When you use AnyConnect VPN certificate authentication, the AnyConnect client sends the client certificate to the VPN server to verify the identity of the user (the VPN server authenticates the user certificate against the CA root certificate, plus expiry and revocation via OCSP/CRL).
By default, the AnyConnect VPN client browses all certificate stores on the user's machine and selects the user certificate based on the following:
- If no certificate matching criteria are specified in the AnyConnect VPN profile, AnyConnect applies the following certificate matching rules:
  - Key Usage: Digital_Signature
  - Extended Key Usage: Client Auth
- If any matching criteria are specified in the profile, neither of these matching rules is applied unless it is specifically listed in the profile.
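To see which certificates on a Windows machine would pass the two default rules listed above, the following PowerShell sketch checks each certificate's Key Usage and Extended Key Usage extensions. It is an added example, not part of the original post or of AnyConnect; the function name `Get-DefaultMatchReport` is hypothetical, and it assumes only the two personal ("My") stores need inspecting and treats a certificate without the extension as not matching.

```powershell
# Added example: report certificates that satisfy the default matching rules
# (Key Usage Digital_Signature + Extended Key Usage Client Auth).
# Assumption: only the CurrentUser and LocalMachine "My" stores are checked.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication)
$kuType  = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$digSig  = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature

function Get-DefaultMatchReport {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $ku  = $cert.Extensions | Where-Object { $_ -is $kuType }
            $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }

            # Key Usage: the DigitalSignature bit must be set.
            $hasDigSig = $false
            if ($ku) { $hasDigSig = (([int]$ku.KeyUsages) -band $digSig) -ne 0 }

            # Extended Key Usage: the Client Authentication OID must be listed.
            $hasClientAuth = $false
            if ($eku) {
                $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
                $hasClientAuth = $oids -contains $clientAuthOid
            }

            New-Object PSObject -Property @{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                DigitalSig    = $hasDigSig
                ClientAuth    = $hasClientAuth
                DefaultMatch  = ($hasDigSig -and $hasClientAuth)
            } | Select-Object Store, Subject, Thumbprint, NotAfter,
                              HasPrivateKey, DigitalSig, ClientAuth, DefaultMatch
        }
    }
}

Get-DefaultMatchReport | Format-Table -AutoSize
```

A row with `DefaultMatch` set to `False` shows which of the two rules the certificate misses; `NotAfter` and `HasPrivateKey` are included because an expired certificate or one without its private key cannot authenticate either.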
For reference:
Now, I had a client certificate with the KU and EKU as follows:
Also, I didn't define certificate matching criteria, assuming that the AnyConnect client's default would pick the certificate based on my KU and EKU. This worked on Android, iOS, Mac OS X, and Windows Server 2008, but not on Windows 7/8 Pro.
The workaround was to define certificate matching criteria as follows: