In our environment we have certificate validation authentication enabled. We have random users receiving "Certificate Validation Error" messages about once a week. We have about 75 users who VPN into our network, so why would a random user receive this error message? If one user cannot authenticate using the cert, wouldn't it affect all users trying to VPN into our network?
Open a support case. They will assist you.
Also check these links.
AnyConnect Troubleshooting Guide - Cisco Meraki Documentation
I would like to see if this Certificate Authentication Error message has been encountered in other environments and what other users have done to fix this issue.
I know I could do the following:
* Disable the certificate authentication altogether and the user will successfully VPN into the network, but that doesn't actually tell me why this only affected one user and not every user that has to perform the certificate authentication method.
User has rebooted device multiple times to see if it was a certificate service issue on the users laptop, but that was not the issue either.
Check the links I sent you, there you will find the troubleshooting steps.
I have seen this when a client has multiple certificates installed, and AnyConnect is not sure which one to select.
You might need to create a profile with a certificate selection rule. I typically match on the issuing CA.
Philip! I like this idea. I do have one question: will it automatically match the cert by updating the XML profile, or will it show a cert as a pop-up that the user will need to select to complete the authentication?
The user will get no prompts (they only get prompts if you disable automatic certificate selection).
Lucky for you, I had to do such a deployment yesterday. The important bit in the profile XML is:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
  <ClientInitialization>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern> *** any bit of the text from the name of your CA *** </Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    ...
  </ServerList>
</AnyConnectProfile>
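To see why the CertificateMatch block above removes the ambiguity, here is an added example (not from this thread, and not Cisco's code) that parses the CertificateMatch section of a profile with the Python standard library and applies it to a constructed set of certificate metadata, the way a client with several certificates in its store would have to pick one. The profile text, the CA name "Example Corp Issuing CA" and the three certificates are constructed for the example; the match semantics (Wildcard=Enabled as substring match, Disabled as whole-value match, MatchCase=Disabled as case-insensitive) are my reading of the profile fields, so confirm them against the AnyConnect administrator guide before relying on them.

```python
"""Model of AnyConnect CertificateMatch selection over several client certificates.

Added example: parses <CertificateMatch> with xml.etree and applies it to
constructed certificate metadata. Match semantics are a modelling assumption.
"""
import xml.etree.ElementTree as ET

# Constructed profile: the CA name is an example value, not a real issuer.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Corp Issuing CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>"""

# Constructed metadata standing in for what the client reads from the user's
# certificate store: three certs for the same user, only one meant for the VPN.
CERT_STORE = [
    {"subject_cn": "jdoe", "issuer_cn": "Example Corp Issuing CA",
     "key_usage": {"Digital_Signature", "Key_Encipherment"}, "eku": {"ClientAuth"}},
    {"subject_cn": "jdoe", "issuer_cn": "Example Corp Email CA",
     "key_usage": {"Digital_Signature", "Key_Encipherment"}, "eku": {"EmailProtection"}},
    {"subject_cn": "jdoe", "issuer_cn": "Some Public Wi-Fi CA",
     "key_usage": {"Digital_Signature"}, "eku": {"ClientAuth"}},
]

FIELD_MAP = {"ISSUER-CN": "issuer_cn", "CN": "subject_cn"}


def parse_certificate_match(profile_xml: str) -> dict:
    """Extract the KeyUsage, ExtendedKeyUsage and DN rules from a profile."""
    root = ET.fromstring(profile_xml)
    for el in root.iter():                      # strip the default namespace
        el.tag = el.tag.split("}", 1)[-1]
    cm = root.find("./ClientInitialization/CertificateMatch")
    rule = {"key_usage": set(), "eku": set(), "dn": []}
    if cm is None:                              # no rule: every cert is a candidate
        return rule
    rule["key_usage"] = {k.text.strip() for k in cm.findall("./KeyUsage/MatchKey")}
    rule["eku"] = {k.text.strip() for k in cm.findall("./ExtendedKeyUsage/ExtendedMatchKey")}
    for d in cm.findall("./DistinguishedName/DistinguishedNameDefinition"):
        rule["dn"].append({
            "name": d.findtext("Name").strip(),
            "pattern": d.findtext("Pattern").strip(),
            "operator": d.get("Operator", "Equal"),
            "wildcard": d.get("Wildcard", "Disabled") == "Enabled",
            "match_case": d.get("MatchCase", "Enabled") == "Enabled",
        })
    return rule


def dn_matches(defn: dict, cert: dict) -> bool:
    """Evaluate one DistinguishedNameDefinition against a certificate."""
    value = cert.get(FIELD_MAP.get(defn["name"], ""), "")
    pattern = defn["pattern"]
    if not defn["match_case"]:
        value, pattern = value.lower(), pattern.lower()
    # Assumption: Wildcard=Enabled lets the pattern appear anywhere in the
    # field; Disabled requires the whole field to equal the pattern.
    hit = pattern in value if defn["wildcard"] else value == pattern
    return hit if defn["operator"] == "Equal" else not hit


def cert_matches(rule: dict, cert: dict) -> bool:
    """All listed key usages and EKUs must be present and every DN rule must hold."""
    return (rule["key_usage"] <= cert["key_usage"]
            and rule["eku"] <= cert["eku"]
            and all(dn_matches(d, cert) for d in rule["dn"]))


def select_certificates(rule: dict, store: list) -> list:
    """Return the certificates the client would consider for authentication."""
    return [c for c in store if cert_matches(rule, c)]


if __name__ == "__main__":
    matched = select_certificates(parse_certificate_match(PROFILE_XML), CERT_STORE)
    print("candidates with rule:", [c["issuer_cn"] for c in matched])
```

Run stand-alone, the rule leaves exactly one candidate (the cert issued by "Example Corp Issuing CA"); with no CertificateMatch block all three certificates remain candidates, which is the situation in which a client with a spare certificate can present the wrong one and fail validation for a single user only.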
Philip! Thank you so much for this information. Yes, I do not want to prompt the user for anything. We had another CERT AUTHENTICATION failure today.
If I could quickly confirm with you: the CERTIFICATE (.PEM file) I have uploaded into the Meraki Dashboard here.
Since this is the first time updating our XML profile, could you confirm the settings?
Open XML Profile editor...
Gone to Certificate Pinning
Imported my certificate here
Is that correct?
Looks like "Pinning" the Cert to the XML file does not work. Received this error message while testing.
Philip... What do you mean by "any bit of the text from the name of your CA"?
This is what I currently have... the name of our certificate issuer.
It WORKED PHILIP!!!
I do have a question: how do we know it is actually reading the CERT from the workstation? We have the CERT authentication enabled in the Meraki Dashboard, but is there any way we can confirm it's still reading the CERT?
Below is my configuration that I was able to successfully VPN into our network with the CERT authentication option enabled in the Meraki Dashboard.
Well done!