topic Re: Certificate Select Pop up - Anyconnect in Network Access Control

Certificate Select Pop up - Anyconnect

AK002 — Thu, 29 Apr 2021 12:57:54 GMT

Hi,

Recently through GPU installed MS teams certificate on all Desktop machines,

Now two Certificates are popping up on Desktop machines causing a hindrance.

Wired connection is autostartup on Anyconnect supplicant and then its giving a choice of two certificates.

We want to just automatically set the one with domain certificate to take effect - Trying to amend the configuration.xml file result in renaming it to configuration_bad and result not working.

Where we need to take care of this configuration we tried to edit the any connect xml but not helped.

Any changes or configuration needed from ISE to set the same.

Attached the popup message, The AnyConnect asking the user to choose the certificates in the list to connect

Regards,

Re: Certificate Select Pop up - Anyconnect

Mike.Cifelli — Thu, 29 Apr 2021 13:48:23 GMT

You can configure certificate matching using the NAM profile editor, which can be downloaded here:

Software Download - Cisco Systems

Open up the AnyConnect NAM profile editor, then open configuration.xml. Not sure what protocol you are using, but see the 'Credentials' tab & reference 'Certificate Matching Rule' section. Then identify a unique attribute that differentiates between the two certs. HTH!

Re: Certificate Select Pop up - Anyconnect

AK002 — Thu, 29 Apr 2021 14:11:44 GMT

Mike, I think exactly what we have tried chooses the 'Use certificate matching' and tried to select issuer.CN and gave .xx.aaa.com, But when we tried that same message happening again. PFA

Re: Certificate Select Pop up - Anyconnect

Mike.Cifelli — Thu, 29 Apr 2021 15:16:10 GMT

Are you referencing a unique identifier that is not found on both certs? Double check to ensure that you are using the right criteria, by this I mean if you are using contains, then you can use a modified string to match. If using EQUALS then you have to have the exact attribute.

Re: Certificate Select Pop up - Anyconnect

AK002 — Fri, 30 Apr 2021 10:13:35 GMT

Mike, Can you suggest some exact example. We have tried to select the Issuer CN and mention the domain then selected 'matches' option but that not worked.

Re: Certificate Select Pop up - Anyconnect

Mike.Cifelli — Fri, 30 Apr 2021 18:31:28 GMT

Without knowing what the attributes are for each cert exactly I can't really point out an example that would relate to your case. Also, I am not really sure I am following your 'matches' comment as the two options for certificate matching in the NAM profile editor are:

'Equals' or 'Includes'

Make sure that the CN mentioning the domain is not also a part of the other cert's CN.

Re: Certificate Select Pop up - Anyconnect

hslai — Mon, 03 May 2021 02:29:04 GMT

The AnyConnect Admin Guide has some details --

Set up Network Access Manager to Choose Correct Certificate

If it not working for you, best to engage Cisco TAC for help.

Note this known issue -- CSCvr54037 NAM PE not Saving user Defined EKU for Cert Matching Rule-Machine EAP-TLS

Re: Certificate Select Pop up - Anyconnect

AK002 — Thu, 06 May 2021 10:09:55 GMT

Hi,

We just upgraded the cisco Any connect mobility client to 4.9 and now this started working as per the attributes specified under credientials tab.

CSCvr54037 - This bug specifies issue with 4.7 version may be the issue resides on the NAM editor and Any connect version

Thanks for your Help ..