Wednesday, 21 January 2015

Cisco AnyConnect VPN Certificate Matching with Windows

Today I faced strange behavior while deploying AnyConnect VPN certificate authentication on Windows 7/8. It looks to me like a bug, but I didn't see it listed in the Cisco Bug Toolkit.


When you use AnyConnect VPN certificate authentication, the AnyConnect client sends the client certificate to the VPN server to verify the identity of the user (the VPN server authenticates the user certificate against the CA root certificate, and checks expiry and revocation via OCSP/CRL).

The AnyConnect VPN client browses all certificate stores (by default) on the user's machine and selects the user certificate based on the following:

  1. If no certificate matching criteria are specified in the AnyConnect VPN profile, AnyConnect applies the following certificate matching rules:

  • Key Usage: Digital_Signature
  • Extended Key Usage: Client Auth

  2. If any matching criteria are specified in the profile, neither of these default rules is applied unless it is specifically listed in the profile.
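The two selection rules above, modelled in Python as an added example (not code from the original post or from Cisco); the certificate attributes and store contents are constructed, and the point it shows is that listing any criterion in the profile replaces the defaults rather than adding to them:

```python
"""Model of the AnyConnect client-certificate selection rules (constructed example).
A certificate is represented only by the flags found in its Key Usage (KU) and
Extended Key Usage (EKU) extensions; names are illustrative, not Cisco's schema."""
from dataclasses import dataclass, field

# Default matching rules the client applies only when the profile lists none.
DEFAULT_KEY_USAGE = {"Digital_Signature"}
DEFAULT_EXTENDED_KEY_USAGE = {"ClientAuth"}


@dataclass(frozen=True)
class ClientCert:
    subject: str
    key_usage: frozenset      # KU flags, e.g. {"Digital_Signature", "Key_Encipherment"}
    ext_key_usage: frozenset  # EKU names, e.g. {"ClientAuth", "ServerAuth"}


@dataclass
class MatchCriteria:
    """Matching criteria as a profile would state them; both empty = none defined."""
    key_usage: set = field(default_factory=set)
    ext_key_usage: set = field(default_factory=set)

    def is_empty(self) -> bool:
        return not self.key_usage and not self.ext_key_usage


def select_certs(certs, criteria: MatchCriteria):
    """Return the certificates the client would treat as candidates."""
    if criteria.is_empty():
        # Rule 1: nothing in the profile -> both default rules apply.
        ku_required, eku_required = DEFAULT_KEY_USAGE, DEFAULT_EXTENDED_KEY_USAGE
    else:
        # Rule 2: any criteria present -> only the listed ones apply; the defaults
        # are not added back, so an extension the profile omits is not checked.
        ku_required, eku_required = criteria.key_usage, criteria.ext_key_usage
    return [c for c in certs
            if ku_required <= c.key_usage and eku_required <= c.ext_key_usage]


# Constructed certificate store: a proper client cert, an encryption-only cert
# (no Digital_Signature) and a server cert with the wrong EKU.
STORE = [
    ClientCert("CN=alice", frozenset({"Digital_Signature", "Key_Encipherment"}), frozenset({"ClientAuth"})),
    ClientCert("CN=encrypt-only", frozenset({"Key_Encipherment"}), frozenset({"ClientAuth"})),
    ClientCert("CN=web", frozenset({"Digital_Signature"}), frozenset({"ServerAuth"})),
]


def demo():
    """Compare selection with no profile criteria against an EKU-only criterion."""
    no_profile = [c.subject for c in select_certs(STORE, MatchCriteria())]
    eku_only = [c.subject for c in select_certs(STORE, MatchCriteria(ext_key_usage={"ClientAuth"}))]
    return no_profile, eku_only
```

With an EKU-only criterion the encryption-only certificate becomes a candidate because the Digital_Signature default is no longer checked; a profile that narrows on EKU should usually restate the KU rule as well.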

For reference:
 
Now, I had a client certificate with the following KU and EKU:
Also, I didn't define certificate matching criteria, assuming that the AnyConnect client's default would pick the certificate based on my KU and EKU. This worked on Android, iOS, Mac OS X and Windows Server 2008, but not on Windows 7/8 Pro.

The workaround was to define certificate matching criteria as follows: