AnyConnect and Certificate Authentication

ScottG67
Here to help

Hello All,

I have an MX250 with firmware version 16.16.4 and a client version of 4.10.05085. I have configured AnyConnect with SAML MFA. In this configuration I have a working AnyConnect setup. I now want to add Certificate Authentication. I have created a self-signed CA certificate and added it to the Meraki MX device.

[screenshot: ScottG67_1-1668112794492.png]

I have then created a certificate issued by the CA I uploaded. I have added this new certificate to the Computer -> Personal certificate store. I have also added the CA certificate to the Computer -> Trusted Root Certification Authorities store.

I now have a certificate that is trusted and working on my machine; however, when I try to start a VPN connection I keep getting the error "No valid Certificates available for authentication."

I have disabled "Enable automatic certificate selection" so I can make sure it is using the right cert; however, still no success. What am I missing here?

Thanks,

Scott

5 Replies

alemabrahao
Kind of a big deal

Take a look at this:


https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ScottG67
Here to help

Hello,

I have followed this documentation when I configured the Meraki with the certificate required. When I upload the certificate I see the following on the console.

[screenshot: ScottG67_0-1668444271885.png]

After I save the changes and refresh the page I see the following:

[screenshot: ScottG67_1-1668444271887.png]

Is this last image saying that we do not have a certificate for this configuration now, or that it has been uploaded and we do?

Thanks,

Scott

alemabrahao
Kind of a big deal

Have you opened a support case? I'm almost certain that it's correct: no certificate will be shown after applying it, but I think you have to confirm with Meraki support.

ScottG67
Here to help

I have opened a case and the technician I was talking to says everything I have done looks correct. They are going to try and reproduce the issue in a lab. Once I know the outcome I will post back for future cases.

ScottG67
Here to help

I have solved this. The documentation provided here https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication specifies that a .pem or .cer cert needs to be applied to the concentrator and a child cert needs to be applied to the endpoint. In the above document it has an image of a Windows cert store with a cert highlighted; the issue here is that the cert needs to have the private key with it. In the image you can see it is not there; only the cert is imported. Once I imported the cert and private key (thankfully I didn't need to make the private key exportable), I had a successful configuration.
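As an added check (my own example, not code from the thread or from Meraki), this PowerShell function lists the certificates in Computer -> Personal issued by a given CA and reports, for each one, whether the private key is present (the cause of the "No valid Certificates available" error above), whether it is inside its validity period, whether it carries the Client Authentication EKU, and whether the issuing CA is in the machine's Trusted Root store. The CA name "MyLabCA" is a placeholder for your own CA's subject.

```powershell
# Added example, not from the original thread. Checks whether a client certificate
# in the Local Computer store is usable for AnyConnect certificate authentication.
# Assumption: the CA's subject contains the pattern you pass (placeholder "MyLabCA").
function Test-AnyConnectClientCert {
    param(
        [Parameter(Mandatory)] [string] $CaNamePattern
    )
    $results = @()

    # Is the CA itself trusted by the machine (Trusted Root Certification Authorities)?
    $caTrusted = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$CaNamePattern*" }).Count -gt 0

    # Candidate client certs: issued by that CA and sitting in Computer -> Personal.
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$CaNamePattern*" }

    foreach ($cert in $candidates) {
        $now = Get-Date
        # Collect EKU OIDs; Client Authentication is 1.3.6.1.5.5.7.3.2.
        # A cert with no EKU extension at all is treated as unrestricted.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

        $results += [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            # $false here is exactly the condition that produced the thread's error:
            # the cert was imported without its private key.
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ClientAuthEKU = ($ekus.Count -eq 0 -or $ekus -contains '1.3.6.1.5.5.7.3.2')
            CaTrusted     = $caTrusted
        }
    }
    return $results
}

# Run from an elevated PowerShell prompt on the endpoint; every column should be True.
Test-AnyConnectClientCert -CaNamePattern 'MyLabCA' | Format-Table -AutoSize
```

If no rows come back at all, the cert was imported into the current user's store rather than Computer -> Personal, which AnyConnect will also not see.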
