Cisco 5505 Administration Guide - Page 79

Chapter 7 Configuring and Using AnyConnect Client Operating Modes and User Profiles Configuring Profile Attributes • DATA_ENCIPHERMENT • KEY_AGREEMENT • KEY_CERT_SIGN • CRL_SIGN • ENCIPHER_ONLY • DECIPHER_ONLY The profile can contain none or more matching criteria. If one or more criteria are specified, a certificate must match at least one to be considered a matching certificate. The example in Certificate Matching Example, page 7-15 shows how you might configure these attributes. Extended Certificate Key Usage Matching This matching allows an administrator to limit the certificates that can be used by the client, based on the Extended Key Usage fields. Table 7-3 lists the well known set of constraints with their corresponding object identifiers (OIDs). Table 7-3 Extended Certificate Key Usage Constraint serverAuth clientAuth codeSign emailProtect ipsecEndSystem ipsecTunnel ipsecUser timeStamp OCSPSign dvcs OID 1.3.6.1.5.5.7.3.1 1.3.6.1.5.5.7.3.2 1.3.6.1.5.5.7.3.3 1.3.6.1.5.5.7.3.4 1.3.6.1.5.5.7.3.5 1.3.6.1.5.5.7.3.6 1.3.6.1.5.5.7.3.7 1.3.6.1.5.5.7.3.8 1.3.6.1.5.5.7.3.9 1.3.6.1.5.5.7.3.10 As an administrator, you can add your own OIDs if the OID you want is not in the well known set. The profile can contain none or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. See profile example in Appendix A, "Sample AnyConnect Profile and XML Schema" for an example. Certificate Distinguished Name Mapping The certificate distinguished name mapping capability allows an administrator to limit the certificates that can be used by the client to those matching the specified criteria and criteria match conditions. Table 7-4 lists the supported criteria: OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 7-13