is it possible to use anyconnect with two certificates for separate VPN profiles?

Mohamed Hamid
Level 1

Hi Guys

 

I am currently using anyconnect with only 1 VPN profile which is certificate based, I have this mapped on my ASA and have the following in my XML profile to tell my Mac OS X which cert to use

 

<CertificateMatch>
    <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
            <Name>ISSUER-CN</Name>
            <Pattern>NAME OF ISSUER</Pattern>
        </DistinguishedNameDefinition>
    </DistinguishedName>
</CertificateMatch>

 

I now have a need to use another VPN profile on the same machine. Is it possible to use my XML profile to distinguish a certificate for each VPN profile connection?

 

Kind Regards

 

 

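An added example, not code from the original post or from Cisco: a small Python model of how the <CertificateMatch> rules in an AnyConnect XML profile narrow a keychain down to one certificate. The matching semantics (Operator Equal/NotEqual, Wildcard treated as a '*' glob, MatchCase) are this example's reading of the profile attributes, the CA names, host names and keychain entries are constructed, and the real client may behave differently. The point it shows is that a rule on ISSUER-CN picks one of several client certificates, and that a profile with no CertificateMatch leaves every certificate as a candidate, which is the ambiguity this thread runs into.

```python
"""Model of AnyConnect <CertificateMatch> / <DistinguishedName> selection.

Added example, not Cisco code. Semantics are an assumption:
  Operator  : "Equal" keeps matching certs, "NotEqual" keeps non-matching ones
  Wildcard  : "Enabled" treats Pattern as a '*' / '?' glob
  MatchCase : "Disabled" compares case-insensitively
A certificate is modelled as a dict of DN attribute names to values.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed profiles in the shape of the question's fragment. CA names,
# host names and the xmlns are illustrative only.
PROFILE_CORP = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Corp Issuing CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList><HostEntry><HostName>vpn-corp.example</HostName></HostEntry></ServerList>
</AnyConnectProfile>"""

# Second profile: case-insensitive glob on the issuer, for the other connection.
PROFILE_PARTNER = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern>PARTNER*</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList><HostEntry><HostName>vpn-partner.example</HostName></HostEntry></ServerList>
</AnyConnectProfile>"""

# Profile with no CertificateMatch at all.
PROFILE_NO_MATCH = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization/>
</AnyConnectProfile>"""

# Constructed keychain: three client certs for the same user from different CAs.
KEYCHAIN = [
    {"label": "corp-user", "CN": "mhamid", "ISSUER-CN": "Corp Issuing CA"},
    {"label": "partner-user", "CN": "mhamid", "ISSUER-CN": "Partner VPN CA"},
    {"label": "lab-user", "CN": "mhamid", "ISSUER-CN": "Lab Test CA"},
]


def _local(tag):
    """Strip the XML namespace so lookups work with or without the xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_dn_rules(profile_xml):
    """Return every DistinguishedNameDefinition in the profile as a rule dict."""
    rules = []
    for el in ET.fromstring(profile_xml).iter():
        if _local(el.tag) != "DistinguishedNameDefinition":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        rules.append({
            "name": fields.get("Name", ""),
            "pattern": fields.get("Pattern", ""),
            "operator": el.get("Operator", "Equal"),
            "wildcard": el.get("Wildcard", "Disabled") == "Enabled",
            "match_case": el.get("MatchCase", "Enabled") == "Enabled",
        })
    return rules


def rule_matches(rule, cert):
    """Evaluate one rule against one certificate's DN attributes."""
    value, pattern = cert.get(rule["name"], ""), rule["pattern"]
    if not rule["match_case"]:
        value, pattern = value.lower(), pattern.lower()
    hit = fnmatch.fnmatchcase(value, pattern) if rule["wildcard"] else value == pattern
    return hit if rule["operator"] == "Equal" else not hit


def select_certificates(profile_xml, keychain):
    """Labels of certs that satisfy every rule; all certs if there are no rules."""
    rules = parse_dn_rules(profile_xml)
    return [c["label"] for c in keychain if all(rule_matches(r, c) for r in rules)]


if __name__ == "__main__":
    for name, profile in [("corp", PROFILE_CORP), ("partner", PROFILE_PARTNER),
                          ("no-match", PROFILE_NO_MATCH)]:
        print(f"{name:9s} -> {select_certificates(profile, KEYCHAIN)}")
```

Each profile's rule set yields exactly one candidate, while the profile without CertificateMatch yields all three, leaving the client to pick one on its own; a second candidate with the same issuer would surface the same ambiguity and calls for an extra rule (for example on CN or KeyUsage) rather than relying on keychain order.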
6 Replies

Marvin Rhoads
Hall of Fame

Do you want to use a separate certificate for the same ASA or for a different ASA altogether?

In the former case I believe you'd have to disable the default automatic certificate selection and have the user choose from among the available certificates at the time of connection.

In the latter case, each connection uses a separate XML profile so it should be possible to have each profile's certificate match section specify the desired certificate while continuing to use the default "automatic certificate selection".

Hi Marvin

Many thanks for your excellent reply.

I am using Mac OS X and unfortunately I do not see the option to disable 'automatic certificate selection' in my preferences. This may be a Windows feature only?

This is for the same ASA and therefore, as you mentioned, the same XML profile. I did try to use a different XML profile, but as you said that scenario is only for a different ASA.

Is there a different way in Mac OS X to disable auto cert selection?

 

Kind Regards

 

Mohamed 

Mohamed,

Ah sorry - it is noted in the documentation that "This configuration is available only for Windows 7, XP, and Vista."

How does OSX behave if you don't have the CertificateMatch section in your xml profile while having multiple certificates in your local store?

Hi Marvin

Not a problem

If I have multiple certs in my keychain it will pick the first one installed I believe.

I have had a scenario where I could not VPN into a different connection (separate ASA, not cert based) until I removed my certificate for my original VPN profile. So it looks like it has 'automatic certificate selection' enabled by default

Hmm, looks like a feature request for Mac OS X...

Yes, it looks like it.

I'm not a Mac user but the other solutions that come to mind would be based on using OS X features alone. For example, removing and replacing the certificate in your keychain to match the desired connection. You could also set up a separate user with their own keychain or other such workarounds.

Hi Marvin

Yeah that looks like the most straight forward approach to this, many thanks for your time :)

Mohamed