Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg
Hello, I am trying to implement Certificate Matching for certain client profiles. However 'certificate matching' does not seem to work- another certificate is always selected instead for Anyconnect SSL VPN authentication.
For example the client has two client-certificates installed: masin2 and masin3. I have configured the client-profile certificate-matching to use masin2 for authentication, but Anyconnect still chooses masin3 instead.
enabling wildcard did not help. also tried disabling/enabling automatic certificate selection- no luck.
I have also tried with and without different keyusage and extendedkeyusage- no difference.
The Client Profile is correctly updated on the client PC every time a change in made, but it seems like Anyconnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: certificatestore, retainvpnonlogoff, usestartbeforelogon and so on).
I even upgraded Anyconnect to the latest version 3.1.05160 and still- anyconnect completely ignores certificatematch configuration in client-profile.
Im using SSL VPN and as far as i know, the client-side certificate matching happens locally on the client PC not on ASA. I need the client-PC to choose one of many certificates from the "current user" certificate store.
You must include the ASA in the VPN profile’s server list in order for the client GUI to display all user controllable settings on the first connection. If you do not add the ASA address or FQDN as a host entry in the profile, then filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but you do not add the ASA as a host entry in that profile, the certificate match is ignored.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...