I have been trying to find a solution to the following scenario for some time but with no luck.
Is there a way I can restrict the Cisco ASA or Concentrator to only accept client connections where the used certificate key usage is Non-Repudiation (or any other keyusage)only!
I realize that this can be done on the client side using the CertmatchKU setting in the vpnclient.ini file but that does not meet my needs of enforcing this on the server side, giving the client no control over this. The client can simply change the ini file or can install the Cisco VPN client on a different workstation and will be able to authenticate using any other certificate type where the keyusage is other than Non-Repudiation. Our Security Policy requires that this certificate type be enforced for VPN connections.
Any ideas or leads will be greatly appreciated.