Solved: ASA - AnyConnect - Want to terminate user based on certicate

kennethhandberg · ‎09-28-2021

Hello,

We are using AnyConnect AlwaysOn with certicate auth.
When PCs are stolen (it happens) - I would like to terminate the specific PC based on certicate name or PC name.

In the log, it looks like the PC-name comes in as Username

"Group <RemoteAccess-Cert-GrpPolicy> User <VK32851.domain.name>"

Can I just create a DAP where I terminate on Username?

Rob Ingram · ‎09-28-2021

@kennethhandberg

Ideally you'd revoke the certificate and get the ASA to check the CRL, which would then deny the connection.

Yes, DAP seems like a good alternative, match the username and terminate the connection.

View solution in original post

Rob Ingram · ‎09-28-2021

@kennethhandberg

Ideally you'd revoke the certificate and get the ASA to check the CRL, which would then deny the connection.

Yes, DAP seems like a good alternative, match the username and terminate the connection.

kennethhandberg · ‎09-30-2021

Hello Rob,

Thanks for answering.
I'm gonna use OCSP for validation instead of CRL