rhamersley
Getting noticed
Monday
Meraki AnyConnect Certificate Validation Error
In our environment we have certificate validation authentication enabled. We have random users receiving "Certificate Validation Error" messages about once a week. We have about 75 users who VPN into our network, so why would a random user receive this error message? If one user cannot authenticate using the cert, wouldn't it affect all users trying to VPN into our network?
0 Kudos
13 Replies
alemabrahao
Kind of a big deal
Monday
Open a support case. They will assist you.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
alemabrahao
Kind of a big deal
Monday
Also check these links.
AnyConnect Troubleshooting Guide - Cisco Meraki Documentation
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Managing_and_Troublesh...
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
rhamersley
Getting noticed
Monday
I would like to see if this Certificate Authentication Error message has been encountered in other environments and what other users have done to fix this issue.
I know I could do the following:
* Disable the certificate authentication altogether and the user will successfully VPN into the network, but that doesn't actually tell me why this only affected one user and not every user that has to perform the certificate authentication method.
The user has rebooted the device multiple times to see if it was a certificate service issue on the user's laptop, but that was not the issue either.
0 Kudos
In response to rhamersley
alemabrahao
Kind of a big deal
Monday
Check the links I sent you, there you will find the troubleshooting steps.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Monday
I have seen this when a client has multiple certificates installed, and AnyConnect is not sure which one to select.
You might need to create a profile with a certificate selection rule. I typically match on the issuing CA.
0 Kudos
In response to PhilipDAth
rhamersley
Getting noticed
Tuesday
Philip! I like this idea. I do have one question: will it automatically match the cert by updating the XML profile, or will it show a cert as a pop-up that the user will need to select to complete the authentication?
0 Kudos
In response to rhamersley
PhilipDAth
Kind of a big deal
Tuesday
The user will get no prompts (they only get prompts if you disable automatic certificate selection).
Lucky for you, I had to do such a deployment yesterday. The important bit in the profile XML is:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
  <ClientInitialization>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern> *** any bit of the text from the name of your CA *** </Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>...</ServerList>
</AnyConnectProfile>
0 Kudos
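As an added example (not Cisco's code and not Philip's profile), the Python below models how a CertificateMatch block like the one in the reply above narrows a store holding several certificates down to a single candidate, which is why the user sees no picker. The profile text and the three certificates are constructed, "Example Corp Issuing CA" is a placeholder for the CA name, and the rule semantics (every listed KeyUsage required, any listed EKU sufficient, Wildcard="Enabled" as substring matching, MatchCase="Disabled" as case-insensitive) are a simplified assumption, not Cisco's documented behaviour.

```python
import xml.etree.ElementTree as ET
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # the profile's default namespace

# Constructed profile fragment mirroring the thread; the CA name is a placeholder.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ClientInitialization><CertificateMatch>
  <KeyUsage><MatchKey>Key_Encipherment</MatchKey><MatchKey>Digital_Signature</MatchKey></KeyUsage>
  <ExtendedKeyUsage><ExtendedMatchKey>ClientAuth</ExtendedMatchKey></ExtendedKeyUsage>
  <DistinguishedName><DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
   <Name>ISSUER-CN</Name><Pattern>Example Corp Issuing CA</Pattern>
  </DistinguishedNameDefinition></DistinguishedName>
 </CertificateMatch></ClientInitialization>
</AnyConnectProfile>"""

# Constructed certificates as they might sit together in one user's personal store.
CERTS = [
    {"subject": "user1", "issuer_cn": "Example Corp Issuing CA",
     "ku": {"Digital_Signature", "Key_Encipherment"}, "eku": {"ClientAuth"}},
    {"subject": "user1-smime", "issuer_cn": "Example Corp Issuing CA",
     "ku": {"Digital_Signature"}, "eku": {"EmailProtection"}},
    {"subject": "user1-wifi", "issuer_cn": "Other Vendor CA",
     "ku": {"Digital_Signature", "Key_Encipherment"}, "eku": {"ClientAuth"}},
]

def parse_rules(xml_text):
    # Pull the KeyUsage, ExtendedKeyUsage and DistinguishedName rules out of the profile.
    cm = ET.fromstring(xml_text).find("ac:ClientInitialization/ac:CertificateMatch", NS)
    dn = [(d.findtext("ac:Name", namespaces=NS), d.findtext("ac:Pattern", namespaces=NS),
           d.get("Operator", "Equal") == "Equal", d.get("Wildcard", "Disabled") == "Enabled",
           d.get("MatchCase", "Enabled") == "Enabled")
          for d in cm.findall("ac:DistinguishedName/ac:DistinguishedNameDefinition", NS)]
    return {"ku": {e.text for e in cm.findall("ac:KeyUsage/ac:MatchKey", NS)},
            "eku": {e.text for e in cm.findall("ac:ExtendedKeyUsage/ac:ExtendedMatchKey", NS)},
            "dn": dn}

def reject_reason(cert, rules):
    """Return None if the cert passes every rule, else the name of the first rule it fails."""
    if not rules["ku"] <= cert["ku"]:     # assumption: every listed key usage must be present
        return "KeyUsage"
    if not rules["eku"] & cert["eku"]:    # assumption: any one listed EKU is enough
        return "ExtendedKeyUsage"
    for field, pattern, want_equal, wildcard, match_case in rules["dn"]:
        value = cert["issuer_cn"] if field == "ISSUER-CN" else cert["subject"]
        if not match_case:                # MatchCase="Disabled" compares case-insensitively
            value, pattern = value.lower(), pattern.lower()
        hit = pattern in value if wildcard else value == pattern  # assumption: Wildcard = substring
        if hit != want_equal:
            return f"DistinguishedName {field}"
    return None

def select_certificates(certs, rules):
    """Automatic selection: exactly one survivor means the user sees no picker dialog."""
    return [c["subject"] for c in certs if reject_reason(c, rules) is None]
```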
In response to PhilipDAth
rhamersley
Getting noticed
yesterday
Philip! Thank you so much for this information. Yes, I do not want to prompt the user for anything. We had another CERT AUTHENTICATION failure today.
If I could quickly confirm with you: the CERTIFICATE (.PEM file) I have uploaded into the Meraki Dashboard here.
Since this is the first time updating our XML profile, could you confirm the setting?
Opened the XML Profile Editor...
Went to Certificate Pinning
Imported my certificate here
Is that correct?
0 Kudos
In response to rhamersley
rhamersley
Getting noticed
yesterday
Looks like "Pinning" the Cert to the XML file does not work. Received this error message while testing.
2 Kudos
In response to rhamersley
rhamersley
Getting noticed
yesterday
Philip... what do you mean by "*** any bit of the text from the name of your CA ***"?
0 Kudos
In response to rhamersley
rhamersley
Getting noticed
yesterday
This is what I currently have: the name of our certificate issuer.
0 Kudos
In response to PhilipDAth
rhamersley
Getting noticed
yesterday
It WORKED PHILIP!!!
I do have a question: how do we know it is actually reading the CERT from the workstation? We have the CERT authentication enabled in the Meraki Dashboard, but is there any way we can confirm it's still reading the CERT?
Below is my configuration that I was able to successfully VPN into our network with the CERT authentication option enabled in the Meraki Dashboard.
2 Kudos
In response to rhamersley
PhilipDAth
Kind of a big deal
10 hours ago
Well done!
0 Kudos