03-31-2014 02:57 AM - edited 02-21-2020 07:34 PM
Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg
Hello, I am trying to implement Certificate Matching for certain client profiles. However, 'certificate matching' does not seem to work: another certificate is always selected instead for AnyConnect SSL VPN authentication.
For example, the client has two client certificates installed: masin2 and masin3. I have configured the client-profile certificate matching to use masin2 for authentication, but AnyConnect still chooses masin3 instead.
The client-profile looks like this:
<CertificateMatch>
    <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
    </KeyUsage>
    <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
    </ExtendedKeyUsage>
    <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
            <Name>CN</Name>
            <Pattern>masin2</Pattern>
        </DistinguishedNameDefinition>
    </DistinguishedName>
</CertificateMatch>
Any suggestions/ideas? Thanks for any input,
heiki.
04-09-2014 01:55 AM
Issue was solved. I had to include the ASA name/IP entry in the Client-Profile's serverlist.
For example:
Host Display Name (required): myASAname
FQDN or IP address: myASAname
With that configured the certificate matching works as needed.
03-31-2014 11:27 AM
Try enabling the wildcard and see if it works. I'd also get rid of the KeyUsage and ExtendedKeyUsage just to see if it works with just the CN check, and then add them back as needed.
04-01-2014 12:20 AM
Enabling the wildcard did not help. I also tried disabling/enabling automatic certificate selection, with no luck.
I have also tried with and without different KeyUsage and ExtendedKeyUsage settings, with no difference.
The client profile is correctly updated on the client PC every time a change is made, but it seems like AnyConnect is not evaluating the CertificateMatch fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: CertificateStore, RetainVpnOnLogoff, UseStartBeforeLogon and so on).
I even upgraded AnyConnect to the latest version, 3.1.05160, and still AnyConnect completely ignores the CertificateMatch configuration in the client profile.
04-01-2014 11:23 AM
Can you share the tunnel-group-map configuration in which you enable the rules and tell the ASA to match a certificate map?
(Reference this configuration guide section.)
04-02-2014 01:05 AM
Isn't that IPsec specific?
I'm using SSL VPN and, as far as I know, the client-side certificate matching happens locally on the client PC, not on the ASA. I need the client PC to choose one of many certificates from the "current user" certificate store.
04-09-2014 08:04 AM
Thanks for sharing the solution!
09-05-2017 01:01 PM
You must include the ASA in the VPN profile’s server list in order for the client GUI to display all user controllable settings on the first connection. If you do not add the ASA address or FQDN as a host entry in the profile, then filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but you do not add the ASA as a host entry in that profile, the certificate match is ignored.
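As an added example (not code from the thread or from Cisco), a small Python evaluator for the CertificateMatch block posted above together with the ServerList rule the thread arrived at. The HostEntry/HostName/HostAddress element names, the any-of semantics for KeyUsage and ExtendedKeyUsage lists, and the substring semantics for Wildcard="Enabled" are assumptions; the two certificates are constructed stand-ins for masin2 and masin3.

```python
"""Added example: evaluate an AnyConnect CertificateMatch block against candidate
certificates, including the ServerList precondition this thread arrived at."""
import xml.etree.ElementTree as ET

# Constructed, namespace-free profile. HostEntry/HostName/HostAddress element
# names are assumed; the thread only gives the ASDM editor labels for them.
PROFILE_XML = """<AnyConnectProfile><ClientInitialization><CertificateMatch>
 <KeyUsage><MatchKey>Key_Encipherment</MatchKey><MatchKey>Digital_Signature</MatchKey></KeyUsage>
 <ExtendedKeyUsage><ExtendedMatchKey>ClientAuth</ExtendedMatchKey></ExtendedKeyUsage>
 <DistinguishedName><DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
  <Name>CN</Name><Pattern>masin2</Pattern></DistinguishedNameDefinition></DistinguishedName>
</CertificateMatch></ClientInitialization>
<ServerList><HostEntry><HostName>myASAname</HostName><HostAddress>myASAname</HostAddress></HostEntry></ServerList>
</AnyConnectProfile>"""
NO_HOST_XML = PROFILE_XML.replace("<HostEntry>", "<!--").replace("</HostEntry>", "-->")

# Constructed stand-ins for the two certificates in the user's store.
CERTS = [
    {"subject": {"CN": "masin2"}, "ku": {"Key_Encipherment", "Digital_Signature"}, "eku": {"ClientAuth"}},
    {"subject": {"CN": "masin3"}, "ku": {"Digital_Signature"}, "eku": {"ClientAuth"}},
]

def dn_matches(defn, subject):
    """Apply one DistinguishedNameDefinition (Operator, Wildcard, MatchCase)."""
    value, pattern = subject.get(defn.findtext("Name"), ""), defn.findtext("Pattern", "")
    if defn.get("MatchCase", "Disabled") == "Disabled":
        value, pattern = value.lower(), pattern.lower()
    # Wildcard="Enabled" is treated as a substring match (assumed semantics).
    hit = pattern in value if defn.get("Wildcard") == "Enabled" else value == pattern
    return hit if defn.get("Operator", "Equal") == "Equal" else not hit

def cert_matches(match, cert):
    """All configured criteria must hold; KeyUsage/ExtendedKeyUsage lists are
    treated as any-of (assumed), the DN definitions as all-of."""
    ku = {k.text for k in match.findall("KeyUsage/MatchKey")}
    eku = {k.text for k in match.findall("ExtendedKeyUsage/ExtendedMatchKey")}
    if (ku and not ku & cert["ku"]) or (eku and not eku & cert["eku"]):
        return False
    defs = match.findall("DistinguishedName/DistinguishedNameDefinition")
    return all(dn_matches(d, cert["subject"]) for d in defs)

def evaluate_profile(profile_xml, certs):
    """Return (match_applied, candidate_CNs). Without a ServerList HostEntry the
    CertificateMatch block is ignored, as observed in the thread, and every
    certificate stays a candidate for automatic selection."""
    root = ET.fromstring(profile_xml)
    match = root.find("ClientInitialization/CertificateMatch")
    if root.find("ServerList/HostEntry") is None or match is None:
        return False, [c["subject"]["CN"] for c in certs]
    return True, [c["subject"]["CN"] for c in certs if cert_matches(match, c)]
```

With the HostEntry present only masin2 survives the filter; with it removed the filter is skipped and both certificates remain candidates, which is the behaviour the original poster saw.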