Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AnyConnect and Certificate Authentication

ScottG67
Here to help
‎Nov 10 2022 12:57 PM
‎Nov 10 2022 12:57 PM

AnyConnect and Certificate Authentication

Hello All,

 

       I have an MX250 with firmware version 16.16.4 and a client of 4.10.05085. I have configured AnyConnect with SAML MFA. In this configuration I have a working AnyConnect setup. I now want to add Certificate Authentication. I have created a self signed CA certificate and added it to the Meraki MX device. 

 

ScottG67_1-1668112794492.png

 

I have then created a certificate issues by the CA I uploaded. I have added this new certificate to the Computer->personal certificate store. I have also added the CA certificate to the Computer -> Trusted Root Certification Authorities store. 

 

I now have a Certificate that is trusted and working on my machine; however, when I try to start a VPN connection I keep getting the error "No valid Certificates available for authentication."

 

I have disabled "Enable automatic certificate selection" so I make sure it is using the right cert; however, still no success. What am I missing here?

 

Thanks,

Scott

0 Kudos
Subscribe
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 13 2022 4:00 AM
‎Nov 13 2022 4:00 AM

Take a look at this:

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
ScottG67
Here to help
‎Nov 14 2022 8:45 AM
‎Nov 14 2022 8:45 AM

Hello,

 

                I have followed this documentation when I configured the Meraki with the certificate required. When I upload the certificate I see the following on the console.

 

ScottG67_0-1668444271885.png

 

 

After I save the changes and refresh the page I see the following:

 

ScottG67_1-1668444271887.png

 

 

Is this last image saying that we do not have a certificate for this configuration now or that it has been uploaded and we do?

 

Thanks,

Scott

0 Kudos
Subscribe
In response to ScottG67
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 14 2022 9:03 AM
‎Nov 14 2022 9:03 AM

Have you opened a support case? I'm almost right that It's correct, no Certificate will be shown after applying it, but I think you have to confirm with Meraki support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
ScottG67
Here to help
‎Nov 15 2022 7:20 AM
‎Nov 15 2022 7:20 AM

I have opened a case and the technician I was talking to says everything I have done looks correct. They are going to try and reproduce the issue in a lab. Once I know the outcome I will post back for future cases.

0 Kudos
Subscribe
ScottG67
Here to help
‎Nov 30 2022 8:54 AM
‎Nov 30 2022 8:54 AM

I have solved this. The documentation provided here https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication 

specifies that a .pem or .cer cert needs to be applied to the concentrator and a child cert needs to be applied to the endpoint. In the above document it has an image of a windows cert store with a cert highlighted, the issue here is that cert needs to have the private key with it. In the image you can see it is not there are only the cert is imported. Once I imported the cert and private key, thankfully I didn't need to me the private key exportable, I had a successful configuration.  

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.