Certificate Validation Failure after AnyConnect Upgrade

nkd2400
Level 1

We have a Cisco ASA 5516-X (software version 9.8(4)32) which has AnyConnect configured using AAA + Certificate authentication. The certificates we are using are an external Entrust PKI solution which utilizes SmartCards.

We recently upgraded our Cisco AnyConnect version 4.9.00086 to 4.9.05042 to address some recent vulnerabilities which we were concerned about. All the test machines I deployed the new version to worked fine. After the upgrade, approximately 25% of our users encountered an issue where they would get the Certificate Validation Failure message when trying to authenticate with the VPN. They would get the prompt to authenticate their SmartCard (with a password) and then once that was done they'd immediately get a message saying Certificate Validation Failure.

This did not happen to all users, and most were able to get the upgraded version downloaded, installed, and working fine for them. We did see that almost all of our MS Surface Pros had this issue, whereas the rest of our laptops were mostly fine. All users only have user access to their devices, and AnyConnect seems to upgrade fine for all. It seems to be post-upgrade that some are having this issue. I have confirmed it is an issue on the client machine and not the users' certificates. Also, reverting back to the old version of Cisco AnyConnect on the ASA (where the client machine keeps the newer version) still causes this issue.

I was able to replicate this issue on some machines, and after installing the DART tools, I can see that where it is failing is finding the appropriate Key Usage (KU) and Extended Key Usage (EKU) values. When I look at the KU field, I see Digital Signature, and when I look at the EKU field I see Client Authentication, Smart Card Logon, and Any Purpose. As I said, nothing has changed on the SmartCard side, and as soon as we re-install the AnyConnect software to the older version, everything works again.

Any idea what is going on here?

Update: After digging into it further, it seems like the issue was a compatibility or bug with the SafeNet Authentication Client (middleware software for the SmartCards) and the newer versions of Cisco AnyConnect.

Upgrading the SafeNet software to a newer version has seemed to fix the issue moving forward.