Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2914
Views
20
Helpful
8
Replies

AnyConnect automatic certificate selection

Go to solution
NickBecirovic66634
Level 1
Level 1

‎09-23-2022 11:42 AM

Recently I deployed certificate auth for our remote VPN clients and it works for the most part, but for Win users that have multiple Personal certificates AnyConnect has no way of selecting correct machine cert that is coming from our CA so I had to build a bypass for those users to just use AD cred / MFA.

Does anyone know if there is a way to specify AnyConnect to use specific cert for authentication based on CA or CN, OU...

I tried contacting TAC with no help and our Cisco rep as well.

1 Accepted Solution

Accepted Solutions

Go to solution
stsargen
Cisco Employee
Cisco Employee
In response to NickBecirovic66634

‎09-26-2022 06:38 AM

I am not in TAC, but I would suggest you open a new case and get details as to why they say this will not work.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
stsargen
Cisco Employee
Cisco Employee

‎09-23-2022 12:51 PM - edited ‎09-23-2022 12:51 PM

AnyConnect can use several different factors for selecting the certificate to be used.  Have you looked at the VPN profile "Certificate Matching" section?

stsargen_0-1663962637550.png

 

Go to solution
NickBecirovic66634
Level 1
Level 1
In response to stsargen

‎09-23-2022 01:30 PM

I've had TAC opened in regards to this but they told me that this won't serve my function.  Is there more detailed guide that explains function of Certificate Matching and how it works?

Go to solution
stsargen
Cisco Employee
Cisco Employee
In response to NickBecirovic66634

‎09-23-2022 01:42 PM

Th AnyConnect admin guide has details on the certificate matching criteria.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/configure_vpn.html?bookSearch=true#ID-1428-000005e1

If TAC said it would not resolve your issue, we would need more details as to why it would not work and the configuration you are tying to use.

 

0 Helpful

Go to solution
NickBecirovic66634
Level 1
Level 1
In response to stsargen

‎09-23-2022 02:07 PM

I asked them same exact question that I posted here and they told me that Certificate Matching wouldn't work.  Case number:  694091196.  

So you're saying that Certificate Matching will work for what I need?

Go to solution
stsargen
Cisco Employee
Cisco Employee
In response to NickBecirovic66634

‎09-26-2022 05:13 AM

I don't know the exact scenario or configuration (certs etc) that you have installed so I can't say, but normally this is the solution when you want to narrow down the certs to be used.  If you can't find unique criteria to use for the single cert then you might end up with multiple matching.  Have you tried it?

0 Helpful

Go to solution
NickBecirovic66634
Level 1
Level 1
In response to stsargen

‎09-26-2022 06:21 AM

If I open TAC are you able to help?

0 Helpful

Go to solution
stsargen
Cisco Employee
Cisco Employee
In response to NickBecirovic66634

‎09-26-2022 06:38 AM

I am not in TAC, but I would suggest you open a new case and get details as to why they say this will not work.

0 Helpful

Go to solution
NickBecirovic66634
Level 1
Level 1
In response to stsargen

‎09-26-2022 12:01 PM

Yea I'll try again, thanks for your input.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents