Certificate Validation Failure with AnyConnect only on MAC

sjhloco
Level 1

Hi,

I have an AnyConnect account set up using version 3.0.5080 and connecting to an ASA 5510 running 8.2(2)17. We are using certificates for authentication. If I try to use the account on a Windows machine it all works fine.

However, on a Mac running Lion, if I try to connect via a web browser, or already have the AnyConnect client loaded and try to connect, I always get “Certificate Validation Failure”. I double-checked the certificate and am sure it is correct, as it is the same certificate on the Windows machine and the Mac. After searching online I have also tried editing the AnyConnect profile so it is set to “certificate store override”, and put the certificates and key in the “user/.cisco/certificates” and “/opt/.cisco/certificates” folders.

After further testing, if I change the AnyConnect connection profile to “authentication aaa” I can connect fine. Then if I disconnect and change it back to “authentication certificate”, I can connect fine the first time, but all subsequent attempts fail. If I repeat this process the same thing happens each time: I can connect the first time, but after that it fails with the same “Certificate Validation Failure” error message. When it connects this first time I checked and confirmed that it is definitely using the certificate. I have also tried using both authentication methods (“authentication aaa certificate”) and had the same problem.

This leads me to believe that my configuration is correct and that it is some bug in the AnyConnect client or the ASA image. I have had a look through the bugs and read somewhere that there was a bug on earlier versions of 8.4, but nothing about 8.2. Does anyone have any recommendations of anything else I can try to fix the problem?

Thanks

Stephen

1 Reply

sjhloco
Level 1

I found a workaround for this: if I import the certificate into Firefox and connect via that, it works, since Firefox has its own certificate store. So each time you connect, you go to the direct URL link for your AnyConnect; it will use the AnyConnect client on the Mac and connect using the cert in the browser. You can then close the browser, but if you disconnect the client the only way to reconnect is to use the browser again.

I guess this proves that Safari or the AnyConnect client is for some reason not seeing the certificate in the keychain. I still don't know why this is. I may try updating to 8.4 to see if it fixes it.
