Meraki AnyConnect Certificate Validation Error

rhamersley
Getting noticed

In our environment we have certificate validation authentication enabled. We have random users receiving "Certificate Validation Error" messages about once a week. We have about 75 users who VPN into our network, so why would a random user receive this error message? If one user cannot authenticate using the cert, wouldn't it affect all users trying to VPN into our network?

alemabrahao
Kind of a big deal

Open a support case. They will assist you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

alemabrahao
Kind of a big deal

Also check these links.

AnyConnect Troubleshooting Guide - Cisco Meraki Documentation
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...

rhamersley
Getting noticed

I would like to see whether this Certificate Authentication Error message has been encountered in other environments and what other users have done to fix this issue.

I know I could do the following:

* Disable the certificate authentication altogether and the user will successfully VPN into the network, but that doesn't actually tell me why this only affected one user and not every user who has to perform the certificate authentication method.

The user has rebooted the device multiple times to see if it was a certificate service issue on the user's laptop, but that was not the issue either.

alemabrahao
Kind of a big deal

Check the links I sent you; there you will find the troubleshooting steps.

PhilipDAth
Kind of a big deal

I have seen this when a client has multiple certificates installed and AnyConnect is not sure which one to select.

You might need to create a profile with a certificate selection rule. I typically match on the issuing CA.

rhamersley
Getting noticed

Philip! I like this idea. I do have one question: will it automatically match the cert by updating the XML profile, or will it show a cert as a pop-up so that the user needs to select the correct cert to complete the authentication?

PhilipDAth
Kind of a big deal

The user will get no prompts (they only get prompts if you disable automatic certificate selection).

Lucky for you, I had to do such a deployment yesterday. The important bit in the profile XML is:

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
  <ClientInitialization>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern> *** any bit of the text from the name of your CA *** </Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>

  <ServerList>
...
  </ServerList>

</AnyConnectProfile>
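
An added example (not from this thread, Cisco or Meraki) showing how a CertificateMatch rule like the one above narrows a personal store that holds several certificates, which is the ambiguity Philip describes earlier. It assumes simplified matching semantics (every listed usage must be present, clauses are AND-ed, Wildcard=Enabled is a substring test and Disabled an exact match), constructed certificate stand-ins, and a hypothetical CA name:

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.xmlsoap.org/encoding/}"   # default namespace of the profile

# Constructed profile fragment modelled on the one posted above; the CA name is hypothetical.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ClientInitialization><CertificateMatch>
  <KeyUsage><MatchKey>Key_Encipherment</MatchKey><MatchKey>Digital_Signature</MatchKey></KeyUsage>
  <ExtendedKeyUsage><ExtendedMatchKey>ClientAuth</ExtendedMatchKey></ExtendedKeyUsage>
  <DistinguishedName><DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
   <Name>ISSUER-CN</Name><Pattern>Example Corp Issuing CA</Pattern>
  </DistinguishedNameDefinition></DistinguishedName>
 </CertificateMatch></ClientInitialization>
</AnyConnectProfile>"""

# Constructed stand-ins for one user's personal store (only the attributes the rule inspects).
# Two client-auth certs from different CAs is the ambiguity described in the thread.
STORE = [
    {"label": "corp-vpn", "ISSUER-CN": "Example Corp Issuing CA",
     "ku": {"Digital_Signature", "Key_Encipherment"}, "eku": {"ClientAuth"}},
    {"label": "wifi-eap", "ISSUER-CN": "Example Corp Wireless CA",
     "ku": {"Digital_Signature", "Key_Encipherment"}, "eku": {"ClientAuth"}},
    {"label": "smime", "ISSUER-CN": "Example Corp Issuing CA",
     "ku": {"Digital_Signature"}, "eku": {"EmailProtection"}},
]

def parse_rule(profile_xml):
    """Extract the KeyUsage, ExtendedKeyUsage and DistinguishedName clauses of <CertificateMatch>."""
    cm = ET.fromstring(profile_xml).find(f"{NS}ClientInitialization/{NS}CertificateMatch")
    dn = [(d.findtext(f"{NS}Name").strip(), d.findtext(f"{NS}Pattern").strip(), d.get("Operator", "Equal"),
           d.get("Wildcard") == "Enabled", d.get("MatchCase") == "Enabled")
          for d in cm.iter(f"{NS}DistinguishedNameDefinition")]
    return {"ku": {e.text.strip() for e in cm.iter(f"{NS}MatchKey")},
            "eku": {e.text.strip() for e in cm.iter(f"{NS}ExtendedMatchKey")}, "dn": dn}

def dn_ok(cert, name, pattern, operator, wildcard, match_case):
    """One DN clause. Assumed semantics: Wildcard=Enabled is a substring test, Disabled an exact match."""
    value = cert.get(name, "")
    if not match_case:
        value, pattern = value.lower(), pattern.lower()
    hit = pattern in value if wildcard else value == pattern
    return hit if operator == "Equal" else not hit

def select_certs(rule, store):
    """Labels of certs satisfying every clause (assumed: all listed usages present, clauses AND-ed)."""
    return [c["label"] for c in store if rule["ku"] <= c["ku"] and rule["eku"] <= c["eku"]
            and all(dn_ok(c, *d) for d in rule["dn"])]

if __name__ == "__main__":
    rule = parse_rule(PROFILE_XML)
    print(select_certs({**rule, "dn": []}, STORE))   # no issuer clause: two candidates remain
    print(select_certs(rule, STORE))                  # with the issuer clause: exactly one
```

With only key-usage clauses, both client-auth certs qualify and the client has to guess; the ISSUER-CN clause is what leaves a single candidate.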


rhamersley
Getting noticed

Philip! Thank you so much for this information. Yes, I do not want to prompt the user for anything. We had another CERT AUTHENTICATION failure today.

If I could quickly confirm with you: the CERTIFICATE (.PEM file) I have uploaded into the Meraki Dashboard here.


Since this is the first time updating our XML profile, could you confirm the setting?

Opened the XML Profile editor...
Went to Certificate Pinning
Imported my certificate here

Is that correct?


rhamersley
Getting noticed

Looks like "pinning" the cert in the XML file does not work. Received this error message while testing.


rhamersley
Getting noticed

Philip... what do you mean by "*** any bit of the text from the name of your CA ***"?


rhamersley
Getting noticed

This is what I currently have: the name of our certificate issuer.


rhamersley
Getting noticed

It WORKED, PHILIP!!!

I do have a question: how do we know it is actually reading the CERT from the workstation? We have CERT authentication enabled in the Meraki Dashboard, but is there any way we can confirm it's still reading the CERT?

Below is my configuration, with which I was able to successfully VPN into our network with the CERT authentication option enabled in the Meraki Dashboard.


PhilipDAth
Kind of a big deal

Well done!
