Anyconnect VPN Certificate-matching not working

heiki saaver
Level 1

Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg

Hello, I am trying to implement Certificate Matching for certain client profiles. However, 'certificate matching' does not seem to work; another certificate is always selected instead for AnyConnect SSL VPN authentication.

For example, the client has two client certificates installed: masin2 and masin3. I have configured the client-profile certificate matching to use masin2 for authentication, but AnyConnect still chooses masin3 instead.

The client-profile looks like this:

<CertificateMatch>
    <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
    </KeyUsage>
    <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
    </ExtendedKeyUsage>
    <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
            <Name>CN</Name>
            <Pattern>masin2</Pattern>
        </DistinguishedNameDefinition>
    </DistinguishedName>
</CertificateMatch>

Any suggestions/ideas? Thanks for any input,

heiki.

7 Replies

bravotom99
Level 1

Try enabling the wildcard and see if it works. I'd also get rid of the KeyUsage and ExtendedKeyUsage just to see if it works with just the CN check, and then add them back as needed.

Enabling wildcard did not help. Also tried disabling/enabling automatic certificate selection, no luck.

I have also tried with and without different KeyUsage and ExtendedKeyUsage settings, no difference.

The client profile is correctly updated on the client PC every time a change is made, but it seems like AnyConnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example CertificateStore, RetainVpnOnLogoff, UseStartBeforeLogon, and so on).

I even upgraded AnyConnect to the latest version 3.1.05160 and still, AnyConnect completely ignores the CertificateMatch configuration in the client profile.

Can you share the tunnel-group-map configuration in which you enable the rules and tell the ASA to match a certificate map?

(Reference this configuration guide section.)

Isn't that IPsec specific?

I'm using SSL VPN and, as far as I know, the client-side certificate matching happens locally on the client PC, not on the ASA. I need the client PC to choose one of many certificates from the "current user" certificate store.

heiki saaver
Level 1
Accepted Solution

Issue was solved. I had to include the ASA name/IP entry in the Client-Profile's serverlist.

For example:

Host Display Name (required): myASAname
FQDN or IP address: myASAname

With that configured the certificate matching works as needed.
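The behaviour described in this solution, modelled in Python so the two situations can be compared side by side: the same CertificateMatch with and without a ServerList entry for the ASA. This is an added example and not Cisco's code or anything posted in the thread. It assumes a simplified reading of the profile semantics (KeyUsage and ExtendedKeyUsage as subset checks, DistinguishedName as an Equal/Wildcard/MatchCase pattern test, and the filter only honoured when the host being connected to appears as a HostAddress in the ServerList); the two certificates are constructed dicts rather than real X.509 objects, their ordering is constructed so that masin3 wins when no filter applies, and `myASAname` is the placeholder host from the post.

```python
"""Model of how an AnyConnect client profile's CertificateMatch filter is
(or is not) applied.  Added example, not Cisco's code.  Assumptions:
certificate matching is a subset check on KeyUsage / ExtendedKeyUsage plus
a DistinguishedName pattern test, and the filter is only honoured when the
ASA being connected to appears as a HostAddress in the profile's ServerList.
"""
import xml.etree.ElementTree as ET

# Constructed profile: the CertificateMatch from the original post, no ServerList.
# Only the elements relevant to this example are included.
PROFILE_NO_SERVERLIST = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
          <Name>CN</Name>
          <Pattern>masin2</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>
"""

# The fix from the accepted solution: a ServerList entry for the ASA
# (myASAname is the placeholder host name used in the post).
SERVER_LIST = """  <ServerList>
    <HostEntry>
      <HostName>myASAname</HostName>
      <HostAddress>myASAname</HostAddress>
    </HostEntry>
  </ServerList>
"""
PROFILE_WITH_SERVERLIST = PROFILE_NO_SERVERLIST.replace(
    "</AnyConnectProfile>", SERVER_LIST + "</AnyConnectProfile>")

# Constructed certificates standing in for the two client certs in the post.
# masin3 is listed first so that, with no filter applied, it is the one picked.
CERTS = [
    {"dn": {"CN": "masin3"}, "key_usage": {"Key_Encipherment", "Digital_Signature"}, "eku": {"ClientAuth"}},
    {"dn": {"CN": "masin2"}, "key_usage": {"Key_Encipherment", "Digital_Signature"}, "eku": {"ClientAuth"}},
]


def local(tag):
    """Strip an XML namespace prefix: '{uri}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def parse_profile(xml_text):
    """Extract the CertificateMatch criteria and the ServerList host addresses."""
    root = ET.fromstring(xml_text)
    crit = {"key_usage": set(), "eku": set(), "dn": []}
    hosts = set()
    for el in root.iter():
        tag = local(el.tag)
        text = (el.text or "").strip()
        if tag == "MatchKey":
            crit["key_usage"].add(text)
        elif tag == "ExtendedMatchKey":
            crit["eku"].add(text)
        elif tag == "DistinguishedNameDefinition":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            crit["dn"].append({
                "name": fields.get("Name"),
                "pattern": fields.get("Pattern", ""),
                "operator": el.get("Operator", "Equal"),
                "wildcard": el.get("Wildcard", "Disabled") == "Enabled",
                "match_case": el.get("MatchCase", "Disabled") == "Enabled",
            })
        elif tag == "HostAddress":
            hosts.add(text.lower())
    return crit, hosts


def cert_matches(cert, crit):
    """True if the certificate satisfies every CertificateMatch criterion."""
    if not crit["key_usage"] <= cert["key_usage"]:
        return False
    if not crit["eku"] <= cert["eku"]:
        return False
    for rule in crit["dn"]:
        value, pattern = cert["dn"].get(rule["name"], ""), rule["pattern"]
        if not rule["match_case"]:
            value, pattern = value.lower(), pattern.lower()
        hit = (pattern in value) if rule["wildcard"] else (value == pattern)
        if rule["operator"] == "NotEqual":
            hit = not hit
        if not hit:
            return False
    return True


def select_certificate(profile_xml, asa_host, certs):
    """Return (chosen CN or None, whether the CertificateMatch filter was applied)."""
    crit, hosts = parse_profile(profile_xml)
    filter_applied = asa_host.lower() in hosts
    candidates = [c for c in certs if cert_matches(c, crit)] if filter_applied else list(certs)
    chosen = candidates[0]["dn"]["CN"] if candidates else None
    return chosen, filter_applied


if __name__ == "__main__":
    for label, profile in (("no ServerList", PROFILE_NO_SERVERLIST), ("with ServerList", PROFILE_WITH_SERVERLIST)):
        print(label, "->", select_certificate(profile, "myASAname", CERTS))
```

Running it shows the poster's symptom first (filter skipped, masin3 chosen) and the fixed profile second (filter applied, masin2 chosen). Note that the host check is against the address the client actually connects to, so connecting to a name that is not in the ServerList puts the profile back into the unfiltered case.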

Thanks for sharing the solution!

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html

You must include the ASA in the VPN profile’s server list in order for the client GUI to display all user controllable settings on the first connection. If you do not add the ASA address or FQDN as a host entry in the profile, then filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but you do not add the ASA as a host entry in that profile, the certificate match is ignored.
