guide/iphone-ugac-ios4.2.html#wp113765

--

Gino.

-- Please rate the solutions.

Hi Gino,

I do have a certificate on the iPod Touch---AnyConnect does see the certificate and it is selected.

I followed the guide found from this site:

http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

However, I still receive the following error:

The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again.

Thanks.

Hey Shaun,

1. I see that you are using an IPSec certificate template, while you should be using a SSL certificate template.

2. I still am sceptical if you actually installed the certs. Did you import the certificates into the device through the iPhone configuration utility > credentials in connection profiles?

3. Is your requirement, "using certificates for authentication" or "using client side cert authentication, in addition to server authentication"?

--

Gino

Hi Gino,

Let's resolve some of your "skepticism" regarding this "discussion topic".

I mentioned I followed the guide from here:

http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

Which, not sure if you had a chance to look at it, but does instruct to use the iPhone config utility to request a cert using SCEP. Which I have done, on the device (the iPod Touch).

Our CA shows the certificate being requested and issued for the device, the same for our ASA.

And on the ASA I've told it to use "Configuring Certificate-only Authentication" on our AnyConnect Profile. As found in the following guide here:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin6.html#wp1010958

I connect fine to the ASA using another authentication method (from another AnyConnect Profile and from the iPod Touch), for example AAA.

However once I tell the end device (the iPod Touch) to use certificates, as outlined in the following guide:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/iphone-user/guide/iphone-anyconnect-ug-24.html#wp49157

I receive the following error:

The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again.

You mentioned receiving this error, was it the exact same error?

Regards.

I have this problem too, see https://supportforums.cisco.com/discussion/13067141/anyconnect-ios-authenticating-asa-certificate#comment-11472186

Hi Gino,

I've switched to using the ASA as a local CA to test things out and to move a little forward with this project.

To answer your questions:

1. I see that you are using an IPSec certificate template, while you should be using a SSL certificate template.

I don't see the SSL Certificate Template under Win 2008, but I do see a "Workstation Authentication", would this work?

2. I still am sceptical if you actually installed the certs. Did you import the certificates into the device through the iPhone configuration utility > credentials in connection profiles?

Yeah, I used the iPhone Configuration Utility.

3. Is your requirement, "using certificates for authentication" or "using client side cert authentication, in addition to server authentication"?

Not sure what the "best practice" would be, any guides or docs on this?

Thanks.

Shaun Bender
Level 4

Got it figured out ... I had the certs messed up .. once I removed all certs and rebuilt everything. Working like a charm.

I placed a Web server cert on the ASA and used a Client cert on the Apple device. Works perfectly now.

Thanks.

Hi Shaun, I have a client with a similar issue. Which certificates did you remove? The ones installed on the ASA or the ones you created on the CA and the ones installed on the ASA?

My customer can connect without certificates but as soon as we try using certs he receives errors and never connects. He has a cert installed on the iPhone and those certs are installed on the ASA.

Is that the right thing?

Hey,

On my issues I just had the certs being issued from the Win CA incorrect, I had to issue the "Web Server" cert to the ASA, then a "Client" cert to the Apple iOS device. Once I had that all "right" .. everything worked like a charm.

Each time you change the cert being issued from NDES, I changed the registry to match (I just made copies of the Cert profiles instead of touching the original) then deployed each out.

Let me know if this helps.

(Sorry about the "huge" delayed response, been swamped.)

-Shaun
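
The fix reported in this thread (a "Web Server" certificate on the ASA, a "Client" certificate on the iOS device) depends on which CA template issued each certificate, and a template fixes the Extended Key Usage (EKU) written into the certificate. The following is an added example, not part of any post above: a shell check of the EKU on an exported PEM certificate, run against constructed self-signed samples. The function names and the IKE-intermediate OID used for the IPSec-style sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check that a certificate's Extended
# Key Usage (EKU) fits the role it was issued for.

# eku_of CERT.pem -> prints the EKU list, or "none" if the extension is absent
eku_of() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 Extended Key Usage/ { getline; gsub(/^[ \t]+|[ \t]+$/, ""); print; f = 1 }
    END { if (!f) print "none" }'
}

# check_role CERT.pem client|server -> 0 match, 1 wrong EKU, 3 no EKU, 2 usage
check_role() {
  case "$2" in
    client) want="TLS Web Client Authentication" ;;
    server) want="TLS Web Server Authentication" ;;
    *) echo "usage: check_role CERT.pem client|server" >&2; return 2 ;;
  esac
  eku=$(eku_of "$1")
  case "$eku" in
    none)      echo "NO-EKU: $1 carries no EKU extension"; return 3 ;;
    *"$want"*) echo "OK: $1 carries '$want'"; return 0 ;;
    *)         echo "MISMATCH: $1 has [$eku], role '$2' needs '$want'"; return 1 ;;
  esac
}

# make_sample OUT.pem EKU -> constructed, self-signed throwaway cert for the demo
make_sample() {
  cnf=$(mktemp)
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\n[ext]\nextendedKeyUsage=%s\n' "$2" > "$cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-sample" \
    -config "$cnf" -keyout /dev/null -out "$1" 2>/dev/null
  rc=$?; rm -f "$cnf"; return $rc
}

# Demo on constructed certs: a device cert from an IPSec-style template
# (assumed here to carry only the IKE intermediate OID) next to certs
# carrying the client and server authentication EKUs.
demo() {
  d=$(mktemp -d)
  make_sample "$d/ipsec.pem" 1.3.6.1.5.5.8.2.2
  make_sample "$d/client.pem" clientAuth
  make_sample "$d/asa.pem" serverAuth
  check_role "$d/ipsec.pem" client
  check_role "$d/client.pem" client
  check_role "$d/asa.pem" server
  rm -rf "$d"
}
demo
```

To use it on real certificates, export the device and ASA certificates as PEM and call `check_role` on each with the role it is meant to serve.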