topic Certificate based authentication fails to match tunnel group in Network Security https://community.cisco.com/t5/network-security/certificate-based-authentication-fails-to-match-tunnel-group/m-p/4658567#M1092194 <P>Hi</P><P>We're trying to use certificate based authentication for AnyConnect.</P><P>I was actually hoping that group-url&nbsp;<A href="https://vpn.xxx.com/poc" target="_blank">https://vpn.xxx.com/poc</A> enable would put the user in the correct Tunnel Group.<BR />But as seen in the logs attached. That only happens when I configure a Certificate Map. Whenever no Certificate Map is configured we just get the log&nbsp; "CRYPTO_PKI: No Tunnel Group Match for peer certificate." and "CERT_API: Unable to find tunnel group for cert using rules (SSL)<SPAN>"</SPAN></P><LI-CODE lang="markup">XXX-VPN01# sh run tunnel-group TG_XXX tunnel-group TG_XXX type remote-access tunnel-group TG_XXX general-attributes default-group-policy default dhcp-server x.x.x.x dhcp-server x.x.x.x username-from-certificate CN tunnel-group TG_XXX webvpn-attributes authentication certificate group-url https://vpn.xxx.com/poc enable</LI-CODE><P>The issue now is whenever I put webvpn -&gt; certificate-group-map CertificateMap TunnelGroup for the PoC Tunnel Group, all users get matched, even those using another link.</P><P>So the question is. How can I make sure that only users using the&nbsp;<A href="https://vpn.xxx.com/poc" target="_blank">https://vpn.xxx.com/poc</A>&nbsp;link are getting authenticated with the certificate? Preferably without Certificate Map.</P> Wed, 27 Jul 2022 13:16:27 GMT quadrabe 2022-07-27T13:16:27Z Certificate based authentication fails to match tunnel group https://community.cisco.com/t5/network-security/certificate-based-authentication-fails-to-match-tunnel-group/m-p/4658567#M1092194 <P>Hi</P><P>We're trying to use certificate based authentication for AnyConnect.</P><P>I was actually hoping that group-url&nbsp;<A href="https://vpn.xxx.com/poc" target="_blank">https://vpn.xxx.com/poc</A> enable would put the user in the correct Tunnel Group.<BR />But as seen in the logs attached. That only happens when I configure a Certificate Map. Whenever no Certificate Map is configured we just get the log&nbsp; "CRYPTO_PKI: No Tunnel Group Match for peer certificate." and "CERT_API: Unable to find tunnel group for cert using rules (SSL)<SPAN>"</SPAN></P><LI-CODE lang="markup">XXX-VPN01# sh run tunnel-group TG_XXX tunnel-group TG_XXX type remote-access tunnel-group TG_XXX general-attributes default-group-policy default dhcp-server x.x.x.x dhcp-server x.x.x.x username-from-certificate CN tunnel-group TG_XXX webvpn-attributes authentication certificate group-url https://vpn.xxx.com/poc enable</LI-CODE><P>The issue now is whenever I put webvpn -&gt; certificate-group-map CertificateMap TunnelGroup for the PoC Tunnel Group, all users get matched, even those using another link.</P><P>So the question is. How can I make sure that only users using the&nbsp;<A href="https://vpn.xxx.com/poc" target="_blank">https://vpn.xxx.com/poc</A>&nbsp;link are getting authenticated with the certificate? Preferably without Certificate Map.</P> Wed, 27 Jul 2022 13:16:27 GMT https://community.cisco.com/t5/network-security/certificate-based-authentication-fails-to-match-tunnel-group/m-p/4658567#M1092194 quadrabe 2022-07-27T13:16:27Z