Anyconnect VPN Certificate Authentication

andre.ortega
Enthusiast

Hello,
I configured an RA VPN to authenticate using certificates.
On the FTD I installed my root CA certificate and the identity certificate signed by this CA, and for the computer I also generated and installed a certificate (template = Workstation, the same one I use to authenticate on the LAN with ISE).

Now, when trying to connect to the VPN, I am receiving the error "Certificate Validation Failure" in AnyConnect. On the FTD I see "pki_is_policy_match: policy CA-Corp rejected (usage: 640). conn_type 32 not allowed".

What could be causing this?

More logs:


SSL verify callback: Key exchange algorithm extracted from SSL Cipher
PKI[13]: CERT_Open, vpn3k_cert_api.c:196
PKI[8]: PKI session 0x015ec9e9 open Successful with type SSL
PKI[13]: CERT_SetKeyExchangeAlg, vpn3k_cert_api.c:896
PKI[13]: CERT_Authenticate, vpn3k_cert_api.c:566
PKI[8]: Authenticate session 0x015ec9e9, non-blocking cb=0x0000559ee0a47e30
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2630
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2528
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2463
PKI[8]: process msg cmd=0, session=0x015ec9e9
PKI[9]: Async locked for session 0x015ec9e9
PKI[12]: pki_ossl_verify_chain_of_certs, pki_ossl_validate.c:1048
PKI[7]: Begin cert chain validation for session 0x015ec9e9
PKI[12]: pki_ossl_find_valid_chain, pki_ossl_validate.c:441
PKI[8]: Begin sorted cert chain
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[8]: ---------Certificate--------:
Serial Number:
16:cb:75:61:a0:23:45:9c:4a:99:3b:11:82:bb:ac:90
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[8]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[8]: End sorted cert chain
PKI[13]: pki_ossl_get_store, pki_ossl_certstore.c:61
PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:194
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[7]: Cert to verify
PKI[7]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[12]: pki_verify_cb, pki_ossl_validate.c:344
PKI[8]: val status=1: cert subject: /DC=br/DC=com/DC=mycompany/CN=CA-MyCompany. ctx->error: (0)ok, cert_idx: 1
PKI[12]: pki_verify_cb, pki_ossl_validate.c:344
PKI[8]: val status=1: cert subject: /DC=br/DC=com/DC=mycompany/OU=mycompany STI/OU=Computers/OU=TesteAutent/CN=HQNB316. ctx->error: (0)ok, cert_idx: 0
PKI[8]: pki_ossl_find_valid_chain took 467 microsecs
PKI[6]: Verified chain:
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[6]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[6]: ---------Certificate--------:
Serial Number:
16:cb:75:61:a0:23:45:9c:4a:99:3b:11:82:bb:ac:90
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany

PKI[13]: pki_ossl_policy_select, pki_ossl_policy.c:545
PKI[9]: Policy search for cert 0
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy CA-MyCompany for conn type 0x20
PKI[9]: pki_is_policy_match: policy CA-Corp rejected (usage: 640). conn_type 32 not allowed
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy Trustpool for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[9]: Policy search for cert 1
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy CA-MyCompany for conn type 0x20
PKI[9]: pki_is_policy_match: policy CA-MyCompany rejected (usage: 640). conn_type 32 not allowed
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy Trustpool for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[4]: Unable to find policy
PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:160
PKI[13]: CERT_Close, vpn3k_cert_api.c:284
PKI[8]: Close session 0x015ec9e9 asynchronously
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2630
PKI[9]: Async unlocked for session 0x015ec9e9
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2528
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2463
PKI[8]: process msg cmd=1, session=0x015ec9e9
PKI[9]: Async locked for session 0x015ec9e9
PKI[9]: Async unlocked for session 0x015ec9e9
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:247
PKI[9]: CERT API thread sleeps!

CERTIFICATES ON FTD:

Certificate
Status: Available
Certificate Serial Number: 56000000170f1073b1715941ab000000000017
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=CA-MyCompany
dc=mycompany
dc=com
dc=br
Subject Name:
cn=ssl.mycompany.com.br
ou=TI
o=mycompany
l=Sao Paulo
st=SP
c=BR
CRL Distribution Points:
[1] ldap:///CN=CA-MyCompany,CN=AHQDC02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mycompany,DC=com,DC=br?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 19:03:00 UTC Apr 27 2022
end date: 19:03:00 UTC Apr 26 2024
Storage: config
Associated Trustpoints: CA-MyCompany

CA Certificate
Status: Available
Certificate Serial Number: 16cb7561a023459c4a993b1182bbac90
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=CA-MyCompany
dc=mycompany
dc=com
dc=br
Subject Name:
cn=CA-MyCompany
dc=mycompany
dc=com
dc=br
Validity Date:
start date: 17:01:17 UTC Jan 9 2020
end date: 17:11:16 UTC Jan 9 2035
Storage: config
Associated Trustpoints: CA-MyCompany


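Reading the debug output above, the two stages are worth separating: pki_verify_cb reports val status=1 and ctx->error (0)ok for both the leaf (cert_idx 0) and the issuer (cert_idx 1), so the chain itself verifies; the failure comes afterwards in pki_ossl_policy_select, where every trustpoint rejects the SSL session (conn type 0x20): CA-MyCompany because that connection type is "not allowed" for its usage, and Trustpool because it requires an exact certificate match. That is a trustpoint policy problem, not a bad certificate. On ASA/FTD the per-trustpoint validation-usage setting (ssl-client, ipsec-client, ssl-server on the ASA CLI; the Validation Usage checkboxes of the Cert Enrollment object in FMC) decides which connection types a trustpoint may validate. The small triage script below is an added example, not code from the post or from Cisco: it walks pasted PKI debug lines and reports which stage failed and why. The regexes follow the line shapes in the log above; the usage value (640) is treated as opaque and only reported; the BAD_CHAIN_LOG line is constructed for illustration and its error text is assumed, not taken from a real FTD.

```python
"""Triage helper for ASA/FTD PKI debug output (added example, not from the post or Cisco)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Line shapes taken from the debug output pasted in the post above.
SESSION_RE = re.compile(r"PKI session \S+ open Successful with type (?P<stype>\w+)")
VERIFY_RE = re.compile(
    r"val status=(?P<status>\d+): cert subject: (?P<subject>.+?)\. "
    r"ctx->error: \((?P<err>\d+)\)(?P<errtext>[^,]+), cert_idx: (?P<idx>\d+)"
)
SEARCH_RE = re.compile(r"Policy search for cert (?P<idx>\d+)")
EVAL_RE = re.compile(r"Evaluating policy \S+ for conn type (?P<conn>0x[0-9a-fA-F]+)")
REJECT_RE = re.compile(
    r"policy (?P<policy>\S+) rejected(?: \(usage: (?P<usage>\d+)\))?\. (?P<reason>.+)$"
)
NO_POLICY_RE = re.compile(r"Unable to find policy")


@dataclass
class VerifyResult:
    cert_idx: int
    subject: str
    ok: bool
    error: str


@dataclass
class PolicyReject:
    cert_idx: int          # 0 = leaf (client) cert, 1 = its issuer
    policy: str            # trustpoint name as logged
    conn_type: int         # conn type the session was opened with (0x20 in the post)
    usage: Optional[int]   # raw usage value logged for the trustpoint; opaque, reported as-is
    reason: str


@dataclass
class Triage:
    session_type: str = "unknown"
    verify: list = field(default_factory=list)
    rejects: list = field(default_factory=list)
    no_policy: bool = False

    @property
    def chain_ok(self) -> bool:
        return bool(self.verify) and all(v.ok for v in self.verify)

    def verdict(self) -> str:
        if not self.chain_ok:
            bad = [f"{v.subject} ({v.error})" for v in self.verify if not v.ok]
            return "chain verification failed: " + ("; ".join(bad) or "no verify callback seen")
        if self.no_policy:
            leaf = [r for r in self.rejects if r.cert_idx == 0]
            conn = leaf[0].conn_type if leaf else 0
            parts = [f"{r.policy}: {r.reason}" + (f" (usage {r.usage})" if r.usage is not None else "")
                     for r in leaf]
            return (f"chain verified, but no trustpoint policy accepts this {self.session_type} "
                    f"connection (conn_type 0x{conn:x}): " + "; ".join(parts))
        return "chain verified and a trustpoint policy matched"


def triage(log: str) -> Triage:
    """Walk the debug output once, carrying the cert index and conn type as context."""
    t = Triage()
    cur_idx, cur_conn = -1, 0
    for line in log.splitlines():
        if m := SESSION_RE.search(line):
            t.session_type = m["stype"]
        elif m := VERIFY_RE.search(line):
            ok = m["status"] == "1" and m["err"] == "0"
            t.verify.append(VerifyResult(int(m["idx"]), m["subject"], ok, m["errtext"].strip()))
        elif m := SEARCH_RE.search(line):
            cur_idx = int(m["idx"])
        elif m := EVAL_RE.search(line):
            cur_conn = int(m["conn"], 16)
        elif m := REJECT_RE.search(line):
            usage = int(m["usage"]) if m["usage"] else None
            t.rejects.append(PolicyReject(cur_idx, m["policy"], cur_conn, usage, m["reason"].strip()))
        elif NO_POLICY_RE.search(line):
            t.no_policy = True
    return t


# Excerpt of the debug lines pasted in the post (leaf-cert policy search only).
SAMPLE_LOG = """\
PKI[8]: PKI session 0x015ec9e9 open Successful with type SSL
PKI[8]: val status=1: cert subject: /DC=br/DC=com/DC=mycompany/CN=CA-MyCompany. ctx->error: (0)ok, cert_idx: 1
PKI[8]: val status=1: cert subject: /DC=br/DC=com/DC=mycompany/OU=mycompany STI/OU=Computers/OU=TesteAutent/CN=HQNB316. ctx->error: (0)ok, cert_idx: 0
PKI[9]: Policy search for cert 0
PKI[9]: Evaluating policy CA-MyCompany for conn type 0x20
PKI[9]: pki_is_policy_match: policy CA-Corp rejected (usage: 640). conn_type 32 not allowed
PKI[9]: Evaluating policy Trustpool for conn type 0x20
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[4]: Unable to find policy
"""

# Constructed counter-example (not from the post): a chain that fails before policy selection.
BAD_CHAIN_LOG = """\
PKI[8]: PKI session 0x01000001 open Successful with type SSL
PKI[8]: val status=0: cert subject: /CN=HQNB316. ctx->error: (20)unable to get local issuer certificate, cert_idx: 0
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG).verdict())
    print(triage(BAD_CHAIN_LOG).verdict())
```

Run it against the full log from the post (or a fresh "debug crypto ca 14" capture) and the verdict tells you which knob to look at: a chain failure points at the CA certificate, CRL or intermediate on the FTD, whereas "no trustpoint policy accepts this SSL connection" points at the trustpoint's allowed validation usage.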
8 Replies

JP Miranda Z
Cisco Employee