05-14-2014 04:28 AM - edited 02-21-2020 07:38 PM
Hi Guys
I am currently using AnyConnect with only one VPN profile, which is certificate based. I have this mapped on my ASA and have the following in my XML profile to tell my Mac OS X which cert to use:
    <CertificateMatch>
        <DistinguishedName>
            <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
                <Name>ISSUER-CN</Name>
                <Pattern>NAME OF ISSUER</Pattern>
            </DistinguishedNameDefinition>
        </DistinguishedName>
    </CertificateMatch>
I now have a need to use another VPN profile on the same machine. Is it possible to use my XML profile to distinguish a certificate for each VPN profile connection?
Kind Regards
05-14-2014 04:44 AM
Do you want to use a separate certificate for the same ASA or for a different ASA altogether?
In the former case I believe you'd have to disable the default automatic certificate selection and have the user choose from among the available certificates at the time of connection.
In the latter case, each connection uses a separate XML profile so it should be possible to have each profile's certificate match section specify the desired certificate while continuing to use the default "automatic certificate selection".
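To make the second case concrete, here is an added example (not from the original thread or from Cisco) of two AnyConnect XML profiles, one per ASA, each carrying its own CertificateMatch so that automatic certificate selection picks a different client certificate for each connection. The hostnames, issuer CNs and the profile file names are constructed placeholders; the schema namespace, ClientInitialization and ServerList elements are the standard AnyConnect profile structure, and the AutomaticCertSelection element is included from memory of the profile schema (treat it as an assumption and confirm it in the profile editor for your version).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Profile 1 (e.g. vpn-a.xml): connection to the first ASA.
     Only certificates issued by "Corp-Issuing-CA-A" are eligible. -->
<AnyConnectProfile xmlns="http://schemas.xml.cisco.com/2006/vpn/profile">
  <ClientInitialization>
    <!-- Leave automatic selection on; the CertificateMatch below narrows the
         candidate set. Per the Cisco documentation quoted later in this thread,
         turning it off ("false") is only honoured on Windows clients. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Corp-Issuing-CA-A</Pattern>   <!-- constructed issuer CN -->
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>VPN A (cert from CA-A)</HostName>
      <HostAddress>vpn-a.example.com</HostAddress>   <!-- constructed hostname -->
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

<?xml version="1.0" encoding="UTF-8"?>
<!-- Profile 2 (e.g. vpn-b.xml): connection to the second ASA.
     Only certificates issued by "Partner-Issuing-CA-B" are eligible. -->
<AnyConnectProfile xmlns="http://schemas.xml.cisco.com/2006/vpn/profile">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Partner-Issuing-CA-B</Pattern>   <!-- constructed issuer CN -->
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>VPN B (cert from CA-B)</HostName>
      <HostAddress>vpn-b.example.com</HostAddress>   <!-- constructed hostname -->
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Each ASA pushes its own profile to the client on connect, so the two files live side by side in the client's profile directory (on macOS this is normally /opt/cisco/anyconnect/profile/) and the user sees one connection entry per HostEntry. The match is keyed on the issuer CN here because the two certificates in the keychain come from different CAs; if both were issued by the same CA, a different DistinguishedName field (for example the subject CN) or a KeyUsage match would be needed to tell them apart. This does not help for two connections to the same ASA, which is the first case above: there is only one profile, so one CertificateMatch.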
05-14-2014 04:56 AM
Hi Marvin
Many thanks for your excellent reply.
I am using Mac OS X and unfortunately I do not see the option to disable 'automatic certificate selection' in my preferences. This may be a Windows feature only?
This is for the same ASA and therefore, as you mentioned, the same XML profile. I did try and use a different XML profile, but as you said that scenario is only for a different ASA.
Is there a different way in Mac OS X to disable auto cert selection?
Kind Regards
Mohamed
05-14-2014 05:01 AM
Mohamed,
Ah sorry - it is noted in the documentation that "This configuration is available only for Windows 7, XP, and Vista."
How does OS X behave if you don't have the CertificateMatch section in your XML profile while having multiple certificates in your local store?
05-14-2014 05:16 AM
Hi Marvin
Not a problem
If I have multiple certs in my keychain it will pick the first one installed I believe.
I have had a scenario where I could not VPN into a different connection (separate ASA, not cert based) until I removed my certificate for my original VPN profile. So it looks like it has 'automatic certificate selection' enabled by default.
Hmm, looks like a feature request for Mac OS X...
05-14-2014 05:30 AM
Yes, it looks like it.
I'm not a Mac user, but the other solutions that come to mind would be based on using OS X features alone. For example, removing and replacing the certificate in your keychain to match the desired connection. You could also set up a separate user with their own keychain, or other such workarounds.
05-14-2014 07:40 AM
Hi Marvin
Yeah, that looks like the most straightforward approach to this. Many thanks for your time :)
Mohamed