Cisco Support Community

Certificate Matching for machine authentication using the AnyConnect client

I am attempting to perform AAA and certificate authentication for a specific profile for AnyConnect clients hitting my ASA5550. I am running 8.2 and have everything working except when I turn on the certificate matching. I am wondering if certificate matching is restricted to certs in the "personal" store on Windows machines or if it can be against a Domain cert in the Trusted Root store.

Also, what debugging can I do to see what exactly is failing when I attempt this configuration?

I have set the match criteria via the XML group policy which is attached (detail removed).


Re: Certificate Matching for machine authentication using the An

The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matches are global criteria that can be set in an AnyConnect profile. The criteria are:

• Key Usage
• Extended Key Usage
• Distinguished Name
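As an added example (not taken from this thread or from the attached profile), this is how the three criteria listed above are expressed in the `CertificateMatch` section of an AnyConnect client profile. The pattern `example-machine` and the particular keys chosen are constructed placeholders; the element names follow Cisco's documented profile schema.

```xml
<!-- Added example: fragment of an AnyConnect client profile.
     All values are constructed placeholders, not the poster's settings. -->
<CertificateMatch>
  <!-- Key Usage: bits the client certificate must carry -->
  <KeyUsage>
    <MatchKey>Digital_Signature</MatchKey>
  </KeyUsage>

  <!-- Extended Key Usage: restrict selection to client-auth certificates -->
  <ExtendedKeyUsage>
    <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
  </ExtendedKeyUsage>

  <!-- Distinguished Name: match on a field of the certificate's DN.
       Wildcard="Enabled" lets the pattern match anywhere in the value. -->
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled">
      <Name>CN</Name>
      <Pattern>example-machine</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>
```

When matching fails, removing criteria one group at a time from a test profile narrows down which of the three the certificate does not satisfy.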


Re: Certificate Matching for machine authentication using the An

What AnyConnect version are you using?

Have you tried version 2.4 (beta)?

The only AnyConnect client working as expected when it comes to certificate match is this beta version. Trying all the other official releases is a waste of time; all those official releases are full of bugs when it comes to certificate match.