Hi
We're trying to use certificate-based authentication for AnyConnect.
I was actually hoping that group-url https://vpn.xxx.com/poc enable would put the user in the correct Tunnel Group.
But as seen in the attached logs, that only happens when I configure a Certificate Map. Whenever no Certificate Map is configured, we just get the log messages "CRYPTO_PKI: No Tunnel Group Match for peer certificate." and "CERT_API: Unable to find tunnel group for cert using rules (SSL)".
XXX-VPN01# sh run tunnel-group TG_XXX
tunnel-group TG_XXX type remote-access
tunnel-group TG_XXX general-attributes
 default-group-policy default
 dhcp-server x.x.x.x
 dhcp-server x.x.x.x
 username-from-certificate CN
tunnel-group TG_XXX webvpn-attributes
 authentication certificate
 group-url https://vpn.xxx.com/poc enable
The issue now is that whenever I configure webvpn -> certificate-group-map CertificateMap TunnelGroup for the PoC Tunnel Group, all users get matched, even those using another link.
So the question is: how can I make sure that only users who use the https://vpn.xxx.com/poc link are authenticated with the certificate? Preferably without a Certificate Map.
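One way to keep the certificate map from catching every user, as an added example that is not the poster's configuration: give the map rule match criteria so it only fires for certificates from the PoC PKI, and bind only that rule to TG_XXX. The map name, issuer CN and subject OU values below are placeholders, not taken from the original post.

```cisco
! Certificate map that matches only certificates from the PoC PKI.
! POC-ISSUING-CA and POC-USERS are placeholder values; substitute the
! issuer CN and subject OU actually present in the PoC user certificates.
crypto ca certificate map POC_CERT_MAP 10
 issuer-name attr cn eq POC-ISSUING-CA
 subject-name attr ou eq POC-USERS
!
! Bind that single rule to the PoC connection profile for SSL/AnyConnect.
! Certificates that do not satisfy rule 10 are not mapped to TG_XXX and
! continue through the usual connection-profile selection instead.
webvpn
 certificate-group-map POC_CERT_MAP 10 TG_XXX
```

Check the result with "debug crypto ca" style logging as in the post: users presenting a non-PoC certificate should again log "No Tunnel Group Match for peer certificate" instead of landing in TG_XXX.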