Anyconnect Network Access Manager picks wrong certificate

NEWBAY_IT
Level 1

Hello,

On our premises we use wireless with certificate authentication. The problem is that "AnyConnect Network Access Manager" picks up the wrong user certificate for authentication. This is because in the Windows "Personal" certificate store employees have two certs:

1. <username> (for example "ivan")

2. <username>@companyname.com (for example "ivan@companyname.com")

Wireless should use the <username> (no domain) certificate. There is a tool called AnyConnect Profile Editor which we used to create the wireless profile; one of the fields which has to be filled is the certificate identity pattern. From the "Network Access Manager Admin guide":

---------------------------------------

You must identify a User Identity. The Network Access Manager supports these identity placeholder patterns when you specify user identities:

[username]—Specifies the username.

[domain]—Specifies the domain of the user's PC.

If a client certificate is used for authentication, the placeholder values for [username] and [password] are obtained from various X509 certificate properties. The properties are analyzed in the order described below, according to the first match. For example, if the identity is userA@cisco.com (where username=userA and domain=cisco.com) for user authentication and hostA.cisco.com (where username=hostA and domain=cisco.com) for machine authentication, the following properties are analyzed:

*SubjectAlternativeName: UPN = userA@companyname.com

*Subject = .../CN=userA@companyname.com/...

*Subject = userA@companyname.com

*Subject = .../CN=userA/DC=companyname.com/...

*Subject = userA (no domain)

---------------------------------------

As per the above, the problem is that the certificate without a domain would be picked up last even if we use an identity pattern without the domain:

Identity pattern: [username] (without @[domain] at the end)

Or there should be a way to edit the pattern so that it skips the [domain] field while looking for certs, or to modify the order of the certificate lookups.

Any help would be really appreciated.

Thanks!

Ivan
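The guide excerpt above lists the certificate properties NAM inspects, in order, to derive [username] and [domain]. The script below is an added illustration, not Cisco code and not taken from the post: it models those five rules as written, ranks each certificate by the first rule it satisfies, and picks the lowest rank, which is how this thread reads the guide (the earlier rule wins). The two certificates are constructed stand-ins for the entries Ivan describes in the Personal store; the Cert class, extract_identity and select_cert are names chosen here for the example. Machine certificates (hostA.cisco.com style) are not modelled.

```python
"""
Model of the certificate-property lookup order quoted from the Network
Access Manager admin guide. Added illustration only: NAM's real parser is
not involved, and the certificates below are constructed, not real.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    label: str                         # friendly name, for the reader only
    subject: List[Tuple[str, str]]     # ordered RDNs, e.g. [("CN", "ivan")]
    san_upn: Optional[str] = None      # SubjectAlternativeName UPN, if present


def _values(cert: Cert, attr: str) -> List[str]:
    """All values of one attribute type (CN, DC, ...) in the subject."""
    return [v for k, v in cert.subject if k.upper() == attr]


def extract_identity(cert: Cert):
    """Apply the five guide rules in order and return (rule, username, domain)
    for the first one that fits, or None. The rule number is the position in
    the guide's list, so a lower number means the property is checked earlier."""
    cns = _values(cert, "CN")
    dcs = _values(cert, "DC")
    # 1. SubjectAlternativeName: UPN = user@domain
    if cert.san_upn and "@" in cert.san_upn:
        user, domain = cert.san_upn.split("@", 1)
        return (1, user, domain)
    # 2. Subject = .../CN=user@domain/...  (the CN sits among other RDNs)
    # 3. Subject = user@domain             (the CN is the whole subject)
    for cn in cns:
        if "@" in cn:
            user, domain = cn.split("@", 1)
            return (2 if len(cert.subject) > 1 else 3, user, domain)
    # 4. Subject = .../CN=user/DC=part/DC=part/...  (domain rebuilt from DCs)
    if cns and dcs:
        return (4, cns[0], ".".join(dcs))
    # 5. Subject = user (no domain)
    if cns:
        return (5, cns[0], None)
    return None


def select_cert(certs: List[Cert]) -> Optional[Cert]:
    """Rank candidates by the rule that matched them and return the winner.
    This is the thread's reading of the guide: an earlier rule beats a later one,
    so a domain-qualified certificate outranks a plain CN=user one."""
    ranked = [(extract_identity(c), c) for c in certs]
    ranked = [(r, c) for r, c in ranked if r is not None]
    ranked.sort(key=lambda rc: rc[0][0])
    return ranked[0][1] if ranked else None


# Constructed stand-ins for the two certificates described in the post.
PERSONAL_STORE = [
    Cert("no-domain user cert", [("CN", "ivan"), ("OU", "Staff"), ("O", "Company")]),
    Cert("domain-qualified user cert", [("CN", "ivan@companyname.com")]),
]

if __name__ == "__main__":
    for c in PERSONAL_STORE:
        print(f"{c.label}: rule/username/domain = {extract_identity(c)}")
    print("selected:", select_cert(PERSONAL_STORE).label)
```

Run as-is, the plain CN=ivan certificate only satisfies rule 5 while CN=ivan@companyname.com satisfies rule 3, so the domain-qualified certificate is selected regardless of whether the identity pattern contains @[domain]. That is the ordering problem the post describes; the model changes nothing about how NAM actually resolves the pattern.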

2 Replies

aheck
Level 1

I am running into the same issue since our Microsoft Lync 2010 rollout.  Lync installs a certificate that matches NAM's algorithm at a higher priority than the trusted certificates we have been using for authentication.

The Lync certificates are in the form: subject=CN=user@domain.com

The correct certificates are in the form: subject=.../CN=user/...

Any other NAM users with certificates also rolling out Lync out there?

Thanks!
Alex

Hi There,

Like Ivan & Alex, we are experiencing a similar issue: AnyConnect NAM selecting the wrong certificate.

We have all laptops issued with a "Machine Certificate" from a Microsoft CA which we want to authenticate with.

However, NAM is selecting a "User Certificate" that was installed by Microsoft Lync 2010.

Is there any way for us to configure NAM to use the "Machine Certificate" even when a "User Certificate" is present?

Thanks

Jim.
