
AnyConnect Client Profile Editor Bug

khash
Community Member

Hi, 

I believe there is a bug with AnyConnect - Client Profile Editor (both the software version and the cloud editor in Cisco Cloud Client Management portal).

In the certificate matching section, when you enable "Match only certificates with extended key usage" it doesn't actually get enabled and does not apply to the XML file.

The option for "Match only certificates with key usage" works correctly. Just the one for extended key usage seems to have an issue.


aleabrahao
Meraki Community All-Star

The user interface element exists, but it is either not correctly mapped to the XML schema, or the underlying XML element is obsolete/not compatible with current versions of the Secure Client.

This results in the absence of a <ExtendedKeyUsage> flag or equivalent, causing a silent failure (no warning in the editor).

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

khash
Community Member

Hi @aleabrahao 

<ExtendedKeyUsage> is related to a different setting which is working fine in my case. 

When you enable "Match only certificates with key usage", the editor correctly adds the element <MatchOnlyCertsWithKU>.

Therefore, when enabling "Match only certificates with extended key usage" I would expect an XML element along the lines of <MatchOnlyCertsWithEKU>, but no such thing is added. And when you reopen the XML using the editor, it shows the option as unchecked. This just means the editor doesn't do anything when you check this option.

Is Cisco decommissioning this setting from the editors? If not, could Cisco look into fixing this?
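
An added example, not part of the thread and not Cisco's code: one way to confirm what the editor actually wrote is to diff the profile XML saved before and after ticking the options. The profile layout in the sample is constructed, and `MatchOnlyCertsWithEKU` is only the name the poster expected, not a confirmed schema element.

```python
import xml.etree.ElementTree as ET

# Names from the thread. MatchOnlyCertsWithEKU is the poster's guess (assumption).
EXPECTED = ("MatchOnlyCertsWithKU", "MatchOnlyCertsWithEKU")

# Constructed sample profiles: saved before and after ticking both options.
BEFORE = """
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization><CertificateMatch/></ClientInitialization>
</AnyConnectProfile>"""
AFTER = """
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <MatchOnlyCertsWithKU>true</MatchOnlyCertsWithKU>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>"""

def local(tag):
    """Drop the XML namespace: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]

def settings(profile_xml):
    """Map the path of every leaf element to its text value."""
    out = {}
    def walk(el, path):
        here = path + [local(el.tag)]
        children = list(el)
        if not children:
            out["/".join(here)] = (el.text or "").strip()
        for child in children:
            walk(child, here)
    walk(ET.fromstring(profile_xml.strip()), [])
    return out

def check_saved_profile(before_xml, after_xml, expected=EXPECTED):
    """Return (settings the save added or changed, expected names still absent)."""
    before, after = settings(before_xml), settings(after_xml)
    changed = {p: v for p, v in after.items() if before.get(p) != v}
    present = {p.rsplit("/", 1)[-1] for p in after}
    missing = [name for name in expected if name not in present]
    return changed, missing

if __name__ == "__main__":
    changed, missing = check_saved_profile(BEFORE, AFTER)
    print("written by the save:", changed)
    print("expected but absent:", missing)
```
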

aleabrahao
Meraki Community All-Star

I suggest you open a support case.
