Community Member

Is it possible to use AnyConnect with two certificates for separate VPN profiles?

Hi Guys

 

I am currently using AnyConnect with only one VPN profile, which is certificate based. I have this mapped on my ASA and have the following in my XML profile to tell my Mac OS X which cert to use:

 

        <!-- Select the client certificate by the exact CN of its issuer -->
        <CertificateMatch>
            <DistinguishedName>
                <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
                    <Name>ISSUER-CN</Name>
                    <Pattern>NAME OF ISSUER</Pattern>
                </DistinguishedNameDefinition>
            </DistinguishedName>
        </CertificateMatch>

 

I now have a need to use another VPN profile on the same machine. Is it possible to use my XML profile to distinguish a certificate for each VPN profile connection?

 

Kind Regards

 

 

6 REPLIES
Hall of Fame Super Silver

Do you want to use a separate certificate for the same ASA or for a different ASA altogether?

In the former case I believe you'd have to disable the default automatic certificate selection and have the user choose from among the available certificates at the time of connection.

In the latter case, each connection uses a separate XML profile so it should be possible to have each profile's certificate match section specify the desired certificate while continuing to use the default "automatic certificate selection".
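To see how a profile's CertificateMatch rules are evaluated against the certificates in a local store, here is an added Python example (not Cisco's code, and a simplified reading of the DistinguishedNameDefinition semantics; the certificate labels and issuer names are constructed). It shows why an ISSUER-CN rule alone cannot separate two certificates issued by the same CA, and how adding a subject CN rule does.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed CertificateMatch fragment: issuer CN only (like the poster's profile).
PROFILE_ISSUER_ONLY = """
<CertificateMatch>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
      <Name>ISSUER-CN</Name><Pattern>Corp Issuing CA</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>
"""

# Constructed variant that also pins the subject CN (assumed: rules are ANDed).
PROFILE_ISSUER_AND_CN = PROFILE_ISSUER_ONLY.replace(
    "</DistinguishedName>",
    '<DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">'
    "<Name>CN</Name><Pattern>vpn-*</Pattern></DistinguishedNameDefinition></DistinguishedName>",
)

# Constructed certificate metadata as a keychain would expose it (field name -> value).
CERTS = [
    {"label": "vpn-cert", "CN": "VPN-mohamed", "ISSUER-CN": "Corp Issuing CA"},
    {"label": "wifi-cert", "CN": "wifi-mohamed", "ISSUER-CN": "Corp Issuing CA"},
    {"label": "partner-cert", "CN": "VPN-mohamed", "ISSUER-CN": "Partner CA"},
]


def _rule_matches(rule, cert):
    """Evaluate one DistinguishedNameDefinition against a certificate's fields."""
    value = cert.get(rule.findtext("Name"), "")
    pattern = rule.findtext("Pattern")
    if rule.get("MatchCase") != "Enabled":          # case-insensitive compare
        value, pattern = value.lower(), pattern.lower()
    if rule.get("Wildcard") == "Enabled":           # '*' / '?' glob matching
        hit = fnmatch.fnmatchcase(value, pattern)
    else:
        hit = value == pattern
    return hit if rule.get("Operator", "Equal") == "Equal" else not hit


def matching_certs(profile_xml, certs):
    """Labels of certificates that satisfy every rule in the profile fragment."""
    root = ET.fromstring(profile_xml)
    rules = root.findall("./DistinguishedName/DistinguishedNameDefinition")
    return [c["label"] for c in certs if all(_rule_matches(r, c) for r in rules)]
```

With the issuer-only rule two certificates remain eligible, which is the ambiguity the client then resolves on its own; the issuer-plus-CN rule narrows the result to one.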

Community Member

Hi Marvin

Many thanks for your excellent reply.

I am using Mac OS X and unfortunately I do not see the option to disable 'automatic certificate selection' in my preferences. This may be a Windows-only feature?

This is for the same ASA and therefore, as you mentioned, the same XML profile. I did try and use a different XML profile, but as you said that scenario is only for a different ASA.

Is there a different way in Mac OS X to disable auto cert selection?

 

Kind Regards

 

Mohamed 

Hall of Fame Super Silver

Mohamed,

Ah sorry, it is noted in the documentation that "This configuration is available only for Windows 7, XP, and Vista."

How does OS X behave if you don't have the CertificateMatch section in your XML profile while having multiple certificates in your local store?

Community Member

Hi Marvin

Not a problem.

If I have multiple certs in my keychain, it will pick the first one installed, I believe.

I have had a scenario where I could not VPN into a different connection (separate ASA, not cert based) until I removed my certificate for my original VPN profile. So it looks like it has 'automatic certificate selection' enabled by default.

Hmm, looks like a feature request for Mac OS X...

Hall of Fame Super Silver

Yes, it looks like it.

I'm not a Mac user, but the other solutions that come to mind would be based on using OS X features alone. For example, removing and replacing the certificate in your keychain to match the desired connection. You could also set up a separate user with their own keychain, or other such workarounds.

Community Member

Hi Marvin

Yeah, that looks like the most straightforward approach to this. Many thanks for your time :)

Mohamed
