I've completed the configuration of an ASA5500 to support certificate authentication of DoD CACs and have everything working properly, though I have an annoyance that I would like to fix:
When a client attempts to establish an SSL VPN Session using their CAC (smartcard), they are prompted twice to select a certificate if they have the SSL client installed; if they don't, they get prompted THREE times to select a certificate.
All this seems rather inane and from a user perspective annoying. So my questions are:
1. Can the ASA be configured to use their first selected certificate from there on?
2. Can the SSL VPN Client be configured to select the appropriate certificate automatically?
3. If 1 and 2 are no, then how can I eliminate the excessive certificate prompts?
I would very much like to move away from bandwidth-heavy IPSEC connections and be able to utilize the SSL VPN solution, though this simply isn't simple enough for my clients.