Hi
I'm stumped so wanted to reach out to the community in hopes that someone has some wisdom or guidance to share.
I'm testing AnyConnect VPN with Certificate Authentication. This is on a MX250 running v16.16 firmware and AnyConnect Client v4.10.05085 for Windows. Using a self-signed root certificate (uploaded to MX as a pem file) and a self-signed client certificate (installed to the Windows PC in Computer/Personal certificate store), it works like a champ!
However, for better certificate management and deployment experience, there's a preference to try and use Microsoft CA Services to deploy the client certificates. With this in mind, I:
If anyone has had any success with using an exported CA root certificate from a Microsoft CA server (Server 2016) and a client certificate issued from the same CA server, I'd appreciate any thoughts on how you got it working or if I've overlooked something.
Thanks!
Did you definitely install a user certificate into the user certificate store on the machine - as opposed to the machine certificate store?
Thanks for the helpful feedback. During my initial testing with the self-signed certificates, I installed those to the Machine certificate store. Since AnyConnect worked in that configuration, I proceeded to install the CA signed certificates to the Computer store as well. In hindsight, I suspect that I was signed into the machine as an admin which made those self-signed certificates in the Computer store accessible to AnyConnect.
What you suggested (installing the CA certs to User certificate store) worked so thank you for pointing me in the right direction.
With the new understanding that the User certificate store is where the CA certificates need to be, is there a best practice approach to prevent a non-privileged user from exporting the User certificates for install on a non-approved device?
In the end, we're aiming to limit AnyConnect VPN to just corporate assets. With AnyConnect/ASA, I recall that Dynamic Access Policies could further "inspect" the endpoint but that feature doesn't exist in Meraki's AnyConnect implementation.
The trusted CA certificate should be able to go into the machine store. That is global. The user certificate must go into the user certificate store.
>is there a best practice approach to prevent a non-privileged user from exporting the User certificates for install on a non-approved device
When you import the user certificate, untick the option that allows the private key to be exported.
>With AnyConnect/ASA, I recall that Dynamic Access Policies could further "inspect" the endpoint
You can do something similar if you use Cisco Duo Beyond for the AnyConnect MFA, and configure AnyConnect to use SAML against Duo.
https://duo.com/docs/beyond-overview
https://duo.com/docs/device-health
https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication
Again, thank you. After some additional testing, with the CA Server set to not allow the private key to be exported and with the user certificate installed to user certificate store, things seem to be functioning as expected.
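The store placement and non-exportable-key advice from the thread above, as an added PowerShell example (not code from the original posts or from Meraki/Cisco). It assumes the PFX path, the issuing CA's subject and a user running it on the Windows client are placeholders you replace; the CA import step needs an elevated prompt.

```powershell
# Added example, not from the thread. Placeholders: adjust paths and issuer name.
$CaCertPath = 'C:\placeholder\corp-root-ca.cer'     # CA cert exported from the Microsoft CA
$PfxPath    = 'C:\placeholder\user-cert.pfx'        # user cert issued by that CA
$IssuerDn   = 'CN=CORP-ISSUING-CA, DC=corp, DC=example'   # placeholder issuer DN

# 1) Trusted CA goes into the MACHINE trusted-root store (global, needs admin).
#    Uncomment in an elevated prompt:
# Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2) User certificate goes into the USER personal store. Omitting -Exportable is the
#    same as leaving "Mark this key as exportable" unticked in the import wizard.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $pfxPassword | Out-Null

# 3) Audit: list user certs from this CA and whether their private key is exportable.
function Get-UserCertKeyExportability {
    param([Parameter(Mandatory)][string]$Issuer)
    Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -eq $Issuer } |
        ForEach-Object {
            $cert = $_
            $exportable = $null
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: ExportPolicy None means the KSP will refuse to export it
                    $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
                } elseif ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
                    # Legacy CAPI key
                    $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
                }
            } catch { $exportable = $null }   # key present but not readable by this user
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                KeyExportable = $exportable
            }
        }
}

# Any row showing KeyExportable = True is a cert that could be copied to another device.
Get-UserCertKeyExportability -Issuer $IssuerDn | Format-Table -AutoSize
```

The non-exportable flag is enforced by the key storage provider rather than by hardware, so for stronger device binding pair it with a TPM-backed provider on the CA template or with the Duo device-health check mentioned above.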