Cisco VPN Client Readme file
============================

This file describes the contents of the Cisco VPN Client files for the
Mac OS X platform.

Refer to the Bug Navigator on Cisco Connection Online for open issues:
http://www.cisco.com/support/bugtools/bugtool.shtml

Revision: Release 4.8.00.0490
Files:    vpnclient-darwin-4.8.00.0490-k9.dmg

Contents:

Features

  New Certificate features have been added to dynamically map a
  Certificate to a profile without manual selection by the user. See the
  Certificate notes at the end of this document for details.

Resolved Issues

  CSCeh67124  unity clients should not filter local multi/broadcast beside firewall
  CSCsb97777  unity mac 10.4 kernel module loaded error 51
  CSCei02133  unity mac client install with uid 502
  CSCei43441  unity mac 10.4 mtu drops with location switching and sleep
  CSCei44573  unity mac 10.4 needs domain added from push

Unresolved Issues

  CSCei48783  unity mac classic ping over 150 kernel panics
  CSCsb93222  unity mac os x 10.4 server version kernel panic with afp

Revision: Release 4.7.00.0510 Rel
Files:    vpnclient-darwin-4.7.00.0510 Rel-k9.dmg

Contents:

  - See Release Notes for Release 4.6 at:
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/index.htm

1. Certificate Distinguished Name Matching

   Profile Keyword: CertMatchDN

   Description: This parameter specifies the wildcard string used to match
   and select a particular certificate by its Distinguished Name, in the
   given certificate store, during a connection attempt. If more than one
   certificate satisfies the wildcard string, the first one found is
   chosen. The value of this parameter is a pseudo-regular expression
   whose format is identical to that of the VerifyCertDN profile keyword.

   Valid keywords for the wildcard string are:

     "CN"          SubjectCommonName
     "SN"          SubjectSurName
     "GN"          SubjectGivenName
     "N"           SubjectUnstructName
     "I"           SubjectInitials
     "GENQ"        SubjectGenQualifier
     "DNQ"         SubjectDnQualifier
     "C"           SubjectCountry
     "L"           SubjectCity
     "SP"          SubjectState
     "ST"          SubjectState
     "O"           SubjectCompany
     "OU"          SubjectDept
     "T"           SubjectTitle
     "EA"          SubjectEmailAddr
     "ISSUER-CN"   IssuerCommonName
     "ISSUER-SN"   IssuerSurName
     "ISSUER-GN"   IssuerGivenName
     "ISSUER-N"    IssuerUnstructName
     "ISSUER-I"    IssuerInitials
     "ISSUER-GENQ" IssuerGenQualifier
     "ISSUER-DNQ"  IssuerDnQualifier
     "ISSUER-C"    IssuerCountry
     "ISSUER-L"    IssuerCity
     "ISSUER-SP"   IssuerState
     "ISSUER-ST"   IssuerState
     "ISSUER-O"    IssuerCompany
     "ISSUER-OU"   IssuerDept
     "ISSUER-T"    IssuerTitle
     "ISSUER-EA"   IssuerEmailAddr

   Example:

     CertMatchDN=CN="ID Cert",OU*"Cisco",ISSUER-CN!="Entrust",ISSUER-OU!*"wonderland"

     CN="ID Cert"             Specifies an exact match on the CN.
     OU*"Cisco"               Specifies any OU that contains the string "Cisco".
     ISSUER-CN!="Entrust"     Specifies that the Issuer CN must not equal "Entrust".
     ISSUER-OU!*"wonderland"  Specifies that the Issuer OU must not contain "wonderland".

2. Certificate Key Usage

   vpnclient.ini [Main] keyword: CertificateKeyUsage

   Description: This global parameter restricts the Certificates usable
   from all stores to those whose Key Usage includes Digital Signature or
   Non-Repudiation. If "CertificateKeyUsage=1" is set when the client is
   launched, only Certificates with the proper key usage are displayed
   under the Certificates tab, and profiles configured to use a
   Certificate without the proper key usage receive an error that the
   Certificate cannot be found. The default, "CertificateKeyUsage=0",
   allows all available Certificates to be selected and used. This
   keyword overrides all other Certificate matching criteria, such as
   CertMatchDN (a profile that sets CertMatchKU, see section 4, replaces
   this global setting for that profile).

3. Certificate Extended Key Usage Matching

   Profile Keyword: CertMatchEKU

   Description: This parameter specifies the list of Extended Key Usage
   fields that the client should honor. When it is set, the client
   considers only those certs (irrespective of certificate store) whose
   Extended Key Usage matches the profile keyword during a connection
   attempt, i.e. at least one of the Extended Key Usage OIDs listed in the
   profile keyword must be present in the certificate's Extended Key Usage
   extension. The keyword applies to connection attempts only, not to any
   other certificate-related operation (listing certs, viewing certs,
   etc.), and it applies to all forms of certificate selection
   (CertSerialHash, CertMatchDN, CertSubjectName, CertName).

   The value of this keyword is a comma-separated list of Extended Key
   Usage OID strings.

   Example:

     CertMatchEKU=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1

     1.3.6.1.5.5.7.3.2  Client Authentication
     1.3.6.1.5.5.7.3.1  Server Authentication

   Custom Extended Key Usage strings must be of the form
   1.3.6.1.5.5.7.3.X, where X can be any number.

4. Certificate Key Usage Matching

   Profile Keyword: CertMatchKU

   Description: This feature allows profile selection of Certificates
   based on Key Usage as well as on the DN and Extended Key Usage fields.
   This keyword overrides the vpnclient.ini keyword "CertificateKeyUsage".
   The value is a comma-separated list of Key Usage bit indexes, for
   example:

     CertMatchKU=0,3,4,5

     DIGITAL_SIGNATURE  8
     NON_REPUDIATION    7
     KEY_ENCIPHERMENT   6
     DATA_ENCIPHERMENT  5
     KEY_AGREEMENT      4
     KEY_CERT_SIGN      3
     CRL_SIGN           2
     ENCIPHER_ONLY      1
     DECIPHER_ONLY      0

   If the Certificate has any of the usages listed in CertMatchKU, it
   passes on to the next criterion. Otherwise the Certificate is not
   selected.

   Example:

     [Main]
     Host=1.2.3.4
     AuthType=3
     CertStore=2
     CertName=myMultipleCerts
     CertMatchKU=7
     !CertSubjectName=
     !CertSerialHash=

   If two Certificates identical except for Key Usage were available to
   the profile above, only the one with Non-Repudiation would be chosen.

5. Certificate Fall Through

   This behavior is implicit and has no profile keyword associated with
   it. For a given connection attempt, a certificate can be selected
   using one or more of the keywords given below (in order of
   precedence):

     a) CertMatchEKU and CertMatchKU
     b) CertSerialHash
     c) CertMatchDN
     d) CertSubjectName
     e) CertName

   If the client cannot find a cert in the given cert store using all of
   the Certificate keywords noted above, the connection attempt fails.

   Sample profile:

     [Main]
     Host=10.10.10.10
     AuthType=3
     CertStore=2
     !UserName=
     !UserPassword=
     CertMatchKU=7
     CertMatchEKU=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1
     CertMatchDN=issuer-ou*"vpn group",ea*"Cisco.com"
     !CertSerialHash=

   The profile above matches only certificates that have a Key Usage of
   "Non-Repudiation" AND have EITHER Client or Server Authentication in
   the Extended Key Usage. The Issuer OU MUST contain "vpn group" and the
   email address in the user Certificate MUST contain "cisco.com" (case
   insensitive).

   This scenario lets a shared workstation connect users based on their
   smart card certificates. A user could walk up, insert their card, and
   hit Connect. The generic profile above finds the proper certificate on
   their card (without restarting the client or modifying the profile)
   and prompts them for their Certificate password, username, and
   password. The concentrator could also be configured to connect without
   a username and rely entirely upon the Certificates for authentication.

   Note the use of the "!" character in the profile. It prevents the
   previous user's information from being retained between connections.
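The selection rules from sections 1, 3, 4 and 5 above, modelled in Python as an added example for working out what a profile will pick. This is not Cisco code and it does not read real certificates: certificates are plain dicts (the subject/issuer/ku/eku layout, SAMPLE_STORE and SMARTCARD_PROFILE are constructed here), case-insensitive comparison is assumed for every CertMatchDN operator (the README states it only for the ea*"Cisco.com" example), the CertSubjectName and CertName comparisons (subject CN, store display name) are assumptions, and the fall-through is an interpretation of section 5 in which a higher-precedence keyword that matches nothing lets the next one run.

```python
"""Model of the certificate-selection keywords in this README: CertMatchDN,
CertMatchEKU, CertMatchKU and the section 5 fall-through. Added example,
not Cisco code; certificates are plain dicts, not real X.509 objects."""
import re

# Key Usage bit indexes exactly as the CertMatchKU table lists them.
KU_BITS = {8: "DIGITAL_SIGNATURE", 7: "NON_REPUDIATION", 6: "KEY_ENCIPHERMENT",
           5: "DATA_ENCIPHERMENT", 4: "KEY_AGREEMENT", 3: "KEY_CERT_SIGN",
           2: "CRL_SIGN", 1: "ENCIPHER_ONLY", 0: "DECIPHER_ONLY"}
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# One CertMatchDN clause: KEYWORD, operator (= * != !*), double-quoted value.
_CLAUSE = r'([A-Za-z-]+)(!=|!\*|=|\*)"([^"]*)"'
_EXPR = re.compile(r'^%s(?:,%s)*$' % (_CLAUSE, _CLAUSE))
_ALIASES = {"ST": "SP"}  # both keywords mean SubjectState


def parse_cert_match_dn(expr):
    """Turn CN="ID Cert",OU*"Cisco",ISSUER-CN!="Entrust" into (keyword, operator,
    value) tuples; a malformed value is rejected instead of matching nothing."""
    if not _EXPR.match(expr):
        raise ValueError("malformed CertMatchDN value: %r" % expr)
    return [(k.upper(), op, v) for k, op, v in re.findall(_CLAUSE, expr)]


def _dn_attr(cert, keyword):
    """Resolve a keyword against the issuer (ISSUER-*) or subject DN."""
    dn, key = ((cert["issuer"], keyword[7:]) if keyword.startswith("ISSUER-")
               else (cert["subject"], keyword))
    return dn.get(_ALIASES.get(key, key), "")


def match_dn(cert, clauses):
    """All clauses must hold. Comparison is case-insensitive, as the
    ea*"Cisco.com" note in section 5 states (assumed here for every operator)."""
    for keyword, op, value in clauses:
        actual, want = _dn_attr(cert, keyword).lower(), value.lower()
        holds = {"=": actual == want, "*": want in actual,
                 "!=": actual != want, "!*": want not in actual}[op]
        if not holds:
            return False
    return True


def match_ku(cert, wanted_bits):
    """CertMatchKU: the cert passes if it asserts ANY of the listed bits."""
    if any(b not in KU_BITS for b in wanted_bits):
        raise ValueError("CertMatchKU bit index must be 0..8")
    return not wanted_bits or any(b in cert["ku"] for b in wanted_bits)


def match_eku(cert, wanted_oids):
    """CertMatchEKU: at least one listed OID must be in the cert's EKU."""
    return not wanted_oids or any(o in cert["eku"] for o in wanted_oids)


def select_certificate(profile, store):
    """Section 5 fall-through: KU/EKU filter the whole store first, then the
    selection keywords are tried in precedence order and the first cert that
    satisfies one wins (interpretation: a keyword matching nothing does not
    block the next). None means the client would fail the connection attempt."""
    ku = [int(b) for b in profile.get("CertMatchKU", "").split(",") if b]
    eku = [o for o in profile.get("CertMatchEKU", "").split(",") if o]
    candidates = [c for c in store if match_ku(c, ku) and match_eku(c, eku)]
    tests = [
        ("CertSerialHash", lambda c, v: c["serial_hash"] == v),
        ("CertMatchDN", lambda c, v: match_dn(c, parse_cert_match_dn(v))),
        ("CertSubjectName", lambda c, v: c["subject"].get("CN") == v),  # assumed
        ("CertName", lambda c, v: c["name"] == v),  # assumed: store display name
    ]
    for keyword, test in tests:
        value = profile.get(keyword)
        if value:
            for cert in candidates:
                if test(cert, value):
                    return cert
    return None


# Constructed sample store: two certs that differ only in Key Usage (the
# section 4 scenario) plus one issued by a different CA.
SAMPLE_STORE = [
    {"name": "alice-sign", "serial_hash": "A1", "ku": {8}, "eku": {EKU_CLIENT_AUTH},
     "subject": {"CN": "Alice", "EA": "alice@CISCO.com"}, "issuer": {"CN": "Corp CA", "OU": "VPN Group"}},
    {"name": "alice-nonrep", "serial_hash": "A2", "ku": {7}, "eku": {EKU_CLIENT_AUTH},
     "subject": {"CN": "Alice", "EA": "alice@CISCO.com"}, "issuer": {"CN": "Corp CA", "OU": "VPN Group"}},
    {"name": "bob-entrust", "serial_hash": "B1", "ku": {7}, "eku": {EKU_CLIENT_AUTH, EKU_SERVER_AUTH},
     "subject": {"CN": "Bob", "EA": "bob@cisco.com"}, "issuer": {"CN": "Entrust", "OU": "wonderland"}},
]

# The section 5 sample profile, as the client would read it from the .pcf.
SMARTCARD_PROFILE = {
    "AuthType": "3", "CertStore": "2", "CertMatchKU": "7",
    "CertMatchEKU": EKU_CLIENT_AUTH + "," + EKU_SERVER_AUTH,
    "CertMatchDN": 'issuer-ou*"vpn group",ea*"Cisco.com"',
}
```

Calling select_certificate(SMARTCARD_PROFILE, SAMPLE_STORE) returns the "alice-nonrep" entry: "alice-sign" is dropped by the KU filter because it asserts only Digital Signature (bit 8), and "bob-entrust" survives the KU/EKU filter but is never reached because the first candidate already satisfies CertMatchDN. Feeding the section 1 example DN with CN="Bob" returns None, since the ISSUER-CN!="Entrust" clause excludes the only Bob certificate, which is the point where the real client reports that the Certificate cannot be found.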