7-13
Cisco AnyConnect VPN Client Administrator Guide
OL-12950-012
Chapter 7 Configuring and Using AnyConnect Client Operating Modes and User Profiles
Configuring Profile Attributes
• DATA_ENCIPHERMENT
• KEY_AGREEMENT
• KEY_CERT_SIGN
• CRL_SIGN
• ENCIPHER_ONLY
• DECIPHER_ONLY
The profile can contain zero or more matching criteria. If one or more criteria are specified, a certificate must match at least one of them to be considered a matching certificate. The example in Certificate Matching Example, page 7-15, shows how you might configure these attributes.
Extended Certificate Key Usage Matching
This matching allows an administrator to limit the certificates that can be used by the client, based on the Extended Key Usage fields. Table 7-3 lists the well-known set of constraints with their corresponding object identifiers (OIDs).
As an administrator, you can add your own OIDs if the OID you want is not in the well-known set. The profile can contain zero or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. See the profile example in Appendix A, “Sample AnyConnect Profile and XML Schema.”
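The two rules above differ in an important way: key usage criteria are satisfied by any one listed value, while extended key usage criteria must all be present. The following is an added example, not code from the Cisco guide or the AnyConnect client, that models both rules over a constructed certificate store; the well-known EKU names and OIDs are those of Table 7-3, and the `Cert` class, `eku_to_oid`, `matches_profile` and `select_certs` names are assumptions.

```python
# Added example, not the guide's code. KeyUsage criteria: the certificate must
# match AT LEAST ONE. ExtendedKeyUsage criteria: it must match ALL. Well-known
# EKU names/OIDs are those of Table 7-3; custom dotted OIDs pass through as the
# guide permits. All certificate data here is constructed, not real.
from dataclasses import dataclass
WELL_KNOWN_EKU = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSign": "1.3.6.1.5.5.7.3.3",
    "emailProtect": "1.3.6.1.5.5.7.3.4",
    "ipsecEndSystem": "1.3.6.1.5.5.7.3.5",
    "ipsecTunnel": "1.3.6.1.5.5.7.3.6",
    "ipsecUser": "1.3.6.1.5.5.7.3.7",
    "timeStamp": "1.3.6.1.5.5.7.3.8",
    "OCSPSign": "1.3.6.1.5.5.7.3.9",
    "dvcs": "1.3.6.1.5.5.7.3.10",
}

@dataclass(frozen=True)
class Cert:                 # constructed stand-in for a certificate store entry
    subject: str
    key_usage: frozenset    # KeyUsage flags, named as in the profile
    eku_oids: frozenset     # ExtendedKeyUsage OIDs as dotted strings

def eku_to_oid(constraint):
    """Resolve a well-known constraint name to its OID; accept a dotted OID as-is."""
    if constraint in WELL_KNOWN_EKU:
        return WELL_KNOWN_EKU[constraint]
    if all(p.isdigit() for p in constraint.split(".")):   # administrator-added OID
        return constraint
    raise ValueError(f"unknown EKU constraint: {constraint!r}")

def matches_profile(cert, key_usage_criteria=(), eku_criteria=()):
    """True if cert passes both rules; empty criteria impose no restriction."""
    if key_usage_criteria and not (set(key_usage_criteria) & cert.key_usage):
        return False                  # KeyUsage: none of the listed values present
    required = {eku_to_oid(c) for c in eku_criteria}
    return required <= cert.eku_oids  # ExtendedKeyUsage: every listed OID present

def select_certs(certs, key_usage_criteria=(), eku_criteria=()):
    # Narrow a store to the subjects the profile would accept, in store order.
    return [c.subject for c in certs if matches_profile(c, key_usage_criteria, eku_criteria)]

# Constructed sample store: a user cert, a VPN gateway cert and an issuing CA cert.
SAMPLE_STORE = [
    Cert("user@example.test", frozenset({"DATA_ENCIPHERMENT", "KEY_AGREEMENT"}),
         frozenset({"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"})),  # clientAuth, emailProtect
    Cert("vpn-gw.example.test", frozenset({"KEY_AGREEMENT"}),
         frozenset({"1.3.6.1.5.5.7.3.1"})),                       # serverAuth
    Cert("Example Issuing CA", frozenset({"KEY_CERT_SIGN", "CRL_SIGN"}), frozenset()),
]
```

Note that a user certificate with only clientAuth is rejected as soon as a second EKU criterion is added, whereas adding a second key usage criterion can only widen the set of accepted certificates.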
Certificate Distinguished Name Mapping
The certificate distinguished name mapping capability allows an administrator to limit the certificates
that can be used by the client to those matching the specified criteria and criteria match conditions.
Table 7-4 lists the supported criteria:
Table 7-3 Extended Certificate Key Usage
Constraint        OID
serverAuth        1.3.6.1.5.5.7.3.1
clientAuth        1.3.6.1.5.5.7.3.2
codeSign          1.3.6.1.5.5.7.3.3
emailProtect      1.3.6.1.5.5.7.3.4
ipsecEndSystem    1.3.6.1.5.5.7.3.5
ipsecTunnel       1.3.6.1.5.5.7.3.6
ipsecUser         1.3.6.1.5.5.7.3.7
timeStamp         1.3.6.1.5.5.7.3.8
OCSPSign          1.3.6.1.5.5.7.3.9
dvcs              1.3.6.1.5.5.7.3.10