04-29-2021 05:57 AM
Hi,
Recently, through GPO, we installed the MS Teams certificate on all desktop machines.
Now two certificates are popping up on the desktop machines, causing a hindrance.
The wired connection autostarts on the AnyConnect supplicant and then it gives a choice of two certificates.
We want the one with the domain certificate to be selected automatically. Trying to amend the configuration.xml file results in it being renamed to configuration_bad and it does not work.
Where do we need to take care of this configuration? We tried to edit the AnyConnect XML but it did not help.
Are any changes or configuration needed from ISE to set this?
Attached is the popup message: AnyConnect asks the user to choose a certificate from the list to connect.
Regards,
AK
04-29-2021 06:48 AM
You can configure certificate matching using the NAM profile editor, which can be downloaded here:
Software Download - Cisco Systems
Open up the AnyConnect NAM profile editor, then open configuration.xml. Not sure what protocol you are using, but see the 'Credentials' tab and reference the 'Certificate Matching Rule' section. Then identify a unique attribute that differentiates between the two certs. HTH!
04-29-2021 07:11 AM
04-29-2021 08:16 AM
Are you referencing a unique identifier that is not found on both certs? Double check to ensure that you are using the right criteria; by this I mean if you are using Contains, then you can use a modified string to match. If using Equals then you have to have the exact attribute.
04-30-2021 03:13 AM
Mike, can you suggest an exact example? We have tried to select the Issuer CN, mention the domain, and then select the 'matches' option, but that has not worked.
04-30-2021 11:31 AM
Without knowing exactly what the attributes are for each cert, I can't really point out an example that would relate to your case. Also, I am not really sure I am following your 'matches' comment, as the two options for certificate matching in the NAM profile editor are:
'Equals' or 'Includes'
Make sure that the CN mentioning the domain is not also a part of the other cert's CN.
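To illustrate the point above about 'Equals' versus 'Includes', here is an added example (not from the thread or from Cisco's NAM editor) that models the two operators over two constructed certificate descriptions and reports whether a rule narrows the choice to a single cert, which is what stops the selection prompt. The certificate attribute values, the tuple form of the rules and the case-insensitive comparison are assumptions for this illustration, not the NAM configuration.xml schema.

```python
# Constructed stand-ins for the two client certs seen on the desktops.
# Both issuer CNs contain the domain string, which is the trap the answer warns about.
CERTS = {
    "domain-cert": {
        "subject_cn": "DESKTOP01.corp.example",
        "issuer_cn": "corp.example Issuing CA",
    },
    "teams-cert": {
        "subject_cn": "DESKTOP01.corp.example",
        "issuer_cn": "corp.example Teams Device CA",
    },
}


def attribute_matches(value: str, operator: str, pattern: str) -> bool:
    """Evaluate one rule clause: 'Equals' needs the whole attribute value,
    'Includes' only a substring. Case-insensitive comparison is an assumption."""
    v, p = value.lower(), pattern.lower()
    if operator == "Equals":
        return v == p
    if operator == "Includes":
        return p in v
    raise ValueError(f"unknown operator {operator!r}")


def select_certificates(certs, rules):
    """Return the sorted names of certs that satisfy every clause of the rule.
    A rule is a list of (attribute, operator, pattern) tuples (constructed form)."""
    return sorted(
        name
        for name, attrs in certs.items()
        if all(attribute_matches(attrs[attr], op, pat) for attr, op, pat in rules)
    )


def rule_is_unambiguous(certs, rules) -> bool:
    """True only when exactly one cert matches, i.e. the user is not prompted."""
    return len(select_certificates(certs, rules)) == 1


if __name__ == "__main__":
    for rule in (
        [("issuer_cn", "Includes", "corp.example")],          # matches both -> prompt
        [("issuer_cn", "Includes", "Issuing CA")],            # unique substring
        [("issuer_cn", "Equals", "corp.example Issuing CA")],  # exact issuer
    ):
        print(rule, "->", select_certificates(CERTS, rule),
              "unambiguous" if rule_is_unambiguous(CERTS, rule) else "AMBIGUOUS")
```

The first rule reproduces the situation in the question: a domain substring that appears in both issuer CNs matches both certs, so the supplicant still has to ask the user.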
05-02-2021 07:29 PM
The AnyConnect Admin Guide has some details --
If it is not working for you, it is best to engage Cisco TAC for help.
Note this known issue -- CSCvr54037 NAM PE not Saving user Defined EKU for Cert Matching Rule-Machine EAP-TLS
05-06-2021 03:09 AM
Hi,
We just upgraded the Cisco AnyConnect Mobility Client to 4.9 and now this has started working as per the attributes specified under the Credentials tab.
CSCvr54037 - This bug describes an issue with version 4.7; maybe the issue resides in the NAM editor and AnyConnect version.
Thanks for your help.