Cisco AnyConnect, OS X and Firefox

When I started work at brightsolid one of the tasks given (or rather one of the tasks I gave myself) was to get the Cisco AnyConnect client working on OS X.

The symptoms are not very helpful in diagnosing the issue, the error you get will be something like “posture assessment failed”. Fortunately Cisco provide an excellent logging tool known as DART (Diagnostic and Reporting Tool). Looking through the DART bundle it was pretty clear that the firewall was rejecting the connection attempt due to a missing user certificate.

On Windows you just need a certificate (issued by a CA that the firewall trusts) installed to the users Personal certificate store.

On OS X adding the certificate to the keychain made no difference. I’m still not 100% sure why but I suspect Apple changed the way certificates worked between major releases and Cisco never got around to fixing it. I do plan to talk to Cisco about this issue at some point so I will post an answer once I have one.

The workaround, which I discovered by looking through the DART logs, was to add the user certificate to the certificate store in Firefox.

Further testing has revealed that it only works for Firefox 3.X anything newer and AnyConnect fails in the same way.

Currently then OS X users with AnyConnect version 2 or newer will need Firefox 3 installed too.

If anyone out there has any further information about this I’d love to learn more or get a permanent fix that doesn’t rely on old browsers!

EDIT: I’ve found that this may be a policy setting on the firewall, despite having been assured this has been checked you can force OSX clients to not check the Keychain for certificates. There may be a way to override this locally so I’ll be trying that first then will look at the firewall config again.