Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
0
Helpful
1
Replies

VPN Concentrator/ASA question

vpnrunner
Level 1
Level 1

‎07-13-2009 12:09 PM - edited ‎02-21-2020 03:34 AM

I have been trying to find a solution to the following scenario for some time but with no luck.

Is there a way I can restrict the Cisco ASA or Concentrator to only accept client connections where the used certificate key usage is Non-Repudiation (or any other keyusage)only!

I realize that this can be done on the client side using the CertmatchKU setting in the vpnclient.ini file but that does not meet my needs of enforcing this on the server side, giving the client no control over this. The client can simply change the ini file or can install the Cisco VPN client on a different workstation and will be able to authenticate using any other certificate type where the keyusage is other than Non-Repudiation. Our Security Policy requires that this certificate type be enforced for VPN connections.

Any ideas or leads will be greatly appreciated.

0 Helpful
1 Reply 1

lh_onetwo
Level 1
Level 1

‎07-21-2009 04:32 AM

Hello,

I have exactly the same problem, I'd like to restrict client authentications to certificates having their extended key usage set to non-repudiation.

Do you have any idea how to do this ?

Thanks for your help,

Valery.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card