How to force VPN user to use specific Anyconnect profile

nikolag21 (Level 1)

Hi all!

I have a few questions regarding the AnyConnect configuration in my environment.

I need to assign specific AnyConnect profiles to different users. I've created 2 test profiles on my firewall and I found that every user can select both of them to connect. How do I force a specific profile for each user?

 

Can i use "Certificate to connection Profile Maps" to configure matching criteria for the specific user certificate? I've created one rule, configured certificate fields that needs to be match and mapped that rule to the specific anyconnect profile. But it looks like application only looks for a certificate in the user/computer store and makes connection without checking configured fields in ASA. This setting works with the old Cisco VPN Client.

 

I'm using ASA 5500-X firewall with Freeradius server for authentication.

 

Thanks in advance!

7 Replies

Hi,

For local users you can set the preferred group. For RADIUS, I need to research more :)

grp.jpg

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

gaigl (Level 3)

You can use the certificate ... map; I did it too.

But you have to remove group-url and such things. You also need a client profile where you set user/machine certificate, automatic cert selection and so on.

Not very easy, but it works.

(We've got a 5525-X with 9.8.3.)

Is there any possibility to get a short step-by-step guide for what you have done?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

That's quite difficult, because we've got some other restrictions.

Maybe some screenshots help:

client-profile #1

policy1.JPG

client-profile #2

policy2.JPG

Under the "Server List" tab, do not enter a group-url after the server name.

 

cert-map:

map.jpg

Under AnyConnect Connection Profiles (at the bottom), deactivate:

precedence.JPG

 

Maybe this helps; I cannot make screenshots of every point in AnyConnect.

Hi,

Thanks for your effort on this :)

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Thanks a lot for your help.

 

I've set my client and AnyConnect Connection profiles as you recommended, but again without success.

I've tried a few scenarios:

1. Client authentication certificate imported in the Computer store on the PC / client profile on the ASA with "Certificate Store: Machine"

    I'm getting the message "No valid certificates available for authentication".

2. Server authentication certificate imported in the Computer store on the PC / client profile on the ASA with "Certificate Store: Machine"

    I'm getting the message "No valid certificates available for authentication".

3. Client authentication certificate imported in the User store on the PC / client profile on the ASA with "Certificate Store: User"

    Connection established.

But I still cannot filter certificates according to the certificate fields set in the Mapping Criteria on the ASA. Even when I have a certificate with a different CN imported in the user store on the client PC and a different value for CN in the Mapping Criteria, the VPN connection is established without problem.

What am I doing wrong?!

@ 2.: your certificate needs "Extended Key Usage: Client Auth", and in the Profile Editor you can activate this check.

But again: to use a cert for an AnyConnect connection, the cert needs Key Usage: Client Auth.

And to use "Start Before Logon", the cert should be in the machine store.

cert-usage.JPG

 

Maybe have a look at "Advanced -> SSL Settings".

Or: does your ASA trust the CA?

I know it is a bit difficult.
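As an added example (not part of this thread or of any Cisco tooling), a shell pre-flight check for the two points raised in the replies above: the client certificate must carry the Client Authentication EKU, and its subject CN must equal what the ASA cert-map rule expects. It assumes openssl 1.1.1 or newer is installed; the certificates it inspects are generated locally as constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread: verify a client certificate meets the two
# conditions discussed above before troubleshooting the ASA side.
#   1. Extended Key Usage includes "TLS Web Client Authentication"
#      (a missing EKU is what yields "No valid certificates available for authentication").
#   2. Subject CN equals the value the ASA cert-map rule is expected to match.
# Assumes openssl 1.1.1+ (for -addext). Test certificates are constructed below.

# Usage: check_anyconnect_cert <cert.pem> <expected-cn>
# Prints every failing criterion; returns 0 only if both checks pass.
check_anyconnect_cert() {
    cert="$1"; want_cn="$2"; rc=0
    # The EKU names are printed on the line after the "Extended Key Usage" header.
    eku=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage' | tail -n1)
    # RFC2253 formatting prints "subject=CN=..." without spaces around '='.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "$cert: no clientAuth EKU (found: ${eku:-none})"; rc=1 ;;
    esac
    if [ "$cn" != "$want_cn" ]; then
        echo "$cert: CN '$cn' does not satisfy map criterion CN eq '$want_cn'"
        rc=1
    fi
    return $rc
}

# make_cert <file-prefix> <cn> <eku>: constructed self-signed test certificates.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "extendedKeyUsage=$3" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

WORK=$(mktemp -d)
make_cert "$WORK/good"   user1            clientAuth   # what AnyConnect and the map expect
make_cert "$WORK/server" vpn.example.test serverAuth   # scenario 2 in the thread: wrong EKU

check_anyconnect_cert "$WORK/good.pem" user1 && echo "good.pem: OK"
check_anyconnect_cert "$WORK/server.pem" user1 || echo "server.pem: rejected, as expected"
```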
