Receiving certificate error messages periodically for our VPN authentication

rhamersley
Getting noticed

Receiving certificate error messages periodically for our VPN authentication

In our environments we have AnyConnect VPN authentication and use Certificate Authentication and periodically only a few users will receive certificate error messages and other users will not receive a certificate error message.    Why only a few users would receive this certificate error message.   All users have the same setting.   Is it because when the VPN authorization is in process that user is unable to get the cert authentication from the Meraki dashboard?

 

 

If we go into the Meraki dashboard and "Disable" the certificate authentication mode those handful users that received the cert error will be able to successfully VPN into the network.   If I go into the dashboard and re-enable the certificate authentication mode the next day the users that received the certificate error message are now successfully VPN'ing into the network.    Anyone has experienced this behavior in your environments using certificate authentication mode with Anyconnect?

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal

I suggest you open a support case with Meraki.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

The most common cause I have seen for this is when a machine has multiple certificates, and AnyConnect is not sure which one to present.  If it presents the wrong one - you'll get a certificate authentication issue.  The issue can appear random depending on which certificate gets selected.

 

If this is your issue, you'll need to configure certificate selection (such as based on the issuer) in the profile (which you can do using the profile editor).

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/gu...

 

rhamersley
Getting noticed

Philip this is the cause for our environment.  Will I be able to configure the XML profile to chose the correct certificate to use each time.   or will the user be prompted to select the correct certificate during the VPN authentication process?   

PhilipDAth
Kind of a big deal
Kind of a big deal

Usually, matching on the issuer of the certificate (such as matching on your CA) is sufficient for the correct certificate to be selected.  No user involvement should be required.

Get notified when there are additional replies to this discussion.