08-09-2018 05:40 AM - edited 02-21-2020 09:26 PM
Hi guys,
I'm looking for some help please.
We have used the legacy AnyConnect App for iOS for a long time (before it was legacy) and we have used Certificate Authentication very happily.
We are now looking to move to the current AnyConnect app, for iOS 12 etc., but we cannot get cert auth to work at all, even though it's the same cert for both apps.
The cert and VPN profile are pushed to the devices via an MDM solution and the devices are receiving the profile and the cert just fine. Both the legacy and new AnyConnect app can see the authentication cert fine as well.
Whenever we try to connect using the new AnyConnect app we receive the message:
This connection requires a client certificate, but no matching certificate could be found. Please modify the connection, choose a valid certificate or automatic certificate selection, and try again.
Looking through the debug logs from a device I keep seeing this message:
Info: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
As well as:
[08-09-18 13:09:00:990] Info: Function: processResponseStringFromSG File: ConnectMgr.cpp Line: 11991 Client certificate requested by peer (via AggAuth)
[08-09-18 13:09:01:001] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 372 device IMEI is not supported
[08-09-18 13:09:01:010] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 189 device MAC address is not supported
[08-09-18 13:09:01:011] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 209 device IMEI is not supported
[08-09-18 13:09:02:152] Warning: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 1250 No profile available for host New Cisco AnyConnect Test.
[08-09-18 13:09:02:152] Info: Function: getHostInitSettings File: ProfileMgr.cpp Line: 1334 Profile () not found. Using default settings.
[08-09-18 13:09:02:153] Info: Message type prompt sent to the user: Certificate Validation Failure
Is anyone able to shine any light on the issue at all? I really can't work it out. I was led to believe the new AnyConnect Client would just work, but obviously not...
Any help really appreciated.
09-25-2018 07:42 AM
Hi Allynl
We have the same problem as you. Have you found any solution?
09-26-2018 02:10 AM - edited 09-26-2018 02:11 AM
Unfortunately not, we have raised a case to Cisco Support and they haven't been much help either so far... :(
11-08-2018 02:55 PM
Same issue here. How many people are testing with a newly released Apple iOS device? I am able to connect using the App and the new iOS 12 on older devices but the latest New iPad Pro does not work and gives this message. Please reply with your device type.
11-27-2018 05:50 AM
This is still an issue. We tried using iPhone Configurator 2 to import user certificates from our CA server with no luck.
The user certificate is visible on the iPad VPN setting, but not on the new Cisco AnyConnect app.
At first we recognized it was because we were using SHA1, so we published new SHA256 from our CA server but still we cannot select the new SHA256 in Cisco AnyConnect.
Is it possible that AnyConnect does not have access to the iPad cert store?
And is the only way to import certificates to the new app through a URL? That seems odd...
Hope someone is coming up with a solution; we cannot update our iPads to iOS 12 until this is fixed.
11-27-2018 12:13 PM
11-28-2018 01:21 AM
@mmcguire79 Thank you for your response.
We used to use Cisco ASA 5525 as our CA server, but it is not an option anymore since the ASA is not able to issue SHA256 user certificates (only SHA1, which is not an option in iOS 12).
If you are able to create SHA256 user certificates from your ASA, please do elaborate on which software versions and ASA you are using.
Would greatly appreciate that information.
11-28-2018 10:40 AM
12-03-2018 12:00 AM