VPN Concentrator/ASA question

Unanswered Question
Jul 13th, 2009

I have been trying to find a solution to the following scenario for some time but with no luck.

Is there a way I can restrict the Cisco ASA or Concentrator to only accept client connections where the used certificate key usage is Non-Repudiation (or any other key usage) only?

I realize that this can be done on the client side using the CertmatchKU setting in the vpnclient.ini file, but that does not meet my needs of enforcing this on the server side, giving the client no control over this. The client can simply change the ini file or can install the Cisco VPN client on a different workstation and will be able to authenticate using any other certificate type where the key usage is other than Non-Repudiation. Our Security Policy requires that this certificate type be enforced for VPN connections.

Any ideas or leads will be greatly appreciated.

lh_onetwo Tue, 07/21/2009 - 04:32


I have exactly the same problem: I'd like to restrict client authentications to certificates having their extended key usage set to non-repudiation.

Do you have any idea how to do this?

Thanks for your help,
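
As an added example, not part of either post and not ASA or Concentrator configuration: a generic sketch of the server-side check the thread asks for, where the verifier itself decodes the certificate's keyUsage extension and decides, so nothing in vpnclient.ini can change the outcome. The function names are hypothetical and the sample extension bytes are constructed.

```python
# Added illustration: names are hypothetical, sample bytes are constructed.
# RFC 5280 KeyUsage flags in bit order (bit 0 is the most significant bit).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)


def decode_key_usage(der: bytes) -> frozenset:
    """Decode the DER BIT STRING that a keyUsage extension carries."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bits count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte < len(payload) and payload[byte] & (0x80 >> bit):
            names.add(name)
    return frozenset(names)


def gateway_accepts(der, required=frozenset({"nonRepudiation"}), exact=True):
    """Server-side decision; a missing or malformed extension is rejected."""
    if der is None:
        return False
    try:
        usage = decode_key_usage(der)
    except ValueError:
        return False
    return usage == required if exact else required <= usage


# Constructed keyUsage extension values (DER bytes of the BIT STRING).
SAMPLES = {
    "nonRepudiation only": bytes.fromhex("03020640"),
    "digitalSignature+keyEncipherment": bytes.fromhex("030205a0"),
    "digitalSignature+nonRepudiation": bytes.fromhex("030206c0"),
    "extension absent": None,
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        print(f"{label:35} accept={gateway_accepts(der)}")
```

With `exact=True` the check mirrors the "Non-Repudiation only" requirement in the question; `exact=False` accepts any certificate that has the bit set alongside others.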


