cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
181
Views
0
Helpful
6
Replies
Highlighted
Beginner

Anyconnect Windows Certificate Store

Hi,

Does anyone have any experience of Anyconnect not being able to find a valid user certificate despite one being in the Microsoft User Store? 

The situation is we use EAP-FAST and multiple certificate authentication (MAchine and USer), Automatic and Always On VPN with fail open as the option.

Everything is ticking along happily for everyone, then randomly someone will call in with their device not being able to connect and Anyconnect errors with no valid user certificate.  They can't browse the internet to send us a DART as a result of authentication failure (Fail close).  The user and machine certificate is present on the machine still.

By deleting the certificate and enrolling for a new one, things start working again.

Things we have tried:

Rebooting the machine

Logging off

Network repair on Anyconnect

I've not yet managed to get a DART from a machine thats broken as usually someone replaces the certificate and its to late.  With everyone working remotely at the moment this problem is now exacerbated as we can't get the replacement on the machine as its securely locked down - we can do this in the office but we are not allowed to.

What causes this to happen?  Is it Microsoft certificate store corrupting or something else?  I can't see any obvious logs for the cause.

 

 

6 REPLIES 6
Highlighted
Beginner

Re: Anyconnect Windows Certificate Store

Forgot to add, certificate overide is enabled, and certificate matching with various fields. This will be working for the user quite happily and then one day it doesn't and we have to replace the user cert, and then it all works again.
Certificate has not expired nor been revoked either.
Highlighted
Collaborator

Re: Anyconnect Windows Certificate Store

Hi,

 

   If you also deployed NAM profiles with certificate matching, so not automatic selection, it looks like a bug on AnyConnect or Windows side. What AC version are you using? A DART file would clearly help a lot, otherwise without understanding what happens on the endpoint you're kind of left guessing.

 

Regards,

Cristian Matei.

Highlighted
Beginner

Re: Anyconnect Windows Certificate Store

HI, the majority of laptops are on 4.7.00136 which was a mistake, and we are in the process of getting people to 4.7.04056.  Anyone running either of those clients though does have the problem.  The laptops are running the equivalent Anyconnect NAM and Umbrella clients.

 

I agree a DART is needed, I'm struggling to get one as a machine gets locked down once its not working, and we are not allowed to take them into the office to get them on the LAN to grab it and resolve the intial certificate problem.

Highlighted
Collaborator

Re: Anyconnect Windows Certificate Store

Hi,

 

       In this case you got your answer, you would need to urgently upgrade AC. You could still do a DART on one of the PC's before upgrading, just for the fun of the engineer.

 

Regards,
Cristian Matei.

Highlighted
Beginner

Re: Anyconnect Windows Certificate Store

Are you saying 4.8 is what we should be using? any version of 4.7 is affected. I am speaking to tac today hopefully.
Highlighted
Collaborator

Re: Anyconnect Windows Certificate Store

Hi,

 

   I somehow misunderstood the with the newer version there are no problems. Post the DART file, this is the important missing part, insight on the endpoint, and open a TAC case.

 

Regards,

Cristian Matei.