Meraki AnyConnect Certificate Validation Error

rhamersley
Getting noticed

Meraki AnyConnect Certificate Validation Error

In our environment we have certificate validation authentication enabled.   We have random users receiving "Certificate Validation Error" messages about once a week in our environment.   We have about 75 users VPN into our network and why would a random user receive this error message.   If one user cannot authenticate using the cert wouldn't if affect all users trying to VPN into our network?

 

rhamersley_0-1718029256924.png

 

13 Replies 13
alemabrahao
Kind of a big deal
Kind of a big deal

Open a support case. They will assist you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

Also check these links.

 

AnyConnect Troubleshooting Guide - Cisco Meraki Documentation

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
rhamersley
Getting noticed

I would like to see if this Certificate Authentication Error message has been encountered in other environments and what other users have done to fix this issue.   

 

I know I could do the following:

* Disable the certificate authentication altogether and the user will successfully VPN into the network but that doesnt actually tell me why this only affected one user and not every user that has to perform the certificate authentication method. 

 

User has rebooted device multiple times to see if it was a certificate service issue on the users laptop, but that was not the issue either.

 

Check the links I sent you, there you will find the troubleshooting steps.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

I have seen this when a client has multiple certificates installed, and AnYConnect is not sure which one to select.

 

You might need to create a profile with a certificate selection rule.  I typically match on the issuing CA.

Philip!...I like this idea....I do have one question will it automatically match the cert by updating the XML profile or will it show a cert as a pop up and the user will need to select the correct cert to complete the authentication.

The user will get no prompts (they only get prompts if you disable automatic certificate selection).

 

Lucky for you, I had to do such a deployment yesterday.  The important bit in the profile XML is:

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
	<ClientInitialization>
		<CertificateMatch>
			<KeyUsage>
	    	<MatchKey>Key_Encipherment</MatchKey>
	    	<MatchKey>Digital_Signature</MatchKey>
			</KeyUsage>
	    <ExtendedKeyUsage>
	    	<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
	    </ExtendedKeyUsage>
	    <DistinguishedName>
	    	<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
	    		<Name>ISSUER-CN</Name>
	      	<Pattern> *** any bit of the text from the name of your CA *** </Pattern>
	      </DistinguishedNameDefinition>
	    </DistinguishedName>
		</CertificateMatch>
	</ClientInitialization>
	
	<ServerList>
...
	</ServerList>

</AnyConnectProfile>

 

Philip!  Thank you So much for this information.  Yes I do not want to prompt the user for anything.   We had another CERT AUTHENTICATION failure today.  

 

If I could quickly confirm with you.  The CERTIFICATE(.PEM File) I have uploaded into the Meraki Dashboard here.

 

 

rhamersley_1-1718203605149.png

 

 

Since this is the first time updating our XML profile could you confirm the setting.

 

Open XML Profile editor...

Gone to Certificate Pinning

Imported my certificate here

 

Is that correct?

 

rhamersley_2-1718204134429.png

 

 

 

 

 

Looks like "Pinning" the Cert to the XML file does not work.  Received this error message while testing.

 

rhamersley_0-1718205707761.png

 

 

 

Philip....What do you mean "Any bit of the text from the name of your CA ***???

 

 

rhamersley_1-1718209550827.png

 

This is what I currently have...the name of our certificate issuer.

 

rhamersley_2-1718209716220.png

 

It WORKED PHILIP!!!

 

I do have a question how do we know it is actually reading the CERT from the workstation?   We have the CERT authentication enabled in the Meraki Dashboard but is there anyway we can confirm its still reading the CERT?   

 

Below is my configuration that I was able to successfully VPN into our network with the CERT authentication option enabled in the Meraki Dashboard.

 

rhamersley_1-1718212590296.png

 

 

Well done!

Get notified when there are additional replies to this discussion.