Beginner

How to force VPN user to use specific Anyconnect profile

Hi all!

I have a few questions regarding anyconnect configuration in my environment.

 

I need to assign specific AnyConnect profiles to different users. I've created 2 test profiles on my firewall and I found that every user can select both of them to connect. How can I force a specific profile for each user?

Can I use "Certificate to Connection Profile Maps" to configure matching criteria for the specific user certificate? I've created one rule, configured the certificate fields that need to match, and mapped that rule to the specific AnyConnect profile. But it looks like the application only looks for a certificate in the user/computer store and makes the connection without checking the fields configured on the ASA. This setting works with the old Cisco VPN Client.

 

I'm using ASA 5500-X firewall with Freeradius server for authentication.

 

Thanks in advance!

7 REPLIES
Participant

Re: How to force VPN user to use specific Anyconnect profile

Hi,

 

For local users you can set the preferred group. For RADIUS, I need to research more :)

grp.jpg

Beginner

Re: How to force VPN user to use specific Anyconnect profile

You can use the certificate ... map, I did it too.

But you have to remove group-url and such things. Also you need a client profile where you set user/machine certificate, automatic cert selection and so on.

Not very easy, but it works.

(We have a 5525-X with 9.8.3.)

Participant

Re: How to force VPN user to use specific Anyconnect profile

Is there any possibility to get a small step-by-step guide for what you have done?

Beginner

Re: How to force VPN user to use specific Anyconnect profile

That's quite difficult, because we've got some other restrictions.

Maybe some screenshots:

client-profile #1

policy1.JPG

client-profile #2

policy2.JPG

Under the "Server List" tab, do not enter a group-url after the server name.

cert-map:

map.jpg

Under AnyConnect Connection Profiles (at the bottom):

Deactivate:

precedence.JPG

 

Maybe this helps; I cannot make screenshots of every point with AnyConnect.

Participant

Re: How to force VPN user to use specific Anyconnect profile

Hi,

 

Thanks for your effort on this :)

Beginner

Re: How to force VPN user to use specific Anyconnect profile

Thanks a lot for your help.

 

I've set my client and AnyConnect connection profiles as you recommended, but again without success.

I've tried a few scenarios:

1. Client authentication certificate imported in the Computer store on the PC / client profile on the ASA with "Certificate Store: Machine"
   I'm getting the message "No valid certificates available for authentication".

2. Server authentication certificate imported in the Computer store on the PC / client profile on the ASA with "Certificate Store: Machine"
   I'm getting the message "No valid certificates available for authentication".

3. Client authentication certificate imported in the User store on the PC / client profile on the ASA with "Certificate Store: User"
   Connection established.

But still I cannot filter certificates according to the certificate fields set in the Mapping Criteria on the ASA. Even when I have a certificate with a different CN imported in the user store on the client PC and a different CN value in the Mapping Criteria, the VPN connection is established without problem.

What am I doing wrong!?

Beginner

Re: How to force VPN user to use specific Anyconnect profile

@2: Your certificate needs "Extended Key Usage: Client Auth", and in the Profile Editor you can activate this check.

But again: to use a cert for an AnyConnect connection, the cert needs Key Usage: Client Auth.

And to use "Start Before Logon", the cert should be in the machine store.

cert-usage.JPG

Maybe have a look at "Advanced -> SSL Settings".

Or: does your ASA trust the CA?

I know it is a bit difficult.
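As an added example that is not from this thread or from Cisco documentation, here is the ASA CLI equivalent of the ASDM settings the screenshot reply and the EKU reply describe: two connection profiles with no group-url, certificate maps bound to them, the profile drop-down switched off, and a Client Auth EKU check. Commands are written for ASA 9.x as I know them; the profile and map names, OU values and sequence numbers are placeholders.

```text
! Added example (not the thread's own config). Placeholders: PROFILE-ENG,
! PROFILE-SALES, ENG-CERTS, SALES-CERTS, the OU values and sequence numbers.
!
! Connection profiles. Neither carries a group-url: a group-url lets the
! client pick the profile by URL instead of by certificate rule.
tunnel-group PROFILE-ENG type remote-access
tunnel-group PROFILE-ENG webvpn-attributes
 authentication certificate
 ! With a RADIUS server (FreeRADIUS in the original question) use
 ! "authentication aaa certificate" to require both credentials.
tunnel-group PROFILE-SALES type remote-access
tunnel-group PROFILE-SALES webvpn-attributes
 authentication certificate
!
! Certificate maps: the matching criteria. Each rule also requires the
! Client Auth EKU that the last reply says the certificate must carry.
crypto ca certificate map ENG-CERTS 10
 subject-name attr ou eq Engineering
 extended-key-usage co clientauth
crypto ca certificate map SALES-CERTS 10
 subject-name attr ou eq Sales
 extended-key-usage co clientauth
!
! Select the connection profile from the configured rules.
tunnel-group-map enable rules
!
webvpn
 ! Bind each map to its connection profile for AnyConnect SSL sessions.
 certificate-group-map ENG-CERTS 10 PROFILE-ENG
 certificate-group-map SALES-CERTS 10 PROFILE-SALES
 ! "tunnel-group-list enable" is what shows every profile in the client
 ! drop-down; leave it off so users cannot choose a profile themselves.
 no tunnel-group-list enable
```

A certificate whose OU matches neither map hits no rule and is not placed in either profile, which is the point of the mapping. Verify the result with a certificate that deliberately fails the criteria before rolling it out.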
