New AnyConnect iOS App - Certificate Auth Failing

Allynl
Level 1

Hi guys,

I'm looking for some help please.

We have used the legacy AnyConnect App for iOS for a long time (before it was legacy) and we have used Certificate Authentication very happily.

We are now looking to move to the current AnyConnect app, for iOS 12 etc., but we cannot get cert auth to work at all, even though it's the same cert for both apps.

The cert and VPN profile are pushed to the devices via an MDM solution and the devices are receiving the profile and the cert just fine. Both the legacy and new AnyConnect app can see the authentication cert fine as well.

Whenever we try to connect using the new AnyConnect app we receive the message:

This connection requires a client certificate, but no matching certificate could be found. Please modify the connection, choose a valid certificate or automatic certificate selection, and try again.

Looking through the debug logs from a device I keep seeing this message:

Info: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.

As well as:

[08-09-18 13:09:00:990] Info: Function: processResponseStringFromSG File: ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth)
[08-09-18 13:09:01:001] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 372 device IMEI is not supported
[08-09-18 13:09:01:010] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 189 device MAC address is not supported
[08-09-18 13:09:01:011] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 209 device IMEI is not supported

[08-09-18 13:09:02:152] Warning: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 1250 No profile available for host New Cisco AnyConnect Test.
[08-09-18 13:09:02:152] Info: Function: getHostInitSettings File: ProfileMgr.cpp Line: 1334 Profile () not found. Using default settings.
[08-09-18 13:09:02:153] Info: Message type prompt sent to the user: Certificate Validation Failure

Is anyone able to shine any light on the issue at all? I really can't work it out. I was led to believe the new AnyConnect Client would just work, but obviously not...

Any help really appreciated.
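Added example, not from the original post or from Cisco: a small Python parser for the AnyConnect debug lines quoted above. The line regex and the finding patterns are mine, written against those quoted lines; the sample input is the quoted lines re-embedded here. It extracts the timestamp, level, function, file and line fields and flags the sequence the post shows: the gateway requests a client certificate, no local profile matches the host so default preferences (without certificate-matching rules) apply, and the user then gets the Certificate Validation Failure prompt.

```python
"""Triage AnyConnect client debug output for certificate-selection failures.

Added example. The regexes were written against the lines quoted in the
post above; field names (ts, level, func, file, line, msg) are my own.
"""
import re

# Sample input: the debug lines quoted in the post (re-embedded here).
SAMPLE_LOG = """\
[08-09-18 13:09:00:990] Info: Function: processResponseStringFromSG File: ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth)
[08-09-18 13:09:01:001] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 372 device IMEI is not supported
[08-09-18 13:09:02:152] Warning: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 1250 No profile available for host New Cisco AnyConnect Test.
[08-09-18 13:09:02:152] Info: Function: getHostInitSettings File: ProfileMgr.cpp Line: 1334 Profile () not found. Using default settings.
[08-09-18 13:09:02:153] Info: Message type prompt sent to the user: Certificate Validation Failure
"""

# "[ts] Level: Function: X File: Y Line: N message"; the Function/File/Line
# prefix is optional, as the prompt line shows.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>\w+): "
    r"(?:Function: (?P<func>\S+) File: (?P<file>\S+) Line: (?P<line>\d+) )?"
    r"(?P<msg>.*)$"
)

# Message patterns (mine) mapped to a finding name.
FINDINGS = [
    ("cert_requested", re.compile(r"Client certificate requested by peer")),
    ("profile_missing", re.compile(r"No profile available for host (?P<host>.+?)\.?$")),
    ("default_settings", re.compile(r"Profile \(\) not found\. Using default settings")),
    ("cert_prompt", re.compile(r"prompt sent to the user: Certificate Validation Failure")),
]


def parse_line(line):
    """Split one debug line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"]) if rec["line"] else None
    return rec


def triage(log_text):
    """Return the findings matched in the log, in order, with any captured fields."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pat in FINDINGS:
            m = pat.search(rec["msg"])
            if m:
                findings.append({"finding": name, "ts": rec["ts"], **m.groupdict()})
    return findings


def diagnose(findings):
    """Summarise the findings as the failure chain the post describes."""
    kinds = {f["finding"] for f in findings}
    if {"cert_requested", "profile_missing", "cert_prompt"} <= kinds:
        host = next(f["host"] for f in findings if f["finding"] == "profile_missing")
        return ("gateway asked for a client certificate, but no AnyConnect profile "
                f"matched host '{host}', so default preferences (no certificate-"
                "matching rules) were used and certificate selection failed")
    if "cert_requested" in kinds and "cert_prompt" in kinds:
        return "certificate selection failed; check which certificate store AnyConnect reads"
    return "no certificate-selection failure pattern seen"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(diagnose(triage(SAMPLE_LOG)))
```

The host name captured from the `getProfileNameFromHost` warning is the value to compare against the server list in the profile; if they differ, the "Using default preferences" message is expected.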

8 Replies

Hi Allynl

We have the same problem as you. Have you found any solution?

Unfortunately not, we have raised a case to Cisco Support and they haven't been much help either so far... :(

darthnugget
Level 1

Same issue here. How many people are testing with a newly released Apple iOS device? I am able to connect using the App and the new iOS 12 on older devices but the latest New iPad Pro does not work and gives this message. Please reply with your device type.

This is still an issue. We tried using iPhone Configurator 2 to import user certificates from our CA server with no luck.

The user certificate is visible on the iPad VPN setting, but not on the new Cisco AnyConnect app.

At first we recognized it was because we were using SHA1, so we published new SHA256 from our CA server but still we cannot select the new SHA256 in Cisco AnyConnect.

Is it possible that AnyConnect does not have access to the iPad cert store?

And is the only way to import certificates to the new app through a URL? That seems odd...

 

Hope someone is coming up with a solution, we cannot update our iPads to iOS 12 until this is fixed..

I found a work-around for this issue in our environment. We use certificates from our ASA as the CA. By allowing certificate enrollment on the ASA for a user, it generates an email message with certificate enrollment instructions. This includes a link to download the certificate from the ASA (which requires logging in with a one-time password, also included in the email message). If we open that link in Chrome for iOS (not Safari), we can then choose to open the .p12 certificate it downloads using (Sharing to) the AnyConnect app. Once AnyConnect authenticates, it adds the certificate into AnyConnect's certificate store (not iOS' certificate store, as it used to do in iOS 11), and AnyConnect will then allow us to log into the VPN connection.

I am hoping to find a better solution for this, as in iOS 11 we used to be able to download the certificate through the AnyConnect app directly using the "Get Certificate" button, but this is what works for us so far.

@mmcguire79 Thank you for your response.

We used to use Cisco ASA 5525 as our CA server, but it is not an option anymore since the ASA is not able to issue SHA256 user certificates (only SHA1, which is not an option in iOS 12).

If you are able to create SHA256 user certificates from your ASA, please do elaborate on which software versions and ASA you are using.

Would greatly appreciate that information

Actually, our user certificates are still SHA1.
I was not aware of iOS 12 deprecating SHA1, but that does start to put the pieces together. I wonder if that is the reason I'm having difficulty installing certificates any other way than what I've found so far. That might explain why I can't connect and retrieve the certificates from the AnyConnect app, and why when I do import them via the URL to the ASA and Chrome, the AnyConnect app uses its own certificate store for our user certificates, separate from iOS' certificate store.

Are you able to connect via AnyConnect on an iOS 12 device using SHA1?

If so, how do you fill out the URL in the AnyConnect app on the iOS devices to connect to your ASA? Is that a local path or external IP?



We are still struggling to find a way to import the certificate to our AnyConnect app on our iPads using the URL function, since we have no interest in publishing the certificates outside our domain.

Would be nice if there were proper instructions to follow from Cisco
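Added example, not from the thread or from Cisco: since the posts above say iOS 12 will not use SHA1-signed user certificates, this stdlib-only Python script reads a certificate's outer signatureAlgorithm OID with a minimal DER walker and flags SHA-1 signatures, so a certificate can be checked before it is pushed via MDM. The two sample certificates are constructed DER skeletons (a stand-in tbsCertificate and an empty signature), not real certificates; `load_pem`, `to_pem`, the OID table and the helper names are my additions.

```python
"""Flag X.509 certificates signed with SHA-1 before pushing them to iOS devices.

Added example, standard library only. A minimal DER walker reads the outer
Certificate SEQUENCE, skips tbsCertificate and decodes the signatureAlgorithm
OID. It does not verify the signature or parse extensions.
"""
import base64
import sys

# Standard OIDs (dotted form) of common signature algorithms.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_DIGEST_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(buf, pos):
    """Decode one DER element at pos: return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents):
    """Convert OBJECT IDENTIFIER contents bytes to dotted notation."""
    arcs = [str(contents[0] // 40), str(contents[0] % 40)]
    cur = 0
    for b in contents[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(str(cur))
            cur = 0
    return ".".join(arcs)


def signature_algorithm(cert_der):
    """Return the name (or dotted OID) of the certificate's signature algorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate: not needed here
    tag, alg_id, _ = read_tlv(cert, pos)   # signatureAlgorithm: AlgorithmIdentifier
    tag_oid, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)


def check_certificate(cert_der):
    """Report the algorithm and whether its digest is one iOS 12 rejects per the thread."""
    name = signature_algorithm(cert_der)
    return {"algorithm": name, "weak_digest": name in WEAK_DIGEST_ALGS}


def load_pem(text):
    """Extract the DER bytes from a PEM-encoded certificate."""
    body = [l for l in text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def to_pem(cert_der):
    """Wrap DER bytes in PEM armour (used here to round-trip the samples)."""
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed sample data (not real certificates) -------------------------
def der(tag, payload):
    """Encode tag + DER length + payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def fake_cert(sig_oid):
    """Certificate skeleton with the given signature OID; tbsCertificate and
    the signature are placeholders, just enough for the walker to traverse."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))   # AlgorithmIdentifier
    tbs = der(0x30, der(0x02, b"\x02") + alg)                # stand-in tbsCertificate
    sig = der(0x03, b"\x00" * 17)                            # empty BIT STRING
    return der(0x30, tbs + alg + sig)


SHA1_CERT = fake_cert("1.2.840.113549.1.1.5")      # constructed sample
SHA256_CERT = fake_cert("1.2.840.113549.1.1.11")   # constructed sample

if __name__ == "__main__":
    if len(sys.argv) > 1:                # python check_cert.py user.pem
        with open(sys.argv[1]) as f:
            print(check_certificate(load_pem(f.read())))
    else:
        for label, c in (("sha1 sample", SHA1_CERT), ("sha256 sample", SHA256_CERT)):
            print(label, check_certificate(c))
```

Run it against the PEM export of each user certificate before enrolling devices; a `weak_digest` of True means the certificate needs re-issuing from a CA that signs with SHA-256, which is the situation the ASA-as-CA posts above describe.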
