Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

macOS "No Valid Certificates Available for Authentication" on AnyConnect VPN

jasonbrown23
Here to help
a week ago
a week ago

macOS "No Valid Certificates Available for Authentication" on AnyConnect VPN

Hello,

I'm having some trouble getting my macOS laptops to connect to our AnyConnect VPN (secure client 5.1.4.74) on a MX250, and I'm hoping someone here might have some insights.

 

Both my Windows and macOS devices use a certificate pushed via Workspace One to join Wi-Fi. I took the root certificate from that setup and uploaded it to the Meraki MX and enabled Certificate Authentication. My Windows laptops can join the VPN without any issues, but my Mac laptops show the error "No valid certificates available for authentication" and then "Certificate validation failure."

I've checked that the certificate is included in the system keychain on the Macs and manually marked it as trusted. The certificate has the necessary usage attributes, like digital signature and client authentication, just like the ones on the Windows machines. I also tried creating a profile that matches on the issuing CA, thinking that would help it pick the correct cert and to also look in the Systems store, which works fine on Windows but not on macOS.

I'm at a bit of a loss for what to try next. Does anyone have suggestions on what else I should look for or any steps I might be missing?

Labels:
0 Kudos
Subscribe
6 Replies 6
GIdenJoe
Kind of a big deal
Kind of a big deal
a week ago
a week ago

The CA cert you uploaded is for your client authentication right?
What are you using as Cert for the Anyconnect session itself?

If you let dashboard manage the cert you have to connect using the dynamic-m url instead of the public IP.

The client authentication cert is separate from the Anyconnect server certificate.

0 Kudos
Subscribe
In response to GIdenJoe
jasonbrown23
Here to help
a week ago
a week ago

so this is only for the Certificate authentication. the secure connection between the mx and anyconnect is useing the dynamic DNS hostname and the auto-generated server cert. and if i remove the cert Certificate authentication requirement the macs can join no prob

 

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

I don't know the answer.  I'll take a punt it is where the certificate is 'stored' on the Mac, and that probably it is in a place that AnyConnect does not have access to.

 

I have seen a number of posts about using the below VPN profile entry - perhaps try searching around this:
<ExcludeMacNativeCertStore>true</ExcludeMacNativeCertStore>

Subscribe
BlakeRichardson
Kind of a big deal
Kind of a big deal
a week ago
a week ago

What happens if you try adding the certificate to the users certificates and not the system certificates? 

btr.net.nz
Subscribe
jasonbrown23
Here to help
a week ago
a week ago

I got it sorted and wanted to say thanks for your support. The issue came down to the Mac Wi-Fi certificate setup. Initially, the profile pushed to the Macs was missing the intermediate and root certificates, and simply setting the device cert to "Always Trust" did not work as expected.

After uploading both the intermediate and root certificates, the device certificate was successfully trusted, and AnyConnect was able to recognize and use it correctly.
now i just need to work with the WorkSpace one guys to create a new profile that we can push out to get everyone these certs! thanks  

Subscribe
In response to jasonbrown23
BlakeRichardson
Kind of a big deal
Kind of a big deal
a week ago
a week ago

Thanks for sharing the solution.

btr.net.nz
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.