Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
6467
Views
20
Helpful
8
Replies

AnyConnect automatic certificate selection

Go to solution
NickBecirovic66634
Level 1
Level 1

‎09-23-2022 11:42 AM

Recently I deployed certificate auth for our remote VPN clients and it works for the most part, but for Win users that have multiple Personal certificates AnyConnect has no way of selecting correct machine cert that is coming from our CA so I had to build a bypass for those users to just use AD cred / MFA.

Does anyone know if there is a way to specify AnyConnect to use specific cert for authentication based on CA or CN, OU...

I tried contacting TAC with no help and our Cisco rep as well.

1 Accepted Solution

Accepted Solutions

Go to solution
stsargen
Cisco Employee
Cisco Employee
In response to NickBecirovic66634

‎09-26-2022 06:38 AM

I am not in TAC, but I would suggest you open a new case and get details as to why they say this will not work.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
stsargen
Cisco Employee
Cisco Employee

‎09-23-2022 12:51 PM - edited ‎09-23-2022 12:51 PM

AnyConnect can use several different factors for selecting the certificate to be used.  Have you looked at the VPN profile "Certificate Matching" section?

stsargen_0-1663962637550.png

 

Go to solution
NickBecirovic66634
Level 1
Level 1
In response to stsargen

‎09-23-2022 01:30 PM

I've had TAC opened in regards to this but they told me that this won't serve my function.  Is there more detailed guide that explains function of Certificate Matching and how it works?

Go to solution
stsargen
Cisco Employee
Cisco Employee
In response to NickBecirovic66634

‎09-23-2022 01:42 PM

Th AnyConnect admin guide has details on the certificate matching criteria.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/configure_vpn.html?bookSearch=true#ID-1428-000005e1

If TAC said it would not resolve your issue, we would need more details as to why it would not work and the configuration you are tying to use.

 

0 Helpful

Go to solution
NickBecirovic66634
Level 1
Level 1
In response to stsargen

‎09-23-2022 02:07 PM

I asked them same exact question that I posted here and they told me that Certificate Matching wouldn't work.  Case number:  694091196.  

So you're saying that Certificate Matching will work for what I need?

Go to solution
stsargen
Cisco Employee
Cisco Employee
In response to NickBecirovic66634

‎09-26-2022 05:13 AM

I don't know the exact scenario or configuration (certs etc) that you have installed so I can't say, but normally this is the solution when you want to narrow down the certs to be used.  If you can't find unique criteria to use for the single cert then you might end up with multiple matching.  Have you tried it?

0 Helpful

Go to solution
NickBecirovic66634
Level 1
Level 1
In response to stsargen

‎09-26-2022 06:21 AM

If I open TAC are you able to help?

0 Helpful

Go to solution
stsargen
Cisco Employee
Cisco Employee
In response to NickBecirovic66634

‎09-26-2022 06:38 AM

I am not in TAC, but I would suggest you open a new case and get details as to why they say this will not work.

0 Helpful

Go to solution
NickBecirovic66634
Level 1
Level 1
In response to stsargen

‎09-26-2022 12:01 PM

Yea I'll try again, thanks for your input.

0 Helpful
Top