Cisco AnyConnect 4.6.X & Certificate issue with Dual Usage

Hello Everyone,

Tossing this up here to see what folks' thoughts are. First, to state the issue.

We have devices with 2 certificates used for the same purpose (authentication). One cert is issued to the user, the other is issued to the device. The device certificate has an extended property to use it for authentication. We use Cisco AnyConnect, and basically when it requests a certificate it often requests the DEVICE-issued cert first, which will not work for authenticating on our VPN. We work with a large user base where this was apparently not considered, but it is proving to be a problem as users are not selecting the correct certificate and are experiencing issues authenticating.

My goals

  • A solution that would remove the machine-issued certificate from the offered certificates when AnyConnect launches.
  • A means to deploy this to 100+ machines.

Part of the issue is that we cannot modify either actual certificate due to their issuer having particular requirements; as such, I am trying to find a way to manipulate the way the software actually uses them instead. I am circling the idea of using the fact that each cert is issued to a different identity (one is issued to the device, the other to the user), but I am unsure how to use that. I haven't messed with Profile Editor because, to my understanding, that is on a case-by-case basis, and so configuring 100+ user profiles manually strikes me as a bad idea and will likely result in there being some slipping through the cracks. So I am hoping to solicit some enterprise-aimed ideas.

Any thoughts?

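As an added example (not from the original post, and not Cisco's own sample), an AnyConnect client profile fragment that limits certificate selection to the user's store and additionally filters out any certificate whose subject carries the device-identity naming; the `OU` name and the `Devices` pattern are placeholder assumptions, to be replaced with whatever field actually distinguishes the two certificates' subjects.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Search only the current user's certificate store. A certificate
         issued to the device is normally enrolled into the machine store,
         so this alone hides it from the selection prompt on most hosts. -->
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>

    <CertificateMatch>
      <!-- Defence in depth: exclude any certificate whose subject contains
           the device OU, in case the device cert ends up in the user store.
           "OU" / "Devices" are placeholders (assumed), not values from the post. -->
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="NotEqual" Wildcard="Disabled" MatchCase="Enabled">
          <Name>OU</Name>
          <Pattern>Devices</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>
```

A profile configured on the ASA head-end is downloaded by every AnyConnect client on its next connection, so the filter reaches all machines without per-user editing. Verify on a test host that the user certificate still matches the rule before rolling it out, since a NotEqual rule that accidentally matches both certificates leaves the user with nothing to authenticate with.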