Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Anyconnect Network Access Manager picks wrong certificate

Hello,

In you premises we use wireless with certificates authentication. Problem is "Anyconnect Network Access Manager" picks up wrong user certificates for authentication. Its because in the windows certificates "Personal" store employees have two certs:

1. <username> (for example "ivan")

2. <username>@companyname.com (for example "ivan@companyname.com")

Wireless should use <username> (no domain) certificate. There is a tool called Anyconnect Profile Editor which we used to create Wireless profile, one of the fields which has to be filled is certificates identity patter. From the "Network Access Manager Admin guide":

---------------------------------------

You must identify a User Identity. The Network Access Manager supports these identity placeholder patterns when you specify user identities:

[username]—Specifies the username.

[domain]—Specifies the domain of the user's PC.

If a client certificate is used for authentication, the placeholder values for [username] and [password] are obtained from various X509 certificate properties. The properties are analyzed in the order described below, according to the first match. For example, if the identity is userA@cisco.com (where username=userA and domain=cisco.com) for user authentication and hostA.cisco.com (where username=hostA and domain=cisco.com) for machine authentication, the following properties are analyzed:

*SubjectAlternativeName: UPN = userA@companyname.com

*Subject = .../CN=userA@companyname.com/...

*Subject = userA@companyname.com

*Subject = .../CN=userA/DC=companyname.com/...

*Subject = userA (no domain)

---------------------------------------

As per above problem exists that certificate without domain would be picked up last even if we use Identity pattern without domain:

Identity pattern: [username] (without @[domain] at the end)

Or there should be a way to edit pattern that it would avoid [domain] field while looking for certs or modify order of certificate look ups.

Any help would be really appreciated.

Thanks!

Ivan

2 REPLIES
New Member

Anyconnect Network Access Manager picks wrong certificate

I am running into the same issue since our Microsoft Lync 2010 rollout.  Lync installs a certificate that matches NAM's algorithm at a higher priority than the trusted certificates we have been using for authentication.

The Lync certificates are in the form: subject=CN=user@domain.com

The correct certificates are in the form: subject=.../CN=user/...

Any other NAM users with certificates also rolling out Lync out there?

Thanks!
Alex

New Member

Anyconnect Network Access Manager picks wrong certificate

Hi There,

Like Ivan & Alex we are experiencing a similar issue - AnyConnect NAM selecting wrong certificate.

We have all laptops issued with a "Machine Certifcate" from Microsoft CA which we want to Authenticate with.

However NAM is selecting a "User Certificate" that was installed by Microsoft LYNC 2010.

Is there any way for us to configure NAM to use "Machine Certificate" even when a "User Ceritifcate" is present.

Thanks

Jim.

973
Views
0
Helpful
2
Replies
CreatePlease to create content