09-23-2022 11:42 AM
Recently I deployed certificate auth for our remote VPN clients, and it works for the most part, but for Windows users that have multiple Personal certificates, AnyConnect has no way of selecting the correct machine cert that is coming from our CA, so I had to build a bypass for those users to just use AD creds / MFA.
Does anyone know if there is a way to specify that AnyConnect use a specific cert for authentication based on CA, CN, OU, etc.?
I tried contacting TAC with no help, and our Cisco rep as well.
Labels: AnyConnect, Clientless SSL, Remote Access, VPN
Accepted Solutions
09-26-2022 06:38 AM
I am not in TAC, but I would suggest you open a new case and get details as to why they say this will not work.
09-23-2022 12:51 PM - edited 09-23-2022 12:51 PM
AnyConnect can use several different factors for selecting the certificate to be used. Have you looked at the VPN profile "Certificate Matching" section?
09-23-2022 01:30 PM
I've had a TAC case open regarding this, but they told me that this won't serve my function. Is there a more detailed guide that explains the function of Certificate Matching and how it works?
09-23-2022 01:42 PM
The AnyConnect admin guide has details on the certificate matching criteria.
If TAC said it would not resolve your issue, we would need more details as to why it would not work and the configuration you are trying to use.
09-23-2022 02:07 PM
I asked them the same exact question that I posted here, and they told me that Certificate Matching wouldn't work. Case number: 694091196.
So you're saying that Certificate Matching will work for what I need?
09-26-2022 05:13 AM
I don't know the exact scenario or configuration (certs etc.) that you have installed, so I can't say, but normally this is the solution when you want to narrow down the certs to be used. If you can't find unique criteria to use for the single cert, then you might end up with multiple matches. Have you tried it?
09-26-2022 06:21 AM
If I open TAC are you able to help?
09-26-2022 12:01 PM
Yeah, I'll try again, thanks for your input.
