I am doing a proof of concept with AnyConnect and certificate authentication. With 3.0 I was able to do this with a certificate from my CA and a client cert on a smartcard. I have upgraded to 3.1 and now it doesn't work anymore (I need 3.1 and ASA 9.0 because of IPv6 split tunneling).
Reading the forum, I got some info that the ASA cert must have an EKU value of 'Server Authentication' and the client cert must have a similar EKU (Client Authentication).
Is this mandatory or is there a way around this?
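A quick way to verify what the post above is asking about, before changing anything on the ASA: read the Extended Key Usage out of the ASA trustpoint cert and the client cert with OpenSSL. This is an added example, not part of the original thread and not Cisco code. It generates two throwaway self-signed certs (one carrying serverAuth, one carrying clientAuth, plus one with no EKU at all) so it runs offline; in practice you would point eku_of at the exported ASA identity cert and the smartcard cert instead. Requires OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the EKU of X.509 certs with OpenSSL.
# The certificates below are constructed throwaways; substitute real PEM files.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [EKU]  - self-signed cert in $WORK/NAME.pem; EKU is an OpenSSL
# extendedKeyUsage name such as serverAuth or clientAuth, or empty for no EKU.
make_cert() {
  name=$1
  eku=${2:-}
  if [ -n "$eku" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
      -addext "extendedKeyUsage = $eku" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# eku_of CERT.pem - print the human-readable EKU list, or "none" if the
# certificate has no Extended Key Usage extension.
eku_of() {
  out=$(openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; sub(/^ */, ""); print; exit }')
  if [ -z "$out" ]; then
    echo none
  else
    echo "$out"
  fi
}

# eku_has CERT.pem "TLS Web Server Authentication" - exit 0 if that usage is present.
eku_has() {
  case "$(eku_of "$1")" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Stand-alone demonstration: what a correctly-issued ASA cert, a client cert and a
# cert with no EKU look like through the same check.
make_cert asa    serverAuth
make_cert client clientAuth
make_cert noeku
for c in asa client noeku; do
  printf '%-7s EKU: %s\n' "$c" "$(eku_of "$WORK/$c.pem")"
done
if eku_has "$WORK/asa.pem" "TLS Web Server Authentication"; then
  echo "asa.pem is usable as a server (ASA trustpoint) certificate"
fi
if ! eku_has "$WORK/noeku.pem" "TLS Web Client Authentication"; then
  echo "noeku.pem would not satisfy a Client Authentication EKU requirement"
fi
```

To check the real certificates, export the ASA identity cert and the smartcard cert as PEM and run eku_of on each; a cert with both usages prints them comma-separated on one line, and "none" means the extension is absent entirely, which is a different situation from an EKU that is present but lacks the needed usage.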
Just to add to this.
AnyConnect 3.1 started KU enforcement, but typically it will drop a warning you can accept (annoying but not blocking).
EKU is something that, for the time being, ASA will not enforce; plus it's only needed for IKEv2/IPsec. AFAIR SSL will work without it, unless there have been big changes I'm not aware of.
One can also argue EKU enforcement will not, strictly speaking, be enforced in the future for IKEv2.
Are you sure the enforcement is not mandatory?
Something is happening in the client side for sure.
I have an ASA running 9.0; with AnyConnect 3.0 I can authenticate with a smartcard certificate, with 3.1 it doesn't work.
It authenticates (at least that's what I see in the ASA logs), but then the client just disconnects...
PS - I am using a self-signed cert for the ASA trustpoint. With AAA authentication it works.
PS2 - I am getting lots of "CAPICERTUTILS_ERROR_*" in the AnyConnect log.
I have tried some of the workarounds (EKU on certificates, CN matching in the .xml) to no avail.
I will post this info so it can help anyone with the same problem.
After some weeks with a case open with TAC (and lots of debugging), the solution was to upgrade to the newest version of AnyConnect (3.1.2040, released on 28 January 2013).