cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4425
Views
5
Helpful
7
Replies

Certificate Select Pop up - Anyconnect

AK002
Level 1
Level 1

Hi,

 

Recently through GPU installed MS teams certificate on all Desktop machines,

Now two Certificates are popping up on Desktop machines causing a hindrance.

Wired connection is autostartup on Anyconnect supplicant and then its  giving a choice of two certificates.

 

We want to just automatically set the one with domain certificate to take effect  - Trying to amend the configuration.xml file result in renaming it to configuration_bad and result not working. 

 

Where we need to take care of this configuration we tried to edit the any connect xml but not helped. 

 

Any changes or configuration needed from ISE to set the same. 

 

Attached the popup message, The AnyConnect asking the user to choose the certificates in the list to connect 

 

Regards,

AK

7 Replies 7

Mike.Cifelli
VIP Alumni
VIP Alumni

You can configure certificate matching using the NAM profile editor, which can be downloaded here:

Software Download - Cisco Systems

Open up the AnyConnect NAM profile editor, then open configuration.xml.  Not sure what protocol you are using, but see the 'Credentials' tab & reference 'Certificate Matching Rule' section.  Then identify a unique attribute that differentiates between the two certs.  HTH!

Mike, I think exactly what we have tried chooses the 'Use certificate matching' and tried to select issuer.CN and gave .xx.aaa.com, But when we tried that same message happening again. PFA 

Mike.Cifelli
VIP Alumni
VIP Alumni

Are you referencing a unique identifier that is not found on both certs? Double check to ensure that you are using the right criteria, by this I mean if you are using contains, then you can use a modified string to match.  If using EQUALS then you have to have the exact attribute.

Mike, Can you suggest some exact example. We have tried to select the Issuer CN and mention the domain then selected 'matches' option but that not worked. 

Mike.Cifelli
VIP Alumni
VIP Alumni

Without knowing what the attributes are for each cert exactly I can't really point out an example that would relate to your case.  Also, I am not really sure I am following your 'matches' comment as the two options for certificate matching in the NAM profile editor are:

'Equals' or 'Includes'

Make sure that the CN mentioning the domain is not also a part of the other cert's CN.  

hslai
Cisco Employee
Cisco Employee

The AnyConnect Admin Guide has some details -- 

If it not working for you, best to engage Cisco TAC for help.

Note this known issue -- CSCvr54037 NAM PE not Saving user Defined EKU for Cert Matching Rule-Machine EAP-TLS

 

Hi, 

 

We just upgraded the cisco Any connect mobility client to 4.9 and now this started working as per the attributes specified under credientials tab.  

 

CSCvr54037 - This bug specifies issue with 4.7 version may be the issue resides on the NAM editor and Any connect version 

 

Thanks for your Help ..