https://community.cisco.com/t5/vpn/anyconnect-ssl-vpn/m-p/3715430#M146753 <P>Hi guys,</P> <P>My VPN is using cert based authentication but we just found out that even non-corporate devices can still connect to the VPN by not checking the "Block Untrusted Servers" in the AnyConnect settings. Is it possible to block those non-corporate devices to connect to the VPN by using certificate alone?</P> <P>&nbsp;</P> <P>Is it possible to block those 3rd party certificate right away?</P> <P>&nbsp;</P> <P>Thanks</P> Sat, 22 Feb 2020 05:28:24 GMT fatalXerror 2020-02-22T05:28:24Z https://community.cisco.com/t5/vpn/anyconnect-ssl-vpn/m-p/3715430#M146753 <P>Hi guys,</P> <P>My VPN is using cert based authentication but we just found out that even non-corporate devices can still connect to the VPN by not checking the "Block Untrusted Servers" in the AnyConnect settings. Is it possible to block those non-corporate devices to connect to the VPN by using certificate alone?</P> <P>&nbsp;</P> <P>Is it possible to block those 3rd party certificate right away?</P> <P>&nbsp;</P> <P>Thanks</P> Sat, 22 Feb 2020 05:28:24 GMT https://community.cisco.com/t5/vpn/anyconnect-ssl-vpn/m-p/3715430#M146753 fatalXerror 2020-02-22T05:28:24Z https://community.cisco.com/t5/vpn/anyconnect-ssl-vpn/m-p/3715442#M146754 <P>I think you are mixing up the certificate on the server (which is what the check box you mentioned covers) vs. a certificate on the clients.</P> <P>&nbsp;</P> <P>Certificate-based client authentication requires the actual certificate and private key to be present on the client. While it's possible (in most cases) to copy the client certificate to another device it's much more involved than unchecking a checkbox.</P> <P>&nbsp;</P> <P>Confirm your authentication type via the command:</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp;show run tunnel-group</P> <P>&nbsp;</P> <P>The output should include a subcommand indicating the type of authentication being used.</P> Sat, 29 Sep 2018 07:14:27 GMT https://community.cisco.com/t5/vpn/anyconnect-ssl-vpn/m-p/3715442#M146754 Marvin Rhoads 2018-09-29T07:14:27Z https://community.cisco.com/t5/vpn/anyconnect-ssl-vpn/m-p/3715444#M146755 <P>Yes, this is possible, But depends on how you configured, check the below configuration to help you.</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-blogs/anyconnect-certificate-based-authentication/ba-p/3105546" target="_blank">https://community.cisco.com/t5/security-blogs/anyconnect-certificate-based-authentication/ba-p/3105546</A></P> <P>&nbsp;</P> <P>How is the certificate installed to devices, is this pre-defined certificate as part of build ?</P> Sat, 29 Sep 2018 07:21:48 GMT https://community.cisco.com/t5/vpn/anyconnect-ssl-vpn/m-p/3715444#M146755 balaji.bandi 2018-09-29T07:21:48Z