Client certificate enforcement not working on Mobile Connect for iOS and macOS.

Description

Client Certificate Enforcement lets an organization ensure that an end user can connect to the VPN only from a specific device that has the client certificate installed. In addition to the normal username and password authentication, the client software on the user's machine must present the client certificate to the VPN server to prove its authenticity. This prevents users from connecting from other devices that do not have the client certificate installed. The client certificate is verified against the root certificate installed on the VPN server under the CA certificate category.



Cause

With the client certificate installed on the client side, the root certificate added on the SSL-VPN server, and client certificate enforcement enabled for the domain, enforcement works on every platform except iOS and macOS when TLS 1.3 is enabled. The issue occurs only when TLS 1.3 is enabled on the SSL-VPN server: client certificate authentication does not work on iOS/macOS over TLS 1.3 because of an OS limitation.

Resolution

Log in to the SMA administrative console.

1) Under System.



2) Go to Administration.

3) Under Global SSL/TLS Settings, uncheck TLS 1.3.



NOTE: Changing TLS settings restarts the web services and other associated services, so existing connections will drop.


With these changes, certificate enforcement will work as expected on iOS and macOS using Mobile Connect.
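To confirm the change from any workstation before asking users to retry, the following script probes the appliance with openssl s_client: after the fix a TLS 1.3 handshake should fail and a TLS 1.2 handshake should succeed with the server requesting a client certificate. This is an added example, not SonicWall tooling; the host name, port and certificate paths are placeholders you supply, and the -tls1_3 flag needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the SonicWall article). Host, port and the
# client cert/key paths are placeholders supplied on the command line:
#   sh tls_check.sh sma.example.com 443 client.pem client.key

# Classify an s_client transcript read on stdin: prints the negotiated
# protocol (e.g. TLSv1.2) or "none" when the handshake failed, based on
# the "New, <proto>, Cipher is <suite>" line that s_client prints
# ("New, (NONE), Cipher is (NONE)" on failure).
negotiated_protocol() {
    awk -F', ' '/^New, / { p = $2 }
                END { if (p == "" || p == "(NONE)") print "none"; else print p }'
}

# Prints "requested" if the server sent a CertificateRequest listing
# acceptable CA names (client certificate enforcement active on the
# server side), else "not-requested".
client_cert_requested() {
    awk '/^Acceptable client certificate CA names/ { r = 1 }
         END { print (r ? "requested" : "not-requested") }'
}

# One handshake attempt: $1=host $2=port $3=version flag (-tls1_2/-tls1_3)
# $4/$5 optional client certificate and key (PEM), the same certificate
# that is installed on the user's device.
probe() {
    host=$1; port=$2; flag=$3; cert=$4; key=$5
    if [ -n "$cert" ]; then
        openssl s_client -connect "$host:$port" "$flag" \
            -cert "$cert" -key "$key" </dev/null 2>/dev/null || true
    else
        openssl s_client -connect "$host:$port" "$flag" </dev/null 2>/dev/null || true
    fi
}

if [ $# -ge 1 ]; then
    host=$1; port=${2:-443}; cert=$3; key=$4
    # Expected after unchecking TLS 1.3 on the SMA: "TLS 1.3: none"
    echo "TLS 1.3: $(probe "$host" "$port" -tls1_3 | negotiated_protocol)"
    out=$(probe "$host" "$port" -tls1_2 "$cert" "$key")
    # Expected: "TLS 1.2: TLSv1.2, client certificate requested"
    echo "TLS 1.2: $(printf '%s\n' "$out" | negotiated_protocol), client certificate $(printf '%s\n' "$out" | client_cert_requested)"
fi
```

If the TLS 1.3 probe still reports a negotiated protocol, the setting has not taken effect yet (the services restart when it is saved).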




