478 Views · 20 Helpful · 8 Replies

AnyConnect automatic certificate selection

Recently I deployed certificate auth for our remote VPN clients and it works for the most part, but for Win users that have multiple Personal certificates, AnyConnect has no way of selecting the correct machine cert that comes from our CA, so I had to build a bypass for those users to just use AD credentials / MFA.

Does anyone know if there is a way to configure AnyConnect to use a specific cert for authentication based on CA, CN, OU, etc.?

I tried contacting TAC with no help and our Cisco rep as well.

Accepted Solution (stsargen, Cisco Employee)

I am not in TAC, but I would suggest you open a new case and get details as to why they say this will not work.

8 Replies

stsargen (Cisco Employee)

AnyConnect can use several different factors for selecting the certificate to be used. Have you looked at the VPN profile "Certificate Matching" section?

[screenshot: the Certificate Matching section of the AnyConnect VPN profile]

I've had a TAC case opened in regards to this, but they told me that this won't serve my function. Is there a more detailed guide that explains the function of Certificate Matching and how it works?

The AnyConnect admin guide has details on the certificate matching criteria.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/configure_vpn.html?bookSearch=true#ID-1428-000005e1

If TAC said it would not resolve your issue, we would need more details as to why it would not work and the configuration you are trying to use.

I asked them the same exact question that I posted here and they told me that Certificate Matching wouldn't work. Case number: 694091196.

So you're saying that Certificate Matching will work for what I need?

I don't know the exact scenario or configuration (certs etc.) that you have installed so I can't say, but normally this is the solution when you want to narrow down the certs to be used. If you can't find unique criteria to use for the single cert then you might end up with multiple matching. Have you tried it?
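As an added illustration of the "narrow down the certs" advice above (this fragment is not from the original thread or from Cisco), here is the shape of the Certificate Matching block in an AnyConnect client profile XML. It assumes the organisation's issuing CA has the common name "Example Issuing CA" (a constructed placeholder), that the intended certificate is a machine certificate in the Windows machine store, and that the CA sets the Client Authentication extended key usage on it. Element and attribute names are the profile-schema names; the values are the assumption.

```xml
<!-- Added example profile fragment; not from the thread. Element names follow the
     AnyConnect client profile schema, the CA name and store choice are assumptions. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Look in the Windows machine store rather than the user's Personal store.
         CertificateStoreOverride is what permits the machine store to be searched
         when the client is started by a non-administrator. -->
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>

    <CertificateMatch>
      <!-- Key usage / EKU criteria: drop certificates that cannot do TLS client auth. -->
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>

      <!-- Distinguished-name criteria: all definitions must match. Matching on the
           issuer CN is what excludes certificates from other CAs; add a subject OU
           definition if the issuing CA also signs non-VPN certificates. -->
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Issuing CA</Pattern>   <!-- constructed placeholder -->
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>
```

The practical check is the one stsargen describes: pick criteria that match exactly one certificate on the affected Windows machines, since two certificates from the same CA with the same EKU will both match an issuer-only rule. Matching on issuer name is a selection aid for the client only; the ASA/FTD still validates the chain and trustpoint on its side, so this block does not loosen authentication, it only stops the client from offering the wrong certificate. The DART bundle from an affected machine shows which certificates the client considered and which rule rejected them, which is the evidence to bring to a TAC case.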

If I open TAC are you able to help?

I am not in TAC, but I would suggest you open a new case and get details as to why they say this will not work.

Yeah, I'll try again, thanks for your input.