macOS "No Valid Certificates Available for Authentication" on AnyConnect VPN

jasonbrown23
Here to help

Hello,

I'm having some trouble getting my macOS laptops to connect to our AnyConnect VPN (Secure Client 5.1.4.74) on an MX250, and I'm hoping someone here might have some insights.

Both my Windows and macOS devices use a certificate pushed via Workspace One to join Wi-Fi. I took the root certificate from that setup and uploaded it to the Meraki MX and enabled Certificate Authentication. My Windows laptops can join the VPN without any issues, but my Mac laptops show the error "No valid certificates available for authentication" and then "Certificate validation failure."

I've checked that the certificate is included in the system keychain on the Macs and manually marked it as trusted. The certificate has the necessary usage attributes, like digital signature and client authentication, just like the ones on the Windows machines. I also tried creating a profile that matches on the issuing CA, thinking that would help it pick the correct cert, and that also looks in the System store, which works fine on Windows but not on macOS.

I'm at a bit of a loss for what to try next. Does anyone have suggestions on what else I should look for or any steps I might be missing?

6 Replies
GIdenJoe
Kind of a big deal

The CA cert you uploaded is for your client authentication right?
What are you using as Cert for the Anyconnect session itself?

If you let dashboard manage the cert you have to connect using the dynamic-m url instead of the public IP.

The client authentication cert is separate from the Anyconnect server certificate.

jasonbrown23
Here to help

So this is only for the certificate authentication. The secure connection between the MX and AnyConnect is using the dynamic DNS hostname and the auto-generated server cert. And if I remove the certificate authentication requirement, the Macs can join no problem.

PhilipDAth
Kind of a big deal

I don't know the answer. I'll take a punt it is where the certificate is 'stored' on the Mac, and that probably it is in a place that AnyConnect does not have access to.

I have seen a number of posts about using the below VPN profile entry - perhaps try searching around this:
<ExcludeMacNativeCertStore>true</ExcludeMacNativeCertStore>

BlakeRichardson
Kind of a big deal

What happens if you try adding the certificate to the user's certificates and not the system certificates?

jasonbrown23
Here to help

I got it sorted and wanted to say thanks for your support. The issue came down to the Mac Wi-Fi certificate setup. Initially, the profile pushed to the Macs was missing the intermediate and root certificates, and simply setting the device cert to "Always Trust" did not work as expected.

After uploading both the intermediate and root certificates, the device certificate was successfully trusted, and AnyConnect was able to recognize and use it correctly.
Now I just need to work with the Workspace One guys to create a new profile that we can push out to get everyone these certs! Thanks.
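The root cause reported above (device certificate present, root marked trusted, but the issuing intermediate missing, so the chain never builds) can be reproduced and checked offline. The following is an added example, not code from the original thread, Cisco, or Meraki: it builds a constructed three-tier test PKI with openssl (all names such as "Example Root CA" and "laptop-001.example.com" are made up) and validates the device certificate as a TLS client certificate first with the root alone, then with the intermediate available.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the failure mode
# described above with a constructed test PKI so it can be checked offline.
# A device certificate issued by an intermediate CA fails path validation when
# only the root is trusted; it validates once the intermediate is available.
# All names (Example Root CA, Example Issuing CA, laptop-001.example.com)
# are made up for this example.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n' > req.cnf
printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> req.cnf

# --- constructed three-tier PKI: root -> issuing intermediate -> device cert ---
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Issuing CA" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null

# Device (client) certificate with the usage bits the thread mentions:
# digitalSignature plus the clientAuth extended key usage.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=laptop-001.example.com" -keyout device.key -out device.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > device.ext
openssl x509 -req -in device.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile device.ext -out device.pem 2>/dev/null

# verify_chain LEAF ROOT [INTERMEDIATE]
# Builds and validates LEAF as a TLS client certificate against the trusted ROOT.
# The intermediate, when given, is supplied as an untrusted chain member, which is
# how a client finds it in its own certificate store. Exit status 0 = chain validates.
verify_chain() {
  leaf="$1"; root="$2"; inter="${3:-}"
  if [ -n "$inter" ]; then
    openssl verify -purpose sslclient -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1
  else
    openssl verify -purpose sslclient -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# has_client_auth CERT: exit 0 if CERT carries the clientAuth extended key usage.
has_client_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

if verify_chain device.pem root.pem; then
  echo "root only: chain validates (unexpected)"
else
  echo "root only: validation FAILS, issuer not found (the symptom in the thread)"
fi
if verify_chain device.pem root.pem inter.pem; then
  echo "root + intermediate: chain validates"
fi
if has_client_auth device.pem; then
  echo "device cert carries the clientAuth EKU"
fi
echo "test PKI left in $WORK for inspection"
```

The point of the two `verify_chain` calls is that trusting the root (or marking the leaf "Always Trust") is not enough when the issuer in between is absent: path building stops at the device certificate because nothing can supply the issuer, which is what AnyConnect reports as no valid certificate. On the Mac itself the equivalent checks are `security find-certificate -a -p /Library/Keychains/System.keychain` to dump what is actually installed and `security verify-cert -c device.pem` to run path validation against the keychains.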

BlakeRichardson
Kind of a big deal

Thanks for sharing the solution.
