cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
74
Views
0
Helpful
0
Replies

Certificate based authentication fails to match tunnel group

quadrabe
Beginner
Beginner

Hi

We're trying to use certificate based authentication for AnyConnect.

I was actually hoping that group-url https://vpn.xxx.com/poc enable would put the user in the correct Tunnel Group.
But as seen in the logs attached. That only happens when I configure a Certificate Map. Whenever no Certificate Map is configured we just get the log  "CRYPTO_PKI: No Tunnel Group Match for peer certificate." and "CERT_API: Unable to find tunnel group for cert using rules (SSL)"

XXX-VPN01# sh run tunnel-group TG_XXX
tunnel-group TG_XXX type remote-access
tunnel-group TG_XXX general-attributes
 default-group-policy default
 dhcp-server x.x.x.x
 dhcp-server x.x.x.x
 username-from-certificate CN
tunnel-group TG_XXX webvpn-attributes
 authentication certificate
 group-url https://vpn.xxx.com/poc enable

The issue now is whenever I put webvpn -> certificate-group-map CertificateMap TunnelGroup for the PoC Tunnel Group, all users get matched, even those using another link.

So the question is. How can I make sure that only users using the https://vpn.xxx.com/poc link are getting authenticated with the certificate? Preferably without Certificate Map.

0 REPLIES 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: