Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg
Hello, I am trying to implement Certificate Matching for certain client profiles. However, 'certificate matching' does not seem to work: another certificate is always selected instead for AnyConnect SSL VPN authentication.
For example, the client has two client certificates installed: masin2 and masin3. I have configured the client-profile certificate matching to use masin2 for authentication, but AnyConnect still chooses masin3 instead.
The client-profile looks like this:
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
Any suggestions/ideas? thanks for any input,
Try enabling the wildcard and see if it works. I'd also get rid of the KeyUsage and ExtendedKeyUsage just to see if it works with just the CN check, and then add them back as needed.
Enabling wildcard did not help. Also tried disabling/enabling automatic certificate selection: no luck.
I have also tried with and without different keyusage and extendedkeyusage- no difference.
The client profile is correctly updated on the client PC every time a change is made, but it seems like AnyConnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: CertificateStore, RetainVpnOnLogoff, UseStartBeforeLogon and so on).
I even upgraded AnyConnect to the latest version 3.1.05160 and still AnyConnect completely ignores the CertificateMatch configuration in the client profile.
Can you share the tunnel-group-map configuration in which you enable the rules and tell the ASA to match a certificate map?
(Reference this configuration guide section.)
Isn't that IPsec specific?
I'm using SSL VPN and, as far as I know, the client-side certificate matching happens locally on the client PC, not on the ASA. I need the client PC to choose one of many certificates from the "current user" certificate store.
You must include the ASA in the VPN profile’s server list in order for the client GUI to display all user controllable settings on the first connection. If you do not add the ASA address or FQDN as a host entry in the profile, then filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but you do not add the ASA as a host entry in that profile, the certificate match is ignored.
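The requirement above, worked through as an added example that is not part of this thread: a small Python checker that parses a constructed AnyConnect profile, reports whether the ASA is present in the ServerList (without it the CertificateMatch filter is ignored, as described), and shows which of the two installed certificates the DistinguishedName rule would select. Element names follow the standard AnyConnect profile schema, the host name vpn.example.test and the certificate subjects are constructed, and treating `*` as the only wildcard is an assumption.

```python
import re
import xml.etree.ElementTree as ET
# Constructed profile (schema element names assumed from the standard AnyConnect
# profile): CN must equal masin2, and the ASA is listed so the match is applied.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
          <Name>CN</Name>
          <Pattern>masin2</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.test</HostName>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
CERTS = [{"CN": "masin2"}, {"CN": "masin3"}]  # constructed client certs, keyed by subject attribute

def asa_in_server_list(profile_xml, asa_host):
    """True if asa_host appears as a HostName/HostAddress under <ServerList>."""
    root = ET.fromstring(profile_xml)
    hosts = {e.text.strip() for e in root.iterfind(".//ac:ServerList/ac:HostEntry/*", NS) if e.text}
    return asa_host in hosts

def dn_rules(profile_xml):
    """Extract (Operator, Wildcard, MatchCase, Name, Pattern) from each DN definition."""
    root = ET.fromstring(profile_xml)
    return [(d.get("Operator"), d.get("Wildcard") == "Enabled", d.get("MatchCase") == "Enabled",
             d.find("ac:Name", NS).text, d.find("ac:Pattern", NS).text)
            for d in root.iterfind(".//ac:CertificateMatch//ac:DistinguishedNameDefinition", NS)]

def cert_matches(subject, rules):
    """Apply every DN rule to a subject dict; '*' is the only wildcard honoured (assumption)."""
    for op, wildcard, match_case, name, pattern in rules:
        value, pat = (subject.get(name, ""), pattern) if match_case else (subject.get(name, "").lower(), pattern.lower())
        hit = bool(re.fullmatch(".*".join(map(re.escape, pat.split("*"))), value)) if wildcard else value == pat
        if (op == "Equal") != hit:
            return False
    return True

def select_certificates(profile_xml, asa_host, certs):
    """CNs the client would offer: unfiltered when the ASA is missing from ServerList."""
    if not asa_in_server_list(profile_xml, asa_host):
        return [c["CN"] for c in certs]  # match filter silently ignored, as in the thread
    return [c["CN"] for c in certs if cert_matches(c, dn_rules(profile_xml))]
```

Run `select_certificates(PROFILE_XML, "vpn.example.test", CERTS)` to see only masin2 survive, and pass a host that is not in the ServerList to reproduce the "both certificates offered" behaviour the thread describes.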