Meraki

Community

AnyConnect with Certificate Authentication, SCEPman CA, Azure & MDM managed devices only

Solved
karls1
Conversationalist
‎Aug 10 2021 4:42 AM
‎Aug 10 2021 4:42 AM

AnyConnect with Certificate Authentication, SCEPman CA, Azure & MDM managed devices only

Hi,

 

Trying to configure AnyConnect with Certificate Authentication. Since there are no visible logs available from Meraki interface, I am unable to troubleshoot and understand what is really happening here. I have tried to contact Meraki support on several occasion, but have been met by agents without real knowledge or understanding about this, plus 1-2 hours wait time on the telephone with random disconnects. I guess beta features with beta support go hand in hand.

 

This gives me the opportunity to try and ask the Community to see if there is somebody out there that has a working configuration. I have been told by others that it should work, but they have not given any details about it so not sure. It seems so basic, but I just can't figure it out. Does anybody have some pointers? 

 

I have not tested if {{DeviceName}} should be added to SAN, or that the issue is that I really need a (public) Root CA and issue SCEPman with Intermediate CA Certificate (but Meraki documentation does not really mention the need for it). Anybody knows?

 

My configuration is as follows:

 

Spoiler
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
	<ClientInitialization>
		<AuthenticationTimeout>60</AuthenticationTimeout>
		<AutomaticCertSelection>false</AutomaticCertSelection>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>AnyConnect</HostName>
			<HostAddress>***.dynamic-m.com</HostAddress>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

 

When connecting, attempting both Machine and User certificate, gives the following Error:

Capture.PNG

The causing Error in Event Log I assume:

Function: ConnectMgr::certAuthHasFailed
File: c:\temp\build\thehoff\phoenix_fcs0.660176920511\phoenix_fcs\vpn\api\connectmgr.cpp
Line: 16651
Certificate authentication requested from gateway, no valid certs found in users cert store.

Here are Event Logs leading to the Error above - User certificate:

Certificate authentication requested from gateway, no valid certs found in users cert store.
Client certificate requested by peer (via AggAuth)
Issuer not found in CA Names from server for cert: /L={{AAD_Device_ID}}/CN={{User_Principal_Name}}
Client certificate requested by peer
Return success from VerifyServerCertificate
User Selected Certificate: *** USER CERT ***
Client certificate requested by peer (via AggAuth)
Client certificate requested by peer
Return success from VerifyServerCertificate

And Machine certificate:

Certificate authentication requested from gateway, no valid certs found in users cert store.
Client certificate requested by peer (via AggAuth)
[MCA] One certificate sent at protocol layer
Issuer not found in CA Names from server for cert: /CN={{AAD_Device_ID}}
Client certificate requested by peer
Return success from VerifyServerCertificate
User Selected Certificate: *** MACHINE CERT ***

 

 

 

Labels:
1 Accepted Solution
In response to karls1
FlyingDutchman
Here to help
‎Aug 11 2021 7:33 AM
‎Aug 11 2021 7:33 AM

Have you tried it with an Base64 encoded certificate from the CA?

FlyingDutchman_0-1628692383773.png

 

View solution in original post

0 Kudos
15 Replies 15
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 10 2021 6:22 AM
‎Aug 10 2021 6:22 AM

The MX checks to see if the certificate presented by the client is signed by the CA certificate you upload to it.  That's it.

0 Kudos
karls1
Conversationalist
‎Aug 10 2021 10:12 AM
‎Aug 10 2021 10:12 AM

Thank you for the suggestion PhilipDAth and Inderdeep. I checked with certutil on the Windows device, and the certificate and chain is verified and in order.

 

Just to double check there is no other unknown issues with it, I generated self-signed machine certificate with self-signed root CA signer, uploaded CA certificate to the MX and installed self-signed machine certificate on the device. Unfortunately no change.

0 Kudos
JohnT
Getting noticed
‎Aug 10 2021 11:26 AM
‎Aug 10 2021 11:26 AM

I'm experiencing the same issue.  I have a Windows AD CA on my local domain.  I exported the root certificate and imported it into AnyConnect.  My laptop has a device certificate signed by the root authority.  Everything looks good, but it won't let me connect and I receive a certificate error.

0 Kudos
In response to JohnT
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 10 2021 12:31 PM
‎Aug 10 2021 12:31 PM

Maybe something had been broken.

 

16.11 has some certificate fixes in it.  Could you try that please.

 

Otherwise I'll draw some attention to this thread.

0 Kudos
In response to PhilipDAth
JohnT
Getting noticed
‎Aug 10 2021 2:25 PM
‎Aug 10 2021 2:25 PM

I've tested on previous builds, and I'm on 16.11 now with no luck.  It's possible I'm doing something wrong or misunderstanding how this feature should work.

0 Kudos
In response to PhilipDAth
karls1
Conversationalist
‎Aug 10 2021 3:19 PM
‎Aug 10 2021 3:19 PM

I have tried version 16.8, 16.10 and 16.11. I have also disabled and re-enabled AnyConnect between each upgrade, and changed DDNS just in case if there was any issues with that (Meraki support suggested this).

 

I have never been able to get it to work though, which is why I am unsure on the configuration as per the thread start. 

0 Kudos
In response to karls1
FlyingDutchman
Here to help
‎Aug 11 2021 7:33 AM
‎Aug 11 2021 7:33 AM

Have you tried it with an Base64 encoded certificate from the CA?

FlyingDutchman_0-1628692383773.png

 

0 Kudos
In response to FlyingDutchman
JohnT
Getting noticed
‎Aug 11 2021 8:14 AM
‎Aug 11 2021 8:14 AM

Good call on base 64, but that didn't seem to work either.  Same error.

0 Kudos
In response to JohnT
FlyingDutchman
Here to help
‎Aug 11 2021 8:29 AM
‎Aug 11 2021 8:29 AM

I ve it working now..

Current version: MX 16.10 with Base 64 certificate and AnyConnect 4.10.00093

Maybe that helps 😉

0 Kudos
In response to FlyingDutchman
JohnT
Getting noticed
‎Aug 11 2021 9:17 AM
‎Aug 11 2021 9:17 AM

@FlyingDutchman That's great news.  Did you export the CA Root with or without the private key?

0 Kudos
In response to JohnT
FlyingDutchman
Here to help
‎Aug 11 2021 9:21 AM
‎Aug 11 2021 9:21 AM

Without. I took it from the MS AD Certificate Service: mydomaincontroller/certsrv - download CA certificate

 

You have a single Root CA in your environment? If not, you might need tho download it with the certificate chain.

0 Kudos
In response to FlyingDutchman
JohnT
Getting noticed
‎Aug 11 2021 3:05 PM
‎Aug 11 2021 3:05 PM

Unfortunately, I'm not running the web enrollment feature so I don't have the web interface.  However, I can export the root CA with the MMC GUI, and also via the certutil command line with no luck.  I'm running a single CA and it seems to be functioning properly otherwise.  I'm not sure what else to do.

0 Kudos
In response to JohnT
JimmyM
Getting noticed
‎Aug 11 2021 4:46 PM
‎Aug 11 2021 4:46 PM

Hi,

 

I recently tried to do that also. But without a CA.

With only a Self-Sign Root CA and a client certificate signed with this root CA.

 

It’s not the best way, but an easy way to get it done.

 

First, in Windows 10 with Powershell, generate a Root CA cert.

 

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=MerakiRootCert" -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(15) -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

 

Image-2021-08-11_19h05_001_JHO-CCTI-SF2.png

 

Don’t close your Powershell

 

This Self-sign root CA certificate will be stored in your user personal store.

 

Now export it on your desktop in Base64 format. No need to export private key.

 

Image-2021-08-11_19h18_2_JHO-CCTI-SF2.pngImage-2021-08-11_19h27_001_JHO-CCTI-SF2.png

 

Then Upload it on your Dashboard

 

Image-2021-08-11_19h29_002_JHO-CCTI-SF2.png

 

Now

 

Create a client certificate signed by the Self-sign root ca.

 

New-SelfSignedCertificate -Type Custom -DnsName MerakiChildCert -KeySpec Signature -Subject "CN=MerakiChildCert" -NotAfter (Get-Date).AddYears(15) -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

 

Image-2021-08-11_19h33_001_JHO-CCTI-SF2.png

 

 

 

That it.

 

If you want to deploy the certificate to other computers, you can export it and import it manually or with a GPO.

 

Regards,

 

 

In response to JimmyM
JimmyM
Getting noticed
‎Aug 11 2021 4:49 PM
‎Aug 11 2021 4:49 PM

You can use the exact same way to create Azure Client VPN.

 

Regards,

0 Kudos
In response to FlyingDutchman
karls1
Conversationalist
‎Aug 12 2021 1:55 AM
‎Aug 12 2021 1:55 AM

Hahaha, that resolved it! I can now confirm it is working with version 16.11 and AnyConnect Client v4.10.00093. 

 

Those that use different CA, you can convert certificates manually with certutil.

 

 

certutil -encode filename.cer newfilename.cer

 

 

 

Thanks everyone!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.