Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1103
Views
0
Helpful
2
Replies

Cisco AnyConnect - Tunnel Group Match Criteria using Certificates (OR or AND function)

Go to solution
KatoNakatomi
Level 1
Level 1

‎07-01-2019 04:50 AM - edited ‎02-21-2020 09:41 PM

Looking for confirmation if the Certificate to Connection Profile Maps criteria is based on "OR" or "AND" functions.

 

crypto ca certificate map CertMap_Fnct10 10
subject-name attr cn co laptop
subject-name attr cn co desktop

 

For example the matching criteria is looking for presence (contains) "laptop" OR "desktop" in the certificate CN in this example or is this an "AND" function for criteria matching.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎07-01-2019 09:16 AM

Hi,
The criteria is AND, in your example this would fail to match (assuming the certificate has either laptop or desktop value in the subject-alt name and not both). You can just define additional rule priorities on the certificate map, when a connection is made if it does not match the first entry it will move to the next until it either matches or fails.

 

crypto ca certificate map CertMap_Fnct10 10
 subject-name attr cn co laptop
crypto ca certificate map CertMap_Fnct10 20
 subject-name attr cn co desktop

The WebVPN configuration would map the tunnel as required

 

webvpn
 certificate-group-map CERT_MAP 10 TG-2
 certificate-group-map CERT_MAP 20 TG-3

 

HTH

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎07-01-2019 09:16 AM

Hi,
The criteria is AND, in your example this would fail to match (assuming the certificate has either laptop or desktop value in the subject-alt name and not both). You can just define additional rule priorities on the certificate map, when a connection is made if it does not match the first entry it will move to the next until it either matches or fails.

 

crypto ca certificate map CertMap_Fnct10 10
 subject-name attr cn co laptop
crypto ca certificate map CertMap_Fnct10 20
 subject-name attr cn co desktop

The WebVPN configuration would map the tunnel as required

 

webvpn
 certificate-group-map CERT_MAP 10 TG-2
 certificate-group-map CERT_MAP 20 TG-3

 

HTH

 

0 Helpful

Go to solution
KatoNakatomi
Level 1
Level 1
In response to Rob Ingram

‎07-02-2019 12:28 AM

Thanks, we implemented the same change yesterday.

Just needed confirmation this was an AND function.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents