Cisco Support Community
Community Member

Anyconnect VPN Certificate-matching not working

Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg


Hello, I am trying to implement Certificate Matching for certain client profiles. However, 'certificate matching' does not seem to work; another certificate is always selected instead for AnyConnect SSL VPN authentication.

For example the client has two client-certificates installed: masin2 and masin3. I have configured the client-profile certificate-matching to use masin2 for authentication, but Anyconnect still chooses masin3 instead.

The client-profile looks like this:

<CertificateMatch>
    <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
    </KeyUsage>
    <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
    </ExtendedKeyUsage>
    <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
            <Name>CN</Name>
            <Pattern>masin2</Pattern>
        </DistinguishedNameDefinition>
    </DistinguishedName>
</CertificateMatch>


Any suggestions/ideas? Thanks for any input,

heiki.

Accepted Solution
Community Member

Issue was solved. I had to include the ASA name/IP entry in the Client-Profile's serverlist.

For example:

Host Display Name (required): myASAname
FQDN or IP address: myASAname

With that configured the certificate matching works as needed.
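The pitfall in this thread is easy to reintroduce when profiles are edited by hand: a CertificateMatch block that looks correct but is silently ignored because the ASA is missing from the ServerList. The following is an added example (not code from the thread or from Cisco) that parses a profile, flags exactly that misconfiguration, and shows which installed certificate the DistinguishedName rule would select. The sample profile is constructed from the CertificateMatch block in the question plus the server-list entry from the accepted solution; the AnyConnectProfile root and the HostName/HostAddress element names are assumed from the profile schema, and the Operator/Wildcard/MatchCase semantics are an assumed interpretation of those attribute names, not something stated in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile, not the thread author's actual file: it reproduces the
# CertificateMatch block from the question and adds the ServerList entry from the
# accepted solution. The AnyConnectProfile root and the HostName/HostAddress element
# names are assumed from the AnyConnect profile schema, not taken from this thread.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>All</CertificateStore>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
          <Name>CN</Name>
          <Pattern>masin2</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>myASAname</HostName>
      <HostAddress>myASAname</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# The same profile with the ServerList removed: the misconfiguration the thread describes.
PROFILE_WITHOUT_SERVERLIST = (SAMPLE_PROFILE[:SAMPLE_PROFILE.index("  <ServerList>")]
                              + "</AnyConnectProfile>\n")


def _local(tag):
    """Strip the namespace prefix so elements can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def server_list_hosts(profile_xml):
    """FQDN/IP values declared as host entries in the profile's ServerList."""
    root = ET.fromstring(profile_xml)
    return {_child_text(h, "HostAddress") for h in _find_all(root, "HostEntry")}


def lint_certificate_match(profile_xml, asa_address):
    """Findings for a profile that will be pushed to clients connecting to asa_address.
    The main check mirrors the caveat in the accepted solution: CertificateMatch is
    ignored unless the ASA is a host entry in the ServerList."""
    root = ET.fromstring(profile_xml)
    findings = []
    if not _find_all(root, "CertificateMatch"):
        return findings
    if asa_address not in server_list_hosts(profile_xml):
        findings.append(f"CertificateMatch present but '{asa_address}' is not in the "
                        "ServerList; the match rules will be ignored for this ASA")
    for dn in _find_all(root, "DistinguishedNameDefinition"):
        if not _child_text(dn, "Pattern"):
            findings.append("DistinguishedNameDefinition has an empty Pattern")
    return findings


def dn_definition_matches(dn_def, value):
    """Evaluate one DistinguishedNameDefinition against a DN attribute value.
    Assumed semantics, inferred from the attribute names rather than stated in the
    thread: Operator is Equal or NotEqual, Wildcard=Enabled accepts the pattern
    anywhere in the value, MatchCase=Disabled compares case-insensitively."""
    pattern = _child_text(dn_def, "Pattern")
    wildcard = dn_def.get("Wildcard", "Disabled") == "Enabled"
    match_case = dn_def.get("MatchCase", "Disabled") == "Enabled"
    a, b = (value, pattern) if match_case else (value.lower(), pattern.lower())
    hit = (b in a) if wildcard else (a == b)
    return hit if dn_def.get("Operator", "Equal") == "Equal" else not hit


def select_certificates(profile_xml, certs):
    """Labels of installed certificates (list of (label, {'CN': ...}) tuples) whose DN
    satisfies every DistinguishedNameDefinition. KeyUsage/ExtendedKeyUsage are not
    modelled here."""
    root = ET.fromstring(profile_xml)
    defs = _find_all(root, "DistinguishedNameDefinition")
    return [label for label, attrs in certs
            if all(dn_definition_matches(d, attrs.get(_child_text(d, "Name"), ""))
                   for d in defs)]


if __name__ == "__main__":
    installed = [("masin2", {"CN": "masin2"}), ("masin3", {"CN": "masin3"})]
    print(select_certificates(SAMPLE_PROFILE, installed))  # ['masin2']
    print(lint_certificate_match(PROFILE_WITHOUT_SERVERLIST, "myASAname"))
```

Run against a profile exported from the profile editor, `lint_certificate_match` is the check to wire into whatever pipeline pushes profiles to the ASA: it reports when the match rules would be dead configuration for the address users actually connect to, which is the symptom the thread spent several replies on.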

7 REPLIES
Community Member

Try enabling the wildcard and see if it works. I'd also get rid of the KeyUsage and ExtendedKeyUsage just to see if it works with just the CN check, and then add them back as needed.

Community Member

Enabling wildcard did not help. I also tried disabling/enabling automatic certificate selection; no luck.

I have also tried with and without different KeyUsage and ExtendedKeyUsage settings; no difference.

The Client Profile is correctly updated on the client PC every time a change is made, but it seems like AnyConnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: CertificateStore, RetainVpnOnLogoff, UseStartBeforeLogon and so on).

I even upgraded AnyConnect to the latest version 3.1.05160 and still, AnyConnect completely ignores the CertificateMatch configuration in the client profile.

Hall of Fame Super Silver

Can you share the tunnel-group-map configuration in which you enable the rules and tell the ASA to match a certificate map?

(Reference this configuration guide section.)

Community Member

Isn't that IPsec specific?

I'm using SSL VPN and, as far as I know, the client-side certificate matching happens locally on the client PC, not on the ASA. I need the client PC to choose one of many certificates from the "current user" certificate store.

Hall of Fame Super Silver

Thanks for sharing the solution!

Cisco Employee

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html


You must include the ASA in the VPN profile’s server list in order for the client GUI to display all user controllable settings on the first connection. If you do not add the ASA address or FQDN as a host entry in the profile, then filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but you do not add the ASA as a host entry in that profile, the certificate match is ignored.
