Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Concentrator/ASA question

I have been trying to find a solution to the following scenario for some time but with no luck.

Is there a way I can restrict the Cisco ASA or Concentrator to only accept client connections where the used certificate key usage is Non-Repudiation (or any other keyusage)only!

I realize that this can be done on the client side using the CertmatchKU setting in the vpnclient.ini file but that does not meet my needs of enforcing this on the server side, giving the client no control over this. The client can simply change the ini file or can install the Cisco VPN client on a different workstation and will be able to authenticate using any other certificate type where the keyusage is other than Non-Repudiation. Our Security Policy requires that this certificate type be enforced for VPN connections.

Any ideas or leads will be greatly appreciated.

  • Security Management
New Member

Re: VPN Concentrator/ASA question


I have exactly the same problem, I'd like to restrict client authentications to certificates having their extended key usage set to non-repudiation.

Do you have any idea how to do this ?

Thanks for your help,