07-01-2019 04:50 AM - edited 02-21-2020 09:41 PM
Looking for confirmation whether the Certificate to Connection Profile Map criteria are based on "OR" or "AND" functions.
crypto ca certificate map CertMap_Fnct10 10
 subject-name attr cn co laptop
 subject-name attr cn co desktop
For example, is the matching criteria looking for the presence (contains) of "laptop" OR "desktop" in the certificate CN in this example, or is this an "AND" function for criteria matching?
07-01-2019 09:16 AM
Hi,
The criteria is AND; in your example this would fail to match (assuming the certificate has either the laptop or the desktop value in the subject-alt name and not both). You can just define additional rule priorities on the certificate map: when a connection is made, if it does not match the first entry it will move to the next until it either matches or fails.
crypto ca certificate map CertMap_Fnct10 10
 subject-name attr cn co laptop
crypto ca certificate map CertMap_Fnct10 20
 subject-name attr cn co desktop
The WebVPN configuration would map the tunnel as required:
webvpn
 certificate-group-map CERT_MAP 10 TG-2
 certificate-group-map CERT_MAP 20 TG-3
HTH
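As an added illustration (not code from the thread or from Cisco), a short Python model of the ASA certificate-map evaluation the answer describes: every rule inside one map entry must hold (AND), entries are tried in ascending priority, and the first matching entry selects the tunnel group. It uses the map name CertMap_Fnct10 in both the map and the certificate-group-map lines (the thread's webvpn block refers to CERT_MAP), the CN values are constructed, and case-insensitive comparison is an assumption.

```python
import re
# ASA certificate-map operators: eq/ne (equals / not equals), co/nc (contains / not).
# Case-insensitive comparison is an assumption; the thread does not discuss case.
OPS = {
    "eq": lambda have, want: have.lower() == want.lower(),
    "ne": lambda have, want: have.lower() != want.lower(),
    "co": lambda have, want: want.lower() in have.lower(),
    "nc": lambda have, want: want.lower() not in have.lower(),
}

def parse_config(text):
    """Collect map entries {(map, prio): [(attr, op, value)]} and the webvpn
    certificate-group-map bindings {(map, prio): tunnel_group}."""
    entries, bindings, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ca certificate map (\S+) (\d+)$", line):
            current = (m.group(1), int(m.group(2)))
            entries.setdefault(current, [])
        elif (m := re.match(r"subject-name attr (\S+) (eq|ne|co|nc) (.+)$", line)) and current:
            entries[current].append((m.group(1).lower(), m.group(2), m.group(3)))
        elif m := re.match(r"certificate-group-map (\S+) (\d+) (\S+)$", line):
            bindings[(m.group(1), int(m.group(2)))] = m.group(3)
    return entries, bindings

def select_tunnel_group(config, subject):
    """subject is the client certificate subject as {attr: value}, e.g. {"cn": ...}.
    Entries are tried in ascending priority; all rules in an entry must hold (AND);
    the first match selects the tunnel group. Rule-less entries are skipped here."""
    entries, bindings = parse_config(config)
    for key in sorted(entries, key=lambda k: k[1]):
        rules = entries[key]
        if rules and all(OPS[op](subject.get(attr, ""), val) for attr, op, val in rules):
            return bindings.get(key)
    return None

# Constructed configs: the original single entry (both rules ANDed) and the split form.
SINGLE_ENTRY = """crypto ca certificate map CertMap_Fnct10 10
 subject-name attr cn co laptop
 subject-name attr cn co desktop
 certificate-group-map CertMap_Fnct10 10 TG-2
"""
SPLIT_ENTRIES = """crypto ca certificate map CertMap_Fnct10 10
 subject-name attr cn co laptop
crypto ca certificate map CertMap_Fnct10 20
 subject-name attr cn co desktop
 certificate-group-map CertMap_Fnct10 10 TG-2
 certificate-group-map CertMap_Fnct10 20 TG-3
"""
```

With the single entry a CN of "laptop-001" matches nothing, while the split entries send it to TG-2 and "desktop-77" to TG-3.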
07-02-2019 12:28 AM
Thanks, we implemented the same change yesterday.
Just needed confirmation this was an AND function.