07-06-2018 04:36 AM
I'm having a perplexing problem with certificate/AAA authentication on High Sierra. AnyConnect chooses the correct certificate, but appears to have problem accessing the private key. Sometimes. If I delete the ~/.anyconnect file and force quit AnyConnect, I am able to connect with certificate. If I then connect to a non-certificate connection, then reconnect to a certificate connection, I get certificate validation failures.
If I debug the connection on the head-end, when the failures occur, I never see the user certificate come into the ASA. The device certificate is presented as normal. When it works, I see the user certificate presented to the ASA. This tells me the AnyConnect/High Sierra combo is not getting past validating the key.
I will note, this is not a certificate selection issue. I do have <CertificateMatch> configured in the relevant profile. DART logs show the correct certificate is chosen, then it all goes downhill.
I have a case with TAC, and we'll see how that goes.
Here is the relevant snippet from the DART log showing the failure progression:
2018-07-05 08:43:07.371657-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: nextClientCert File: ../../vpn/Api/ConnectMgr.cpp Line: 6469 Subject Name: CN="xxxx, xxxx", emailAddress=xxxx@xxxx.com, OU=MULTI-ALLOWED Issuer Name : O="xxxxx, Inc.", CN="xxxxx. Standard Private CA - G2" Store : Mac Keychain User (this is the correct certificate)
2018-07-05 08:43:07.374003-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: enumCertsFromExternalTokens File: ../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300)
2018-07-05 08:43:07.381280-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: GetCertThumbprintFailureResponse File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 1333 Invoked Function: UserAuthenticationTlv::getStatusCode Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
2018-07-05 08:43:07.381473-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
2018-07-05 08:43:07.382383-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33Description: The operation couldn’t be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED)
2018-07-05 08:43:07.382387-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/CommonCrypt/Certificates/Certificate.cpp Line: 281 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.382390-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/Api/CertObj.cpp Line: 545 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.382392-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: handleCertSigningRequest File: ../../vpn/Api/ConnectMgr.cpp Line: 13376 Invoked Function: CertObj::HashAndSignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.382564-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: SignDataCB File: ../../vpn/IPsec/EAPMgr.cpp Line: 773 Invoked Function: CCertIKEAdapter::SignData Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.394964-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: processResponseStringFromSG File: ../../vpn/Api/ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth)
2018-07-05 08:43:07.395350-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
2018-07-05 08:43:07.395356-0400 0x7c2b8 Error 0x0 77309 14 vpnagentd: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnagent] Function: getAggAuthCertificateInfo File: ../../vpn/Common/TLV/UserAuthenticationTlv.cpp Line: 3837 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
2018-07-05 08:43:07.404455-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] The following error message was received from the secure gateway: Certificate Validation Failure
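The DART excerpt above records a failure sequence worth recognising quickly: the client certificate is selected, the keychain lookups report no results, the signing call is refused with CSSMERR_CSP_OPERATION_AUTH_DENIED, the internal CERTIFICATE_ERROR_SIGN_FAILED is propagated, and the gateway answers "Certificate Validation Failure" because no user certificate was ever sent. The parser and triage routine below is an added example, not code from the original post or from Cisco: it reads lines in that DART format and summarises the chain. The OSStatus meanings are Apple's Security framework values (-25300 errSecItemNotFound, -25293 errSecAuthFailed); the `triage` function, its verdict labels and the report keys are my own naming; the embedded sample is copied from the post above with the poster's redactions kept.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: five lines copied from the DART log in the post above (the poster's
# "xxxx" redactions are kept; the poster's annotation on the first line is dropped
# so that every line is in the raw DART format).
SAMPLE_LOG = """
2018-07-05 08:43:07.371657-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: nextClientCert File: ../../vpn/Api/ConnectMgr.cpp Line: 6469 Subject Name: CN="xxxx, xxxx", emailAddress=xxxx@xxxx.com, OU=MULTI-ALLOWED Issuer Name : O="xxxxx, Inc.", CN="xxxxx. Standard Private CA - G2" Store : Mac Keychain User
2018-07-05 08:43:07.374003-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: enumCertsFromExternalTokens File: ../../vpn/CommonCrypt/Certificates/MacCertStore.cpp Line: 322 SecItemCopyMatching returned no results (ret = -25300)
2018-07-05 08:43:07.382383-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: SignHash File: ../../vpn/CommonCrypt/Certificates/MacCertificate.cpp Line: 1409 SecKeyCreateSignature failed: Error occurred. Domain: NSOSStatusErrorDomain Code: 0xffffffffffff9d33Description: The operation couldn't be completed. (OSStatus error -25293 - CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED)
2018-07-05 08:43:07.382387-0400 0x7cbe2 Error 0x0 77474 14 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] Function: HashAndSignData File: ../../vpn/CommonCrypt/Certificates/Certificate.cpp Line: 281 Invoked Function: CCertificate::SignHash Return Code: -31391731 (0xFE21000D) Description: CERTIFICATE_ERROR_SIGN_FAILED
2018-07-05 08:43:07.404455-0400 0x7cbe2 Default 0x0 77474 0 Cisco AnyConnect Secure Mobility Client: (libvpncommon.dylib) [com.cisco.anyconnect.vpn:acvpnui] The following error message was received from the secure gateway: Certificate Validation Failure
""".strip().splitlines()

# One DART line: timestamp, thread, level, activity, pid, ttl, process, library,
# [subsystem:category], then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>0x[0-9a-f]+) (?P<level>\w+) 0x[0-9a-f]+ "
    r"(?P<pid>\d+) \d+ (?P<process>.+?): \((?P<lib>[^)]+)\) "
    r"\[(?P<subsystem>[^\]]+)\] (?P<msg>.*)$"
)
# Optional "Function: X File: Y Line: N" prefix AnyConnect puts on most messages.
FUNC_RE = re.compile(r"^Function: (?P<func>\S+) File: (?P<file>\S+) Line: (?P<line>\d+) ?(?P<rest>.*)$")
# AnyConnect's own error propagation: "Return Code: -31391731 (0xFE21000D) Description: ..."
RC_RE = re.compile(r"Return Code: (?P<code>-?\d+) \(0x[0-9A-Fa-f]+\) Description: (?P<desc>\S+)")
# macOS Security framework codes embedded in messages: "OSStatus error -25293", "ret = -25300"
OSSTATUS_RE = re.compile(r"(?:OSStatus error|ret =) (?P<code>-?\d+)")

# Meanings (from Apple's SecBase.h) of the two status codes seen in this thread.
OSSTATUS = {
    -25300: "errSecItemNotFound: no matching keychain item (here: no smart-card/token identities)",
    -25293: "errSecAuthFailed: keychain refused use of the private key (ACL/authorization denied)",
}


@dataclass
class Event:
    ts: str
    level: str
    process: str
    function: Optional[str]
    message: str
    return_code: Optional[int]
    description: Optional[str]
    os_status: Optional[int]


def parse_line(line: str) -> Optional[Event]:
    """Parse one DART line into an Event; returns None for lines not in the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg, func = m["msg"], None
    fm = FUNC_RE.match(msg)
    if fm:
        func, msg = fm["func"], fm["rest"]
    rc = RC_RE.search(msg)
    osm = OSSTATUS_RE.search(msg)
    return Event(ts=m["ts"], level=m["level"], process=m["process"], function=func,
                 message=msg,
                 return_code=int(rc["code"]) if rc else None,
                 description=rc["desc"] if rc else None,
                 os_status=int(osm["code"]) if osm else None)


def triage(lines) -> dict:
    """Summarise the certificate-auth chain: which cert was chosen, whether the
    keychain refused the private key, and what the gateway finally reported."""
    report = {"selected_cert": None, "sign_failed": False, "key_access_denied": False,
              "gateway_error": None, "os_status": {}, "verdict": ""}
    for e in filter(None, map(parse_line, lines)):
        if e.function == "nextClientCert":
            sm = re.search(r"Subject Name: (.*?) Issuer Name", e.message)
            report["selected_cert"] = sm.group(1) if sm else e.message
        if e.os_status is not None:
            report["os_status"][e.os_status] = OSSTATUS.get(e.os_status, "unknown OSStatus")
        if e.function == "SignHash" and ("AUTH_DENIED" in e.message or e.os_status == -25293):
            report["key_access_denied"] = True
        if e.description == "CERTIFICATE_ERROR_SIGN_FAILED":
            report["sign_failed"] = True
        gm = re.search(r"received from the secure gateway: (.*)$", e.message)
        if gm:
            report["gateway_error"] = gm.group(1)
    # Verdict labels are this example's own naming, not AnyConnect terminology.
    if report["selected_cert"] and report["key_access_denied"]:
        report["verdict"] = "PRIVATE_KEY_ACCESS_DENIED"
    elif report["sign_failed"]:
        report["verdict"] = "SIGN_FAILED_OTHER"
    elif report["selected_cert"] is None:
        report["verdict"] = "NO_CLIENT_CERT_SELECTED"
    else:
        report["verdict"] = "NO_SIGNING_ERROR"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A PRIVATE_KEY_ACCESS_DENIED verdict means the client found the identity but the keychain would not let it sign with the private key, so the gateway-side "Certificate Validation Failure" is a symptom rather than a certificate problem; the things to check are the private key's access control in Keychain Access and, as the accepted answer below shows, whether a client component update (HostScan in this case) coincided with the failures.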
07-24-2018 05:39 AM
This problem was a direct result of CSCvi49604. Fixed by reverting to hostscan 4.6.00362.