2 Replies Latest reply: Jan 6, 2018 10:39 AM by laboggis RSS

AnyConnect Trusted Network Detection using Certificate Hash


Client Environment:-

  • Cisco ISE v2.3
  • Cisco AnyConnect v4.5 client (ISE Posture, NAM and AnyConnect modules)
  • Windows 10 PC’s with Machine certs issued by an Internal Sub Certificate Authority
    • AnyConnect NAM configured for EAP-TLS Authentication using Machine cert
  • Cisco Switches with 802.1x enabled in high Security Mode (Closed Mode)
  • Cisco ASA 5585 VPN Appliance
  • SSL VPN connection

We currently use AnyConnect Client v4.5 with Cisco ASA for SSL VPN.  We have Always-On and Trusted Network Detection (TND) configured on AnyConnect client using Domain DNS name and certificate check (URL). So the Trusted Network Detection disconnects the VPN is it see DNS suffix “MyComapny.com” and it has the right certificate Hash for a defined IP host.


  1. i.e. htps://x.y.z.v:443    = Hash=fdsajahfjhfkjfajhfjhfk43949324


We have multiple TND https://  entries to provide for resilience, i.e., htps://


The question being if TND certificate hash fails on the first, does it drop down to the next on the list? Or is it a case of it only drops to the next one if the first is unavailable?


Thanks Khalid

  • 1. Re: AnyConnect Trusted Network Detection using Certificate Hash



    If the server itself is not reachable we will try the next server.   You wont be able to add the server with an invalid hash and if you are able to do that then there is an issue.   I assume you are asking if the hash changes and is now invalid?  We should go down the list as ordered although I can not find this documented so that I can link you to it at this moment.  If I come across it I will respond back.




    Best regards,




    AC & ATS TME




  • 2. Re: AnyConnect Trusted Network Detection using Certificate Hash

    What is the expected behavior when multple Trusted Servers are defined?   And what is the expected behavior if one or more of the defined servers is reachable, but has an invalid hash (changed since initially added).  As you mention, I don't see this documented anywhere.  Are we simply looking for a single Trusted Server that is both reachable and passes hash check?  So we go down the list until those conditions are met for one defined server in the list?   If you find this formally documented somewhere, please post the doc link.  Thanks!