Previously my openconnect server deployment plan utilizes PAM authentication (via Kerberos/Active Directory) as the primary authentication method. It works but it’s complicated (password every time). I just enabled certificate authentication today and it worked fine.
Things to note
- Enable certificate authentication as an alternative authentication method (up to you, but some guys in our domain don’t use certificate-capable device)
- Use “Smartcard Logon” certificate template with subject information in “Common Name” style
- Set OID 126.96.36.199 as user identifier in openconnect server configuration
- Provision root CA, CRL and OCSP (CRL and OCSP are optional but essential as part of the best-practice)
I provisioned the same certificate in my Yubikey PIV and TPM-based virtual smartcard, but neither works for AnyConnect client. Certificate in user certificate store is fine.