Meraki Community

rhamersley

In our environment we have certificate validation authentication enabled. We have random users receiving "Certificate Validation Error" messages about once a week in our environment. We have about 75 users VPN into our network and why would a random user receive this error message. If one user cannot authenticate using the cert wouldn't if affect all users trying to VPN into our network?

alemabrahao

Open a support case. They will assist you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

alemabrahao

Also check these links.

AnyConnect Troubleshooting Guide - Cisco Meraki Documentation

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

rhamersley

I would like to see if this Certificate Authentication Error message has been encountered in other environments and what other users have done to fix this issue.

I know I could do the following:

* Disable the certificate authentication altogether and the user will successfully VPN into the network but that doesnt actually tell me why this only affected one user and not every user that has to perform the certificate authentication method.

User has rebooted device multiple times to see if it was a certificate service issue on the users laptop, but that was not the issue either.

alemabrahao

Check the links I sent you, there you will find the troubleshooting steps.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

PhilipDAth

I have seen this when a client has multiple certificates installed, and AnYConnect is not sure which one to select.

You might need to create a profile with a certificate selection rule. I typically match on the issuing CA.

rhamersley

Philip!...I like this idea....I do have one question will it automatically match the cert by updating the XML profile or will it show a cert as a pop up and the user will need to select the correct cert to complete the authentication.

PhilipDAth

The user will get no prompts (they only get prompts if you disable automatic certificate selection).

Lucky for you, I had to do such a deployment yesterday. The important bit in the profile XML is:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
	<ClientInitialization>
		<CertificateMatch>
			<KeyUsage>
	    	<MatchKey>Key_Encipherment</MatchKey>
	    	<MatchKey>Digital_Signature</MatchKey>
			</KeyUsage>
	    <ExtendedKeyUsage>
	    	<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
	    </ExtendedKeyUsage>
	    <DistinguishedName>
	    	<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
	    		<Name>ISSUER-CN</Name>
	      	<Pattern> *** any bit of the text from the name of your CA *** </Pattern>
	      </DistinguishedNameDefinition>
	    </DistinguishedName>
		</CertificateMatch>
	</ClientInitialization>
	
	<ServerList>
...
	</ServerList>

</AnyConnectProfile>

rhamersley

Philip! Thank you So much for this information. Yes I do not want to prompt the user for anything. We had another CERT AUTHENTICATION failure today.

If I could quickly confirm with you. The CERTIFICATE(.PEM File) I have uploaded into the Meraki Dashboard here.

Since this is the first time updating our XML profile could you confirm the setting.

Open XML Profile editor...

Gone to Certificate Pinning

Imported my certificate here

Is that correct?

rhamersley

Looks like "Pinning" the Cert to the XML file does not work. Received this error message while testing.

rhamersley

Philip....What do you mean "Any bit of the text from the name of your CA ***???

rhamersley

This is what I currently have...the name of our certificate issuer.

rhamersley

It WORKED PHILIP!!!

I do have a question how do we know it is actually reading the CERT from the workstation? We have the CERT authentication enabled in the Meraki Dashboard but is there anyway we can confirm its still reading the CERT?

Below is my configuration that I was able to successfully VPN into our network with the CERT authentication option enabled in the Meraki Dashboard.

PhilipDAth

Well done!

Meraki Community

Meraki AnyConnect Certificate Validation Error

Meraki AnyConnect Certificate Validation Error