Hi CSC,
When configuring Certificate Matching attributes within a client profile is there a way to prefer certain criteria over another to make the choice of certificate deterministic in the event of there being multiple certs?
Currently I have the following -
AnyConnect setup is based on User Cert Auth. UPN is pulled from the cert, checked against ISE at the backend and relevant GP sent back depending on AD Group membership.
Certain scenarios occur where a user certificate is no longer valid, e.g. a laptop that has not been logged on to for a long time. If the user is in a remote location and unable to get to an office, they obviously can no longer authenticate to the VPN. I have looked at a few ways to get around this, e.g. another Tunnel Group with User/Pass auth that then goes to ISE for AUTHZ checks. I've also considered a management tunnel using a machine cert, so that our SD guys can then UNC to the device and put a temp cert on the desktop for the user. We are reluctant to add another Tunnel Group as we would then need to put out notifications to end users.
What I am wondering is this: the user cert is expired on the laptop. When they connect with AnyConnect, will the AC client even attempt to use this certificate for authentication, or would it try another cert if one is available, if it had the following?
- Key Usage: Digital_Signature
- Extended Key Usage: Client Auth
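As an added illustration (not code from the original post, and not a description of how AnyConnect itself selects certificates, which is what the question above asks), the following Go program builds a small constructed certificate store containing an expired certificate, a valid certificate that lacks the Client Auth EKU, and two valid certificates that satisfy both matching attributes named above (Key Usage: Digital Signature, Extended Key Usage: Client Auth). It then applies those two criteria plus a validity-window check and breaks any remaining tie deterministically (longest remaining lifetime, then subject CN). The certificate names, dates and the tie-break rule are all assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// ReferenceTime is the constructed "now" for the sample data, so the result
// does not depend on when the program is run.
var ReferenceTime = time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC)

// matchesCriteria checks the two attributes from the post:
// Key Usage must include Digital Signature and EKU must include Client Auth.
func matchesCriteria(c *x509.Certificate) bool {
	if c.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return false
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return true
		}
	}
	return false
}

// isValidAt reports whether the certificate's validity window contains now.
func isValidAt(c *x509.Certificate, now time.Time) bool {
	return !now.Before(c.NotBefore) && !now.After(c.NotAfter)
}

// SelectClientCert keeps only candidates that match the criteria and are
// currently valid, then orders them deterministically: latest NotAfter first,
// subject CN as the tie-break (an assumed policy, not AnyConnect's).
func SelectClientCert(cands []*x509.Certificate, now time.Time) (*x509.Certificate, error) {
	var eligible []*x509.Certificate
	for _, c := range cands {
		if matchesCriteria(c) && isValidAt(c, now) {
			eligible = append(eligible, c)
		}
	}
	if len(eligible) == 0 {
		return nil, errors.New("no eligible client certificate")
	}
	sort.SliceStable(eligible, func(i, j int) bool {
		if !eligible[i].NotAfter.Equal(eligible[j].NotAfter) {
			return eligible[i].NotAfter.After(eligible[j].NotAfter)
		}
		return eligible[i].Subject.CommonName < eligible[j].Subject.CommonName
	})
	return eligible[0], nil
}

// makeCert creates a self-signed certificate with the requested attributes.
// Constructed test data only; a real user cert would be CA-issued.
func makeCert(cn string, notBefore, notAfter time.Time, ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSampleCerts returns the constructed store: one expired cert, one valid
// cert without Client Auth, and two valid eligible certs with different expiry.
func BuildSampleCerts() ([]*x509.Certificate, error) {
	ds := x509.KeyUsageDigitalSignature
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	emailOnly := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	specs := []struct {
		cn         string
		nb, na     time.Time
		ku         x509.KeyUsage
		eku        []x509.ExtKeyUsage
	}{
		{"user-expired", ReferenceTime.AddDate(-2, 0, 0), ReferenceTime.AddDate(0, -1, 0), ds, clientAuth},
		{"user-no-clientauth", ReferenceTime.AddDate(-1, 0, 0), ReferenceTime.AddDate(1, 0, 0), ds, emailOnly},
		{"user-old", ReferenceTime.AddDate(-1, 0, 0), ReferenceTime.AddDate(0, 6, 0), ds, clientAuth},
		{"user-renewed", ReferenceTime.AddDate(0, 0, -1), ReferenceTime.AddDate(1, 0, 0), ds, clientAuth},
	}
	var out []*x509.Certificate
	for _, s := range specs {
		c, err := makeCert(s.cn, s.nb, s.na, s.ku, s.eku)
		if err != nil {
			return nil, err
		}
		out = append(out, c)
	}
	return out, nil
}

func main() {
	certs, err := BuildSampleCerts()
	if err != nil {
		panic(err)
	}
	chosen, err := SelectClientCert(certs, ReferenceTime)
	if err != nil {
		panic(err)
	}
	fmt.Println("selected:", chosen.Subject.CommonName) // user-renewed
}
```

The point of the validity check is the one raised in the question: a Key Usage / EKU match alone says nothing about whether a certificate is still within its validity period, so a selection that only applied the two attributes would still consider the expired certificate eligible. Whether the AnyConnect client applies such a filter itself is exactly what the post asks and is not established here.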