AnyConnect with Certificate Authentication, SCEPman CA, Azure & MDM managed devices only

Solved
karls1
Conversationalist


Hi,

 

Trying to configure AnyConnect with Certificate Authentication. Since there are no visible logs available from the Meraki interface, I am unable to troubleshoot and understand what is really happening here. I have tried to contact Meraki support on several occasions, but have been met by agents without real knowledge or understanding about this, plus 1-2 hours wait time on the telephone with random disconnects. I guess beta features with beta support go hand in hand.

 

This gives me the opportunity to try and ask the Community to see if there is somebody out there that has a working configuration. I have been told by others that it should work, but they have not given any details about it so not sure. It seems so basic, but I just can't figure it out. Does anybody have some pointers? 

 

I have not tested if {{DeviceName}} should be added to SAN, or whether the issue is that I really need a (public) Root CA and issue SCEPman an Intermediate CA Certificate (but Meraki documentation does not really mention the need for it). Does anybody know?

 

My configuration is as follows:

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
	<ClientInitialization>
		<AuthenticationTimeout>60</AuthenticationTimeout>
		<AutomaticCertSelection>false</AutomaticCertSelection>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>AnyConnect</HostName>
			<HostAddress>***.dynamic-m.com</HostAddress>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

 

When connecting, attempting both the Machine and the User certificate, I get the following error:

Capture.PNG

The causing error in the Event Log, I assume:

Function: ConnectMgr::certAuthHasFailed
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\connectmgr.cpp
Line: 16651
Certificate authentication requested from gateway, no valid certs found in users cert store.

Here are Event Logs leading to the Error above - User certificate:

Certificate authentication requested from gateway, no valid certs found in users cert store.
Client certificate requested by peer (via AggAuth)
Issuer not found in CA Names from server for cert: /L={{AAD_Device_ID}}/CN={{User_Principal_Name}}
Client certificate requested by peer
Return success from VerifyServerCertificate
User Selected Certificate: *** USER CERT ***
Client certificate requested by peer (via AggAuth)
Client certificate requested by peer
Return success from VerifyServerCertificate

And Machine certificate:

Certificate authentication requested from gateway, no valid certs found in users cert store.
Client certificate requested by peer (via AggAuth)
[MCA] One certificate sent at protocol layer
Issuer not found in CA Names from server for cert: /CN={{AAD_Device_ID}}
Client certificate requested by peer
Return success from VerifyServerCertificate
User Selected Certificate: *** MACHINE CERT ***

 

 

 

1 Accepted Solution
FlyingDutchman
Here to help


15 Replies
PhilipDAth
Kind of a big deal

The MX checks to see if the certificate presented by the client is signed by the CA certificate you upload to it.  That's it.

karls1
Conversationalist

Thank you for the suggestion PhilipDAth and Inderdeep. I checked with certutil on the Windows device, and the certificate and chain is verified and in order.

 

Just to double check there is no other unknown issues with it, I generated self-signed machine certificate with self-signed root CA signer, uploaded CA certificate to the MX and installed self-signed machine certificate on the device. Unfortunately no change.

JohnT
Getting noticed

I'm experiencing the same issue.  I have a Windows AD CA on my local domain.  I exported the root certificate and imported it into AnyConnect.  My laptop has a device certificate signed by the root authority.  Everything looks good, but it won't let me connect and I receive a certificate error.

PhilipDAth
Kind of a big deal

Maybe something had been broken.

 

16.11 has some certificate fixes in it.  Could you try that please.

 

Otherwise I'll draw some attention to this thread.

JohnT
Getting noticed

I've tested on previous builds, and I'm on 16.11 now with no luck.  It's possible I'm doing something wrong or misunderstanding how this feature should work.

karls1
Conversationalist

I have tried version 16.8, 16.10 and 16.11. I have also disabled and re-enabled AnyConnect between each upgrade, and changed DDNS just in case if there was any issues with that (Meraki support suggested this).

 

I have never been able to get it to work though, which is why I am unsure on the configuration as per the thread start. 

FlyingDutchman
Here to help

Have you tried it with a Base64 encoded certificate from the CA?

FlyingDutchman_0-1628692383773.png

 

JohnT
Getting noticed

Good call on base 64, but that didn't seem to work either.  Same error.

FlyingDutchman
Here to help

I've got it working now.

Current version: MX 16.10 with Base 64 certificate and AnyConnect 4.10.00093

Maybe that helps 😉

JohnT
Getting noticed

@FlyingDutchman That's great news.  Did you export the CA Root with or without the private key?

FlyingDutchman
Here to help

Without. I took it from the MS AD Certificate Service: mydomaincontroller/certsrv - download CA certificate

 

You have a single Root CA in your environment? If not, you might need to download it with the certificate chain.

JohnT
Getting noticed

Unfortunately, I'm not running the web enrollment feature so I don't have the web interface.  However, I can export the root CA with the MMC GUI, and also via the certutil command line with no luck.  I'm running a single CA and it seems to be functioning properly otherwise.  I'm not sure what else to do.

JimmyM
Getting noticed

Hi,

 

I recently tried to do that also. But without a CA.

With only a self-signed Root CA and a client certificate signed with this root CA.

 

It's not the best way, but it is an easy way to get it done.

 

First, in Windows 10 with PowerShell, generate a Root CA cert.

 

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=MerakiRootCert" -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(15) -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

 

Image-2021-08-11_19h05_001_JHO-CCTI-SF2.png

 

Don't close your PowerShell session.

 

This self-signed root CA certificate will be stored in your user personal store.

 

Now export it on your desktop in Base64 format. No need to export private key.

 

Image-2021-08-11_19h18_2_JHO-CCTI-SF2.png
Image-2021-08-11_19h27_001_JHO-CCTI-SF2.png

 

Then upload it to your Dashboard.

 

Image-2021-08-11_19h29_002_JHO-CCTI-SF2.png

 

Now create a client certificate signed by the self-signed root CA.

 

New-SelfSignedCertificate -Type Custom -DnsName MerakiChildCert -KeySpec Signature -Subject "CN=MerakiChildCert" -NotAfter (Get-Date).AddYears(15) -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

 

Image-2021-08-11_19h33_001_JHO-CCTI-SF2.png

 

 

 

That's it.

 

If you want to deploy the certificate to other computers, you can export it and import it manually or with a GPO.

 

Regards,

 

 

JimmyM
Getting noticed

You can use the exact same way to create Azure Client VPN.

 

Regards,

karls1
Conversationalist

Hahaha, that resolved it! I can now confirm it is working with version 16.11 and AnyConnect Client v4.10.00093. 

 

Those that use a different CA can convert certificates manually with certutil.

 

 

certutil -encode filename.cer newfilename.cer

 

 

 

Thanks everyone!
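As an added example (not code from the thread or from Meraki), here is JimmyM's procedure and karls1's certutil conversion done end to end in PowerShell: a self-signed root CA, a Base64/PEM export of its public certificate for the Dashboard upload, a client-auth certificate signed by that root, and a chain/EKU check to run before testing AnyConnect. Subject names and the export path are assumed values; it targets Windows PowerShell 5.1, where New-SelfSignedCertificate is available.

```powershell
# Added example, not part of the thread. Subject names and output path are assumed.
$ErrorActionPreference = "Stop"
$outDir = Join-Path $env:USERPROFILE "Desktop"           # assumed export location

# Wrap DER bytes in PEM armour (64-char lines), the same result as 'certutil -encode'.
function ConvertTo-PemCertificate([byte[]]$Der) {
    $b64   = [Convert]::ToBase64String($Der)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"
}

# 1. Root CA (CertSign key usage) in the user's personal store.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=MerakiRootCert" `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(15) -HashAlgorithm sha256 `
    -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Public certificate only (no private key), Base64/PEM encoded for the Dashboard upload.
$der  = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$path = Join-Path $outDir "MerakiRootCert-base64.cer"
Set-Content -Path $path -Value (ConvertTo-PemCertificate $der) -Encoding Ascii -NoNewline
# An existing DER .cer from another CA can be wrapped the same way:
#   ConvertTo-PemCertificate ([IO.File]::ReadAllBytes("C:\path\to\ca.cer"))

# 3. Client certificate signed by the root, EKU = Client Authentication (1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate -Type Custom -DnsName MerakiChildCert -KeySpec Signature `
    -Subject "CN=MerakiChildCert" -NotAfter (Get-Date).AddYears(15) -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 4. Checks: the client cert chains to the root that will be uploaded, and it carries
#    the client-auth EKU. The root is not in Trusted Root here, so allow an unknown CA
#    and skip revocation (a self-signed root of this kind publishes no CRL).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = "NoCheck"
$chain.ChainPolicy.VerificationFlags = "AllowUnknownCertificateAuthority"
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$built   = $chain.Build($client)
$top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$ekuExt  = $client.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

"Chain builds to the root      : " + ($built -and $top.Thumbprint -eq $root.Thumbprint)
"Client Authentication EKU     : " + ($ekuOids -contains "1.3.6.1.5.5.7.3.2")
"Base64 CA certificate written : $path"
```

If the chain check fails here, the MX will fail it too; fix the signer or the store before touching the AnyConnect configuration.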
