08-29-2012 08:58 AM - edited 02-21-2020 06:18 PM
Hi, I have a question regarding Cisco AnyConnect Secure Mobility Client, version 3.1.00495. Installed on W7 Enterprise 32-bit.
It's working fine, but I notice when I first use it I am prompted by "Certificate Blocked Error Dialog", visible on this link as Figure 3.
The dialog box says "Untrusted VPN Server!" with the option to "Change Setting" or "Keep Me Safe". If you click Change Setting you can then uncheck "Block connections to untrusted servers" etc and connect then. Once the connection is successful you are not prompted again about this.
I am wondering, if I'm deploying this software to many users, how can I avoid this pop-up appearing for them all, to make the process as seamless as possible? Is there something I can do to pre-stage these settings somewhere?
Thanks in advance!
08-29-2012 09:05 AM
The best way is to deploy a public certificate on the ASA (there are also ones that don't cost anything) and then add the strict certificate trust in the local policy:
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-18-2012 02:32 PM
On the ASA,
1. Anyconnect Client profile
2. Edit Anyconnect_Group profile
3. Edit Server list
4. Add or Edit the hostname
5. Host display: Remote.example.com and FQDN: Remote.example.com
Your cert that you applied for the interface must match the URL; otherwise it won't work.
Let me know
11-09-2012 05:07 AM
Hi,
same bad discovery here. We're using self-signed certs and even importing them in the client did not prevent the nasty window to appear.
Is this a warning which appears as long as you're not using a third-party validated cert or is there a way to disable the warning even when using self-signed certs?
Thanks
11-28-2012 06:11 AM
Hi Nicola,
have you found a way to remove the warning?
where is Anyconnect searching for the certs?
Thanks.
11-28-2012 07:33 AM
Cristian,
As mentioned before, you need to make sure that the CN value in the certificate matches the DNS name of the ASA as well (otherwise the client will not consider it trusted). Once you are done with this, install the ASA certificate on the client machine and that should fix the problem.
However the best practice is to get a valid certificate from a known Certificate Authority.
HTH.
Portu.
Please rate any helpful posts
11-28-2012 08:03 AM
Hi Portu,
even if the CN matches the DNS name, if the cert is self-signed it is rejected by the actual AnyConnect client. The client behavior changed somewhere at version 3.1.
I'm also still searching for a solution for the rare situation where a self-signed certificate has to be used.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-28-2012 08:08 AM
I agree Karsten, I actually helped Cristian with that issue on:
https://supportforums.cisco.com/message/3794109#3794109
However, I think his certificate does not include the correct CN value (same as DNS). This in conjunction with the correct certificate match should work, however I have not fully tested it yet.
Thanks.
Portu.
11-29-2012 12:08 AM
Hi Portu,
I've just tried, the connection works but the warning keeps coming.
- CN=abc.example.com
- DNS - abc.example.com resolves to ASA_IP
- CN matches the DNS
- Certificate was installed on client PC
Where does the Anyconnect search/check for the certs?
Thanks.
06-06-2015 02:45 PM
Hello Javier,
It has been almost three years since that post, but your answer really helped me on my Home Lab. I followed your steps and I got that warning, once you check the Option "Import the Certificate" you never get it again.
Thank you for your help,
Theo
11-29-2012 12:30 AM
Hi Cristian,
unfortunately not. I suspended the attempts due to some other tasks. I guess this is something I'll have to start working on again; we can't stick with 3.0 forever.
Regarding the various suggestions of having a third-party cert and not a self signed cert: I agree it's the best solution but still, this warning is too aggressive. I'm pretty sure we're not the only ones using self signed certs.
11-30-2012 05:16 AM
Hi Nicola,
I tried with a trial cert from Thawte but the warning keeps coming.
Isn't it strange?
Any idea?
Thanks.
11-30-2012 05:26 AM
Cristian,
Usually those are not known certificates since they have a trial flag.
You need to obtain a real certificate. The positive side of the coin is that you already know how to install it.
Just to make sure, could you please attach the identity certificate?
Thanks.
Portu.
Please rate any helpful posts
11-30-2012 05:28 AM
Hi Portu,
what exactly would you like to see in the cert?
Thanks.
11-30-2012 05:36 AM
I would like to see the "Issued by" in the Root certificate.
Thanks.
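The two checks discussed in this thread (the name the client dials must match the certificate's CN, and the ASA certificate must be present in the client's trust store before it is considered trusted) together with the "Issued by" field asked for in the last post, reproduced locally with openssl. This is an added example, not from the thread or from Cisco: it generates a self-signed certificate for the constructed hostname remote.example.com, then runs the same name and trust checks against it. The hostnames, file paths and helper function names are assumptions, and it assumes a local `openssl` binary (1.0.2 or newer for `-checkhost`).

```shell
#!/bin/sh
# Added example, not from the thread: reproduce locally the two checks that
# decide whether a VPN client treats the headend's identity certificate as trusted.
#   1. The name the user connects to must match the certificate's CN / SAN.
#   2. The certificate must chain to an issuer present in the client's trust store.
# Hostnames, file paths and helper names below are constructed for the demo.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

FQDN="remote.example.com"            # constructed: the name users type into the client
ASA_CERT="$WORKDIR/asa-cert.pem"     # self-signed identity cert standing in for the ASA's
OTHER_CA="$WORKDIR/other-ca.pem"     # a trust store that does NOT contain the ASA cert

# Generate a self-signed cert whose CN and SAN both carry the given name.
make_self_signed() {  # $1 = name, $2 = output cert path
  cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1
[v3]
subjectAltName = DNS:$1
basicConstraints = CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORKDIR/req.cnf" -keyout "$WORKDIR/$1.key" -out "$2" 2>/dev/null
}

make_self_signed "$FQDN" "$ASA_CERT"
make_self_signed "corp-root.example.net" "$OTHER_CA"   # unrelated anchor, constructed

# Check 1: does the certificate's CN / SAN cover the name the client dialled?
# openssl prints "... does match certificate" or "... does NOT match certificate".
cert_matches_host() {  # $1 = cert, $2 = hostname; exit 0 on match
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Check 2: does the certificate verify against the given trust store?
cert_chains_to_store() {  # $1 = cert, $2 = CA bundle; exit 0 if the chain verifies
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The "Issued by" field: who signed the identity cert (itself, for a self-signed one).
cert_issuer() {  # $1 = cert
  openssl x509 -in "$1" -noout -issuer
}

report() {  # $1 = label, rest = command to run
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

echo "Identity cert: $(cert_issuer "$ASA_CERT")"
report "name check: client dials $FQDN"            cert_matches_host "$ASA_CERT" "$FQDN"
report "name check: client dials vpn.example.net"  cert_matches_host "$ASA_CERT" "vpn.example.net"
report "trust check: store without the ASA cert"   cert_chains_to_store "$ASA_CERT" "$OTHER_CA"
report "trust check: ASA cert imported into store" cert_chains_to_store "$ASA_CERT" "$ASA_CERT"
```

The run shows the pattern the thread describes: the name check passes only for the FQDN the certificate was issued for, and the trust check fails until the self-signed certificate itself has been imported into the store the client consults. A certificate from a publicly trusted CA removes the second step because the issuer is already in the client's store, which is why the thread recommends it over self-signed certificates.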