Limit AnyConnect certificate selection list to single option (CAC PIV)

Can anyone direct me to the details about how to limit the certificates that show up when using AnyConnect VPN client to start a connection? I have about 4 certificates that pop up each time, 3 of which are system certs for things like Intune or O365. The only valid cert is our DoD CAC PIV certificate, so I would like to adjust the profile if possible to either list ONLY that cert or automatically select that cert. I would think the CAC PIV is the only cert on the list with "Smart Card Logon (1.3.6.1.4.1.311.20.2.2)" enabled.

Accepted Solution

@kenneth.kirchner you can use the AnyConnect Profile Editor to match on specific certificate attributes, thus automatically selecting the required certificate (ignoring the other 3 certificates).

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-00000161


Thank you! That looks to be exactly it.

Also, I have this bit of config to help anyone else who's supporting CAC:

<CertificateMatch>
  <KeyUsage>
    <!-- <MatchKey>Non_Repudiation</MatchKey>  removed: the PIV auth cert should not be required to carry it -->
    <MatchKey>Digital_Signature</MatchKey>
  </KeyUsage>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
      <Name>ISSUER-CN</Name>
      <!-- pattern was "DOD EMAIL"; the EMAIL text is removed, leaving just DOD -->
      <Pattern>DOD</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>
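As an added illustration (not AnyConnect code or anything posted in this thread), the Python below models the selection rules from the fragment above and runs them over constructed stand-ins for the four certificates described in the question, so you can see which rule set leaves exactly one certificate. Assumptions: every listed KeyUsage/EKU must be present on the certificate, Wildcard="Enabled" behaves as a substring match and MatchCase="Enabled" as case-sensitive; all subject and issuer names are constructed sample values.

```python
from dataclasses import dataclass, field

SMART_CARD_LOGON_OID = "1.3.6.1.4.1.311.20.2.2"  # the EKU cited in the question

@dataclass(frozen=True)
class Cert:  # only the fields the matching rules inspect
    subject_cn: str
    issuer_cn: str
    key_usage: frozenset
    eku: frozenset = frozenset()

@dataclass
class CertificateMatch:  # simplified model of a profile <CertificateMatch>
    key_usage: set = field(default_factory=set)           # <KeyUsage>
    extended_key_usage: set = field(default_factory=set)  # <ExtendedKeyUsage>
    issuer_cn_pattern: str = ""  # ISSUER-CN <Pattern>; "" = no issuer rule
    wildcard: bool = True        # Wildcard="Enabled" -> substring match (assumed)
    match_case: bool = True      # MatchCase="Enabled" -> case-sensitive (assumed)

    def _issuer_ok(self, issuer_cn: str) -> bool:
        name, pat = issuer_cn, self.issuer_cn_pattern
        if not self.match_case:
            name, pat = name.lower(), pat.lower()
        return not pat or (pat in name if self.wildcard else name == pat)

    def select(self, certs: list) -> list:
        """Subject CNs of the certificates that satisfy every listed rule."""
        return [c.subject_cn for c in certs
                if self.key_usage <= c.key_usage
                and self.extended_key_usage <= c.eku
                and self._issuer_ok(c.issuer_cn)]

# Constructed stand-ins for the four certificates the question describes:
# three system/device certs plus the CAC PIV authentication cert.
KU_DEVICE = frozenset({"Digital_Signature", "Key_Encipherment"})
CERT_STORE = [
    Cert("Intune MDM device", "Microsoft Intune MDM Device CA", KU_DEVICE),
    Cert("Azure AD device", "MS-Organization-Access", KU_DEVICE),
    Cert("Corporate machine", "Contoso Issuing CA 01", KU_DEVICE),
    Cert("CAC PIV Authentication", "DOD ID CA-59", frozenset({"Digital_Signature"}),
         frozenset({"1.3.6.1.5.5.7.3.2", SMART_CARD_LOGON_OID})),  # clientAuth + smart card logon
]

# The posted fragment before its corrections: the PIV auth cert has neither
# Non_Repudiation nor an issuer containing "DOD EMAIL", so nothing is selected.
ORIGINAL = CertificateMatch({"Non_Repudiation", "Digital_Signature"}, issuer_cn_pattern="DOD EMAIL")
# With the corrections applied: Digital_Signature and an issuer containing "DOD".
CORRECTED = CertificateMatch({"Digital_Signature"}, issuer_cn_pattern="DOD")
# The criterion the question proposed: the Smart Card Logon EKU alone.
BY_EKU = CertificateMatch(extended_key_usage={SMART_CARD_LOGON_OID})
```

`CORRECTED.select(CERT_STORE)` and `BY_EKU.select(CERT_STORE)` each return only the PIV certificate, while `ORIGINAL.select(CERT_STORE)` returns nothing, which is why the two annotated lines in the fragment had to change.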