Certificate based authentication fails to match tunnel group

quadrabe
Level 1

Hi

We're trying to use certificate based authentication for AnyConnect.

I was actually hoping that group-url https://vpn.xxx.com/poc enable would put the user in the correct Tunnel Group.
But as seen in the attached logs, that only happens when I configure a Certificate Map. Whenever no Certificate Map is configured, we just get the logs "CRYPTO_PKI: No Tunnel Group Match for peer certificate." and "CERT_API: Unable to find tunnel group for cert using rules (SSL)".

XXX-VPN01# sh run tunnel-group TG_XXX
tunnel-group TG_XXX type remote-access
tunnel-group TG_XXX general-attributes
 default-group-policy default
 dhcp-server x.x.x.x
 dhcp-server x.x.x.x
 username-from-certificate CN
tunnel-group TG_XXX webvpn-attributes
 authentication certificate
 group-url https://vpn.xxx.com/poc enable

The issue now is whenever I put webvpn -> certificate-group-map CertificateMap TunnelGroup for the PoC Tunnel Group, all users get matched, even those using another link.

So the question is: how can I make sure that only users using the https://vpn.xxx.com/poc link are authenticated with the certificate? Preferably without a Certificate Map.
