Meraki MX Client VPN AnyConnect settings for Certificate-based authentication + Username & password

Tor_in_Bergen
Here to help


We are setting up AD authentication in the MX AnyConnect setting - it's working fine until we enabled a certificate.

The AnyConnect server on the MX supports client certificate authentication as a factor of authentication. If certificate authentication is enabled, the AnyConnect server will use the uploaded trusted CA certificate to validate authenticating clients before requesting the users' credentials.

We have a Windows CA in Enterprise mode; should we just export the Root certificate in PEM format (from Windows, a .cer file in Base64 format)?
Manual says: With certificate authentication, the administrator uploads a .pem or .crt file of the issuing CA certificate to the MX.

Since we have our own CA we autoenroll a Workstation template based certificate to the end user's device.


It's not working as we hoped - Any ideas?

PhilipDAth
Kind of a big deal

Have you configured AnyConnect to present a certificate from the machine store instead of the user store?

Hi Philip,

We have found very little info about the cryptography in this matter; is it client auth in the process or not? We have used a workstation certificate template, not sure that’s the right one.

We have rolled out all the client certificates to the local machine store.

When we uploaded our root certificate we expected AnyConnect to accept any client certificates issued to the local machine by our CA.

Can you elaborate on what you mean here, how do we change crypto settings on the AnyConnect server on MX?

AlexP
Meraki Employee

Since we have our own CA we autoenroll a Workstation template based certificate to the end user's device.

If that CA is the one signing those client certificates, the assumption is that it also has a self-signed certificate to provide the root of the chain of trust defined in those client certs.


If that is the case, that self-signed root is what needs to be on the MX to validate the certs the clients are presenting when they log in.

Hi Alex,


We have taken out the Root CA certificate as .cer (in BASE64 format) and uploaded it with the «Browse» button. Says «uploaded» but we are not sure it’s accepted.

When we roll out a certificate to the client we thought it would be sufficient with a client certificate from the same issuer as specified in the root cert. The subject/owner is the client itself so it’s different from the root CA cert.

From a cryptography perspective we just want the AnyConnect server on the MX to accept all client certificates from the same issuer (our own CA).

The Secure Client is able to see the client certificate but will not accept it; seems like our root CA cert is not accepted. There are some requirements we do not fulfil for sure, but which...?


Hey Tor,

I would suggest opening a Support case about this, and providing them with a DART bundle taken after a failed connection attempt, with the timestamp (and time zone) of the failed attempt noted. We should be able to get a more detailed reason as to why the request is still failing from there.

The DART bundle is nice stuff!


From the AnyConnect log in the bundle (from Cisco Secure Client) it looks like I do not have a VPN Profile.

Thereby

If no certificate matching criteria is specified, Cisco Secure Client applies the following certificate matching rules:

  • Key Usage: Digital_Signature
  • Extended Key Usage: Client Auth


Should like to know if this message means that the CA root cert is okay:


"Description : Function: CTransportCurlStatic::PeerCertVerifyCB
File: C:\temp\build\thehoff\Quicksilver_MR20.384855878117\Quicksilver_MR2\vpn\Api\CTransportCurlStatic.cpp
Line: 1062
Return success from VerifyServerCertificate"


AND

is it actually possible to change the crypto dialog by changing the client's XML by using Cisco Secure Client Profile Editor? Seems like in the Certificate Matching module..?


Open a support case in this matter yes..

Tor_in_Bergen
Here to help

Got links from Support describing requirements for the certificates and have now set up a test with self-signed certificates. Seeing that things work if the certificate has the correct setup. This is anyway client authentication so the client needs private keys, remember to use a template that has client authorization as its use.
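The requirements the thread converges on (certificate chains to the root uploaded to the MX, Key Usage includes Digital Signature, Extended Key Usage includes Client Authentication, and the client actually holds the private key) can be checked on a workstation before opening a support case. The script below is an added example, not code from the thread, Meraki or Cisco: it builds a throwaway root CA and two client certificates with openssl (one issued from a client-auth style template, one with only Server Authentication, standing in for the wrong template), then runs each through the same checks. All names, subjects and paths are constructed; it assumes an OpenSSL 1.1.1 or newer `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the thread, Meraki or Cisco). Build a constructed root
# CA plus two client certificates, then check each against the requirements the
# thread settled on: chains to the uploaded root, Key Usage "Digital Signature",
# Extended Key Usage "Client Authentication", and a matching private key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed root CA, standing in for the enterprise Windows CA root that is
# uploaded to the MX (a Base64 .cer export from Windows is already PEM).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=Constructed Test Root CA" >/dev/null 2>&1

# Issue a client certificate signed by that root with the given KU and EKU.
# $1 = name, $2 = keyUsage value, $3 = extendedKeyUsage value
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf 'keyUsage=%s\nextendedKeyUsage=%s\n' "$2" "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Confirm a file is a PEM (Base64) certificate, which is the form the MX upload
# expects, rather than a DER .cer export.
is_pem_cert() {
  openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# Check one client certificate the way the Secure Client default matching rules
# and the MX root validation would. Returns 0 only when every test passes.
# $1 = client cert (PEM), $2 = client private key (PEM), $3 = root CA cert (PEM)
check_client_cert() {
  cert=$1 key=$2 root=$3
  # 1. Chains to the uploaded root (what the MX checks before asking for credentials).
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to $root"; return 1; }
  # 2. Key Usage must include Digital Signature.
  openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null | grep -q 'Digital Signature' \
    || { echo "$cert: Key Usage lacks Digital Signature"; return 1; }
  # 3. Extended Key Usage must include Client Authentication.
  openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "$cert: EKU lacks Client Authentication"; return 1; }
  # 4. The private key belongs to this certificate; a certificate without its
  #    key cannot be used for client authentication at all.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "$cert: private key does not match"; return 1; }
  echo "$cert: OK"
}

# A client-authentication template yields the first shape; the second, with
# only Server Authentication in the EKU, is what a wrong template produces.
issue_client good-client "critical,digitalSignature,keyEncipherment" "clientAuth"
issue_client bad-client  "critical,digitalSignature,keyEncipherment" "serverAuth"

is_pem_cert "$WORK/root.pem" && echo "root.pem is PEM"
check_client_cert "$WORK/good-client.pem" "$WORK/good-client.key" "$WORK/root.pem"
check_client_cert "$WORK/bad-client.pem"  "$WORK/bad-client.key"  "$WORK/root.pem" \
  || echo "bad-client rejected as expected"
```

To run the same checks against a real enrolled certificate, export it from the machine store together with its key and point `check_client_cert` at the exported PEM files and the root you uploaded to the MX; the first failing step names which of the requirements the template does not meet.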