Hi,
Trying to configure AnyConnect with Certificate Authentication. Since there are no visible logs available from Meraki interface, I am unable to troubleshoot and understand what is really happening here. I have tried to contact Meraki support on several occasion, but have been met by agents without real knowledge or understanding about this, plus 1-2 hours wait time on the telephone with random disconnects. I guess beta features with beta support go hand in hand.
This gives me the opportunity to try and ask the Community to see if there is somebody out there that has a working configuration. I have been told by others that it should work, but they have not given any details about it so not sure. It seems so basic, but I just can't figure it out. Does anybody have some pointers?
I have not tested if {{DeviceName}} should be added to SAN, or that the issue is that I really need a (public) Root CA and issue SCEPman with Intermediate CA Certificate (but Meraki documentation does not really mention the need for it). Anybody knows?
My configuration is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ClientInitialization>
<AuthenticationTimeout>60</AuthenticationTimeout>
<AutomaticCertSelection>false</AutomaticCertSelection>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>AnyConnect</HostName>
<HostAddress>***.dynamic-m.com</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
When connecting, attempting both Machine and User certificate, gives the following Error:
The causing Error in Event Log I assume:
Function: ConnectMgr::certAuthHasFailed
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\connectmgr.cpp
Line: 16651
Certificate authentication requested from gateway, no valid certs found in users cert store.
Here are Event Logs leading to the Error above - User certificate:
Certificate authentication requested from gateway, no valid certs found in users cert store.
Client certificate requested by peer (via AggAuth)
Issuer not found in CA Names from server for cert: /L={{AAD_Device_ID}}/CN={{User_Principal_Name}}
Client certificate requested by peer
Return success from VerifyServerCertificate
User Selected Certificate: *** USER CERT ***
Client certificate requested by peer (via AggAuth)
Client certificate requested by peer
Return success from VerifyServerCertificate
And Machine certificate:
Certificate authentication requested from gateway, no valid certs found in users cert store.
Client certificate requested by peer (via AggAuth)
[MCA] One certificate sent at protocol layer
Issuer not found in CA Names from server for cert: /CN={{AAD_Device_ID}}
Client certificate requested by peer
Return success from VerifyServerCertificate
User Selected Certificate: *** MACHINE CERT ***
Solved! Go to solution.
The MX checks to see if the certificate presented by the client is signed by the CA certificate you upload to it. That's it.
Thank you for the suggestion PhilipDAth and Inderdeep. I checked with certutil on the Windows device, and the certificate and chain is verified and in order.
Just to double check there is no other unknown issues with it, I generated self-signed machine certificate with self-signed root CA signer, uploaded CA certificate to the MX and installed self-signed machine certificate on the device. Unfortunately no change.
I'm experiencing the same issue. I have a Windows AD CA on my local domain. I exported the root certificate and imported it into AnyConnect. My laptop has a device certificate signed by the root authority. Everything looks good, but it won't let me connect and I receive a certificate error.
Maybe something had been broken.
16.11 has some certificate fixes in it. Could you try that please.
Otherwise I'll draw some attention to this thread.
I've tested on previous builds, and I'm on 16.11 now with no luck. It's possible I'm doing something wrong or misunderstanding how this feature should work.
I have tried version 16.8, 16.10 and 16.11. I have also disabled and re-enabled AnyConnect between each upgrade, and changed DDNS just in case if there was any issues with that (Meraki support suggested this).
I have never been able to get it to work though, which is why I am unsure on the configuration as per the thread start.
Have you tried it with an Base64 encoded certificate from the CA?
Good call on base 64, but that didn't seem to work either. Same error.
I ve it working now..
Current version: MX 16.10 with Base 64 certificate and AnyConnect 4.10.00093
Maybe that helps 😉
@FlyingDutchman That's great news. Did you export the CA Root with or without the private key?
Without. I took it from the MS AD Certificate Service: mydomaincontroller/certsrv - download CA certificate
You have a single Root CA in your environment? If not, you might need tho download it with the certificate chain.
Unfortunately, I'm not running the web enrollment feature so I don't have the web interface. However, I can export the root CA with the MMC GUI, and also via the certutil command line with no luck. I'm running a single CA and it seems to be functioning properly otherwise. I'm not sure what else to do.
Hi,
I recently tried to do that also. But without a CA.
With only a Self-Sign Root CA and a client certificate signed with this root CA.
It’s not the best way, but an easy way to get it done.
First, in Windows 10 with Powershell, generate a Root CA cert.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=MerakiRootCert" -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(15) -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
Don’t close your Powershell
This Self-sign root CA certificate will be stored in your user personal store.
Now export it on your desktop in Base64 format. No need to export private key.
Then Upload it on your Dashboard
Now
Create a client certificate signed by the Self-sign root ca.
New-SelfSignedCertificate -Type Custom -DnsName MerakiChildCert -KeySpec Signature -Subject "CN=MerakiChildCert" -NotAfter (Get-Date).AddYears(15) -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
That it.
If you want to deploy the certificate to other computers, you can export it and import it manually or with a GPO.
Regards,
You can use the exact same way to create Azure Client VPN.
Regards,
Hahaha, that resolved it! I can now confirm it is working with version 16.11 and AnyConnect Client v4.10.00093.
Those that use different CA, you can convert certificates manually with certutil.
certutil -encode filename.cer newfilename.cer
Thanks everyone!