Showing posts from January, 2015

Cisco AnyConnect VPN Certificate Matching with Windows

Today I ran into strange behavior while deploying AnyConnect VPN certificate authentication on Windows 7/8. It looks like a bug to me, but I did not see it listed in the Cisco Bug Toolkit.

With AnyConnect VPN certificate authentication, the AnyConnect client sends a client certificate to the VPN server to prove the identity of the user. The VPN server validates that certificate against the trusted CA root certificate, checks its validity period (expiry), and checks its revocation status via OCSP or CRL.
By default the AnyConnect client browses all certificate stores on the user's machine and selects the user certificate as follows:
If the AnyConnect VPN profile specifies no certificate matching criteria, AnyConnect applies the following default matching rules:
    Key Usage: Digital_Signature
    Extended Key Usage: Client Auth
If the profile specifies any matching criteria at all, neither of these default rules is applied unless it is explicitly listed in the profile.
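As an added example (not code from the original post), the following PowerShell script emulates these matching rules against the Windows certificate stores: it reads the KeyUsage and ExtendedKeyUsage criteria from an AnyConnect client profile if one is supplied, falls back to the two default rules when there is none, and lists which certificates in the user and machine personal stores would be candidates. The profile element names (CertificateMatch, KeyUsage/MatchKey, ExtendedKeyUsage/ExtendedMatchKey), the match-key spellings and OID mapping, and the decision to treat a certificate with no EKU extension as a non-match are my assumptions rather than anything the post states; check them against your own profile and the AnyConnect administrator guide.

```powershell
# Added example, not code from the original post. Emulates AnyConnect's
# certificate-matching rules against the Windows certificate stores so you
# can see which user certificate the client is likely to pick.
# Assumptions (not from the post): profile element names CertificateMatch,
# KeyUsage/MatchKey and ExtendedKeyUsage/ExtendedMatchKey, the match-key
# spellings and OIDs below, and treating a certificate with no EKU extension
# as a non-match. Verify against your own profile before relying on the output.
param(
    # Optional AnyConnect client profile (XML). Omit to evaluate the default rules.
    [string]$ProfilePath
)

# AnyConnect KeyUsage match keys -> .NET X509KeyUsageFlags names (assumed spellings).
$KeyUsageMap = @{
    'Digital_Signature' = 'DigitalSignature'; 'Non_Repudiation'   = 'NonRepudiation'
    'Key_Encipherment'  = 'KeyEncipherment';  'Data_Encipherment' = 'DataEncipherment'
    'Key_Agreement'     = 'KeyAgreement';     'Key_Cert_Sign'     = 'KeyCertSign'
    'CRL_Sign'          = 'CrlSign';          'Encipher_Only'     = 'EncipherOnly'
    'Decipher_Only'     = 'DecipherOnly'
}
# AnyConnect ExtendedKeyUsage match keys -> EKU OIDs (RFC 5280 id-kp-*; assumed spellings).
$EkuMap = @{
    'ClientAuth'   = '1.3.6.1.5.5.7.3.2'; 'ServerAuth'   = '1.3.6.1.5.5.7.3.1'
    'CodeSign'     = '1.3.6.1.5.5.7.3.3'; 'EmailProtect' = '1.3.6.1.5.5.7.3.4'
    'TimeStamping' = '1.3.6.1.5.5.7.3.8'; 'OCSPSign'     = '1.3.6.1.5.5.7.3.9'
}

function Get-MatchCriteria {
    param([string]$Path)
    # The two default rules the post describes; used only when the profile has no criteria.
    $defaults = @{ KeyUsage = @('Digital_Signature'); Eku = @('ClientAuth'); Source = 'built-in defaults' }
    if (-not $Path) { return $defaults }

    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    # local-name() sidesteps whatever default XML namespace the profile declares.
    $match = $xml.SelectSingleNode("//*[local-name()='CertificateMatch']")
    if ($null -eq $match) {
        $defaults.Source = 'built-in defaults (profile has no CertificateMatch)'
        return $defaults
    }
    # Once any criteria exist, the defaults are dropped: only keys listed in the profile count.
    $ku  = @($match.SelectNodes("*[local-name()='KeyUsage']/*[local-name()='MatchKey']") |
             ForEach-Object { $_.InnerText.Trim() })
    $eku = @($match.SelectNodes("*[local-name()='ExtendedKeyUsage']/*[local-name()='ExtendedMatchKey']") |
             ForEach-Object { $_.InnerText.Trim() })
    return @{ KeyUsage = $ku; Eku = $eku; Source = $Path }
}

function Test-CertificateMatch {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [hashtable]$Criteria
    )
    $kuExt  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ekuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    foreach ($key in $Criteria.KeyUsage) {
        if (-not $KeyUsageMap.ContainsKey($key)) { throw "Unknown KeyUsage match key '$key'" }
        $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$KeyUsageMap[$key]
        # No KeyUsage extension, or the required bit not set -> this rule fails.
        if (-not $kuExt -or (($kuExt.KeyUsages -band $flag) -eq 0)) { return $false }
    }
    foreach ($key in $Criteria.Eku) {
        if (-not $EkuMap.ContainsKey($key)) { throw "Unknown ExtendedKeyUsage match key '$key'" }
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        # Assumption: a certificate without an EKU extension does not satisfy an EKU rule.
        if ($oids -notcontains $EkuMap[$key]) { return $false }
    }
    return $true
}

$criteria = Get-MatchCriteria -Path $ProfilePath
Write-Host ("Rules from {0}: KeyUsage=[{1}] EKU=[{2}]" -f $criteria.Source,
    ($criteria.KeyUsage -join ','), ($criteria.Eku -join ','))

# AnyConnect browses all stores by default; the personal stores are where user certificates live.
'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' | ForEach-Object {
    $store = $_
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            PrivateKey = $_.HasPrivateKey
            Expired    = ($_.NotAfter -lt (Get-Date))
            Matches    = Test-CertificateMatch -Cert $_ -Criteria $criteria
        }
    }
} | Format-Table -AutoSize
```

Run it without arguments to see which certificates pass the two default rules, then again with -ProfilePath pointing at the deployed profile (typically under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile). The difference between the two runs is the point of the passage above: a profile whose CertificateMatch block lists only a DistinguishedName rule leaves the KeyUsage and ExtendedKeyUsage lists empty, so the script (like the client) no longer filters on Digital_Signature or Client Auth, and certificates you did not intend to be eligible may appear as matches. The script does not model DistinguishedName rules, so for such a profile it shows only the KU/EKU side of the decision.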