12-07-2018 08:19 AM - edited 02-21-2020 09:31 PM
Hi all!
I have a few questions regarding AnyConnect configuration in my environment.
I need to assign specific AnyConnect profiles to different users. I've created 2 test profiles on my firewall and I found that every user can select both of them to connect. How do I force a specific profile for each user?
Can I use "Certificate to Connection Profile Maps" to configure matching criteria for the specific user certificate? I've created one rule, configured the certificate fields that need to match and mapped that rule to the specific AnyConnect profile. But it looks like the application only looks for a certificate in the user/computer store and makes the connection without checking the configured fields on the ASA. This setting works with the old Cisco VPN Client.
I'm using an ASA 5500-X firewall with a FreeRADIUS server for authentication.
Thanks in advance!
12-11-2018 01:06 AM
Hi,
For local users you can set the preferred group. For RADIUS, I need to research more :)
12-11-2018 02:39 AM
You can use the certificate ... map, I did it too.
But you have to remove group-url and such things; also you need a client profile where you set user/machine certificate, automatic cert selection and so on.
Not very easy, but it works.
(We've a 5525-X with 9.8.3)
12-11-2018 03:00 AM
Is there any possibility to get a small step-by-step guide for what you have done?
12-11-2018 03:19 AM
That's quite difficult, because we've got some other restrictions.
Maybe some screenshots:
client-profile #1
client-profile #2
under tab "Server List" do not enter a group-url after the Servername
cert-map:
under AnyConnect Connection Profiles: (on the Bottom)
deactivate:
Maybe this helps; I cannot make screenshots of every point with AnyConnect.
12-11-2018 03:51 AM
Hi,
Thanks for your effort on this :)
12-11-2018 04:30 AM
Thanks a lot for your help.
I've set my client and AnyConnect Connection Profiles as you recommended, but again without success.
I've tried a few scenarios:
1. Client authentication certificate imported in Computer store on the PC / Client profile on ASA with "Certificate Store:Machine"
I'm getting message "No valid certificates available for authentication"
2. Server authentication certificate imported in Computer store on the PC / Client profile on ASA with "Certificate Store:Machine"
I'm getting message "No valid certificates available for authentication"
3. Client authentication certificate imported in User store on the PC / Client profile on ASA with "Certificate Store:User"
Connection established.
But still I cannot filter certificates according to the certificate fields set in the Mapping Criteria on the ASA. Even when I have a certificate with a different CN imported in the user store on the client PC and a different CN value in the Mapping Criteria, the VPN connection is established without problem.
What am I doing wrong!?
12-11-2018 05:28 AM
@2: your certificate needs "Extended Key Usage: Client Auth", and in the Profile Editor you can activate this check.
But again: to use a cert for an AnyConnect connection, the cert needs Key-Usage: Client Auth,
and to use "Start Before Logon" the cert should be in the machine store.
Maybe have a look at "Advanced -> SSL Settings".
Or: does your ASA trust the CA?
I know it is a bit difficult.
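The certificate-map setup the replies describe (map on certificate fields, connection profile without group-url, certificate required on the profile), written out as an ASA CLI example added here; it is not configuration posted by anyone in this thread. The map name, tunnel-group and group-policy names, the CN/O values and the RADIUS server-group name are placeholders I chose, and the CA trustpoint for the issuing CA is assumed to be configured already.

```cisco
! Certificate map: match fields of the presented client certificate.
! Values below are constructed placeholders; adjust to your own PKI.
crypto ca certificate map ENG-CERT-MAP 10
 subject-name attr cn eq "eng-user01"
 issuer-name attr o eq "Example Corp"

! Group policy for the AnyConnect (SSL) users landing in this profile.
group-policy ENG-POLICY internal
group-policy ENG-POLICY attributes
 vpn-tunnel-protocol ssl-client

! Connection profile reached only through the map: no group-url and
! no group-alias, so it never appears in the client's drop-down list.
! "authentication aaa certificate" = certificate AND RADIUS credentials;
! with plain "authentication aaa" the certificate fields are not checked.
tunnel-group ENG-VPN type remote-access
tunnel-group ENG-VPN general-attributes
 authentication-server-group FREERADIUS
 default-group-policy ENG-POLICY
tunnel-group ENG-VPN webvpn-attributes
 authentication aaa certificate

! Bind the map to the connection profile for AnyConnect/SSL sessions.
webvpn
 certificate-group-map ENG-CERT-MAP 10 ENG-VPN

! Check which profile a live session actually landed in
! (the "Tunnel Group" line in the output):
! show vpn-sessiondb anyconnect
```

A certificate that matches no map entry falls back to the default connection profile, so verify the session's tunnel group rather than only that the connection succeeded.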