
Cisco AnyConnect on Apple iPhone error: This connection requires a client certificate

We have an internal certificate CA, configured to deploy certificates to our workstations so that only PCs with certs can access our network. We then recently configured our ASA 5516 running Software Version 9.14(1)19 to do a certificate check first before allowing a PC to connect. For example: the PC starts the AnyConnect app, the user clicks Connect, and then the ASA verifies that the PC has a cert and continues to prompt the user for ID and password to complete authentication. This works great.


The issue we run into is with iOS devices. When an iPhone with the AnyConnect app tries to connect we get the message "This connection requires a client certificate, but no matching certificate is configured."


So we configured our MDM, Microsoft Intune, to deploy a root certificate and request a certificate for the iPhone. We set Intune to use a PFX connector as the middle man. So when a device enrolls into the MDM, Intune goes to the PFX connector to request a cert from our CA; the CA issues it, and the PFX connector passes it to Intune and down to the device as an MDM profile. Once deployed on the iPhone, when you go to Settings >> General >> Device Management >> Management Profile and go into the details of the profile, you see under Device Identity Certificate 2 certs issued by Intune MDM, and then under the heading for Certificates you see several other certs, including the cert that was issued to the iPhone from our internal CA. Now when we attempt to use the AnyConnect app on the iPhone it still says "This connection requires a client certificate, but no matching certificate is configured." Has anyone run into an issue like this? I've been going in circles with Microsoft and Apple.

If we remove the certificate check from the ASA the iPhone connects fine, but that defeats the purpose of locking down what devices are able to connect remotely.

Accepted Solution

After months and months of working with various support teams at Microsoft, Apple, and Cisco, I finally figured it out. From my previous troubleshooting with Cisco Tech, they mentioned that the mobile device needed an identity cert and that it should show under the iPhone's certificate trust settings, and in the Cisco AnyConnect app under Diagnostics >> Certificates.

While on a troubleshooting call with Microsoft I mentioned this, and they said that after setting up your MDM to deploy certificates to the mobile device, a profile for VPN would have to be deployed as well from the MDM (this would have been nice to know from the beginning). So it depends on how you set up your certificate deployment through your MDM; in our case our MDM is Microsoft Intune. We configured Intune to deploy certificates using PKCS, and also a test environment which deployed certs using SCEP.

After you have successfully configured your choice of certificate deployment and confirmed it's deployed to the device from Intune, you also have to create a profile deployment for VPN. So for me, from Intune you go to:

1. Endpoint management >> Devices >> Configuration Profiles >> Create profile
2. Select platform >> iOS/iPad
3. Select the profile that you want to deploy (ex. PKCS Certificate, SCEP Certificate, VPN): select VPN
4. Give a name for the profile deployment
5. Under Configuration Settings, select connection type and select Cisco AnyConnect
6. Under the heading for Base VPN, enter your connection name (this is the description for your VPN connection, ex. New York office VPN)
7. Enter the FQDN for the VPN address (NYVPN.Contoso.com)
8. Then under Authentication Method, this is where you select Certificates and select the certificate profile that you created earlier for your certificate deployment in Intune

The rest of the settings can be left as default; click Next and save.

So, what this last step does is: from your mobile device you need to have Cisco AnyConnect already installed on the phone. When you join your mobile device to your MDM, the MDM pushes the profiles for your configuration and certificates. This also pushes the VPN profile, which tells the AnyConnect client which certificate to use for the check.

To confirm that the certificate shows in AnyConnect, open the app and go to Diagnostics >> Certificates, and you should see the certificate there from the profile deployment.
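As an added illustration (not code from this thread, from Intune or from Cisco), the stdlib-only check below runs over a constructed .mobileconfig plist and verifies the linkage the last step creates: the VPN payload must reference the identity certificate payload through PayloadCertificateUUID, otherwise the device holds certificates but nothing tells the client which one to present. The VPNSubType value, the payload identifiers and the PKCS#12 bytes are assumptions/placeholders.

```python
import plistlib
import uuid

# Assumed VPNSubType for the AnyConnect iOS plugin; not taken from the thread.
ANYCONNECT_SUBTYPE = "com.cisco.anyconnect.applevpn.plugin"
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}


def build_profile(link_cert: bool = True, include_vpn: bool = True) -> bytes:
    """Constructed sample of what an MDM pushes: one identity payload plus a
    VPN payload that should reference it through PayloadCertificateUUID."""
    cert_uuid = str(uuid.uuid4())
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadUUID": cert_uuid,
        "PayloadIdentifier": "com.example.identity",  # placeholder identifier
        "PayloadContent": b"PKCS12-PLACEHOLDER",  # a real profile carries .pfx bytes
    }
    vpn = {"RemoteAddress": "NYVPN.Contoso.com", "AuthenticationMethod": "Certificate"}
    if link_cert:
        vpn["PayloadCertificateUUID"] = cert_uuid
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadIdentifier": "com.example.vpn",  # placeholder identifier
        "UserDefinedName": "New York office VPN",
        "VPNType": "VPN",
        "VPNSubType": ANYCONNECT_SUBTYPE,
        "VPN": vpn,
    }
    payloads = [cert_payload] + ([vpn_payload] if include_vpn else [])
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadUUID": str(uuid.uuid4()), "PayloadContent": payloads})


def check_vpn_profile(data: bytes) -> list:
    """Return findings explaining a 'no matching certificate' error; empty means OK."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    identities = {p["PayloadUUID"] for p in payloads if p.get("PayloadType") in IDENTITY_TYPES}
    vpns = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    findings = []
    if not vpns:
        findings.append("no VPN payload: certificates were pushed but nothing tells AnyConnect which one to use")
    for p in vpns:
        v = p.get("VPN", {})
        if v.get("AuthenticationMethod") != "Certificate":
            findings.append(f"{p['PayloadIdentifier']}: AuthenticationMethod is not Certificate")
        elif v.get("PayloadCertificateUUID") not in identities:
            findings.append(f"{p['PayloadIdentifier']}: PayloadCertificateUUID does not match any identity payload")
    return findings
```

Running `check_vpn_profile` on a profile exported from the MDM (or on the device's installed profile) is a quick way to see whether the VPN payload was ever delivered and whether it points at the identity the CA issued.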


2 Replies

bhess5 (Level 1)

It's about 3 years later, but THANK YOU for coming back and updating this with the solution. I ran into a similar problem with the newer Cisco Secure Client mobile app and can confirm this still works.