Certificate Matching for machine authentication using the AnyConnect client

Aug 19th, 2009

I am attempting to perform AAA and certificate authentication for a specific profile for AnyConnect clients hitting my ASA5550. I am running 8.2 and have everything working except when I turn on the certificate matching. I am wondering if certificate matching is restricted to certs in the "personal" store on Windows machines or if it can be against a Domain cert in the Trusted Root store.

Also, what debugging can I do to see what exactly is failing when I attempt this configuration?

I have set the match criteria via the XML group policy which is attached (detail removed).

smalkeric Tue, 08/25/2009 - 07:56

The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matching is a set of global criteria that can be set in an AnyConnect profile. The criteria are:

• Key Usage
• Extended Key Usage
• Distinguished Name

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin7.html#wp1000158
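The three match types listed above, shown together in an AnyConnect client profile fragment. This is an added illustration, not the poster's attachment or Cisco's documentation: the element names follow the AnyConnect 2.x profile schema as I recall it, the store-selection elements (CertificateStore, CertificateStoreOverride) are included on the assumption that they are what controls whether the machine store is searched, and the host name and organisation value are constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed AnyConnect client profile fragment; element names assumed
     from the AnyConnect 2.x profile schema, values are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Assumed: search both the user (personal) and machine stores,
         and let this profile override the client's default store setting. -->
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>

    <!-- Global match criteria: a candidate certificate must satisfy
         every block that is present. -->
    <CertificateMatch>
      <!-- Key Usage: the certificate must carry the Digital Signature bit. -->
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>

      <!-- Extended Key Usage: only certificates issued for TLS client
           authentication are eligible; server or CA certs are skipped. -->
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>

      <!-- Distinguished Name: restrict to certs whose subject O attribute
           equals the constructed value below (no wildcard matching). -->
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>O</Name>
          <Pattern>Example Corp</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <!-- Constructed placeholder head-end name. -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

When troubleshooting a match failure, relax the criteria one block at a time (for example remove the DistinguishedName block first) to find which criterion is excluding the intended certificate.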

achraf.harkati@... Tue, 09/29/2009 - 11:03

What AnyConnect version are you using?

Have you tried version 2.4 (beta)?

The only AnyConnect client working as expected when it comes to certificate match is this beta version. Trying all the other official releases is a waste of time; all those official releases are full of bugs when it comes to certificate match.
