Certificate matching criteria

Hey everyone,

In the Certificate Matching criteria in AnyConnect client profiles, where you can pick parts of the Distinguished Name, are the criteria ANDed or ORed?

And for the certificate mapping to tunnel group rule ("crypto ca certificate map"), same question: are the rules ANDed or ORed?

Thanks

Ken


ivomitt
Level 1

Hi,

I had a case opened with TAC regarding the same question, and below is their answer:

Kindly note that I did a lab test to check if the matching criteria in the "Distinguished Name" are "AND" or "OR", and I confirmed that the matching criteria are "AND". Please check the results from my lab below:

- I added "ISSUER-CN" matching the issuer in my certificate, and I was able to connect successfully.

- I added an extra "ISSUER-CN" that does not match the issuer in my certificate to confirm the matching criteria, and the connection failed due to a certificate error: "Certificate Validation Failure".
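As an added example (not code from this thread or from Cisco), the following Python models the behaviour the TAC lab above reports for the AnyConnect client profile: every Distinguished Name criterion must match, so the criteria are ANDed and a single non-matching criterion is enough to reject the certificate. The rule field names ("ISSUER-CN", "SUBJECT-OU"), the operator names, the exact case-sensitive string comparison and the sample certificate DNs are all assumptions of this model, not the client profile schema or anything from the thread.

```python
"""Model of how per-certificate Distinguished Name matching criteria combine.

Added example (not Cisco code, not from the thread). It models the result
the TAC lab above reports for the AnyConnect client profile: every DN
criterion must match, i.e. the criteria are ANDed. Field names such as
"ISSUER-CN", the operator names and exact, case-sensitive string comparison
are this model's assumptions, not the client profile schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample certificate DNs for the demonstration (not real data).
SAMPLE_CERT = {
    "subject": "CN=ken.laptop,OU=Engineering,O=Example Corp,C=US",
    "issuer": "CN=Example Internal CA,O=Example Corp,C=US",
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn 'CN=a,OU=b' into {'CN': 'a', 'OU': 'b'}.

    Simplification: assumes no escaped commas and no multi-valued RDNs.
    """
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


@dataclass(frozen=True)
class DnRule:
    field: str     # "<SUBJECT|ISSUER>-<attribute>", e.g. "ISSUER-CN" (assumed naming)
    operator: str  # one of: equal, not_equal, contains, not_contains (assumed names)
    value: str


def rule_matches(rule: DnRule, cert: Dict[str, str]) -> bool:
    """Evaluate one criterion against the certificate's subject or issuer DN."""
    which, _, attr = rule.field.partition("-")
    actual = parse_dn(cert[which.lower()]).get(attr.upper(), "")
    if rule.operator == "equal":
        return actual == rule.value
    if rule.operator == "not_equal":
        return actual != rule.value
    if rule.operator == "contains":
        return rule.value in actual
    if rule.operator == "not_contains":
        return rule.value not in actual
    raise ValueError(f"unknown operator: {rule.operator}")


def evaluate_criteria(rules: List[DnRule],
                      cert: Dict[str, str]) -> Tuple[bool, List[DnRule]]:
    """AND semantics: the certificate is accepted only if every rule matches.

    Returns (accepted, failed_rules) so the offending rule can be identified
    when troubleshooting a certificate validation failure. An empty rule set
    imposes no restriction and accepts (all([]) is True) - a model assumption.
    """
    failed = [r for r in rules if not rule_matches(r, cert)]
    return (not failed, failed)


# Reproduce the two lab steps from the reply with the constructed certificate:
# one matching ISSUER-CN connects; adding a second, non-matching ISSUER-CN rejects.
MATCHING_ONLY = [DnRule("ISSUER-CN", "equal", "Example Internal CA")]
WITH_EXTRA_NON_MATCHING = MATCHING_ONLY + [DnRule("ISSUER-CN", "equal", "Some Other CA")]

if __name__ == "__main__":
    for label, rules in (("matching only", MATCHING_ONLY),
                         ("plus non-matching", WITH_EXTRA_NON_MATCHING)):
        ok, failed = evaluate_criteria(rules, SAMPLE_CERT)
        print(f"{label}: {'connect' if ok else 'reject'}; failed rules: {failed}")
```

The practical point for profile authors follows from the AND semantics: two criteria on the same attribute with different "equal" values can never both be true, so a profile that needs to accept certificates from either of two issuers cannot express that as two ISSUER-CN equality criteria in one rule set.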