
Mapping users to AnyConnect Connection Profiles based on certificate attributes

ROBERTO GIANA
Level 4

Hi

Is there a way to map users based on their certificate attributes to a specific "AnyConnect Connection Profile"? I tried to use the "Advanced/IPSec/Certificate to Connection Profile Maps". But whenever somebody connects, all attribute tests fail, no matter what attribute we check and no matter what field we use as username. Is it really supported on AnyConnect (as the mapping is configured in the IPSec part of the ASDM), or does AnyConnect only support the DefaultWebVPNGroup or whatever URL alias the user connects to?

1 Reply

Hi Roberto,

For this you could use a "certificate-map", as follows:

tunnel-group Financials type remote-access
tunnel-group IT type remote-access
!
crypto ca certificate map AnyConnect_Map 10
 subject-name co ou = financials
!
crypto ca certificate map AnyConnect_Map 20
 subject-name co ou = it
!
webvpn
 enable outside
 certificate-group-map AnyConnect_Map 10 Financials
 certificate-group-map AnyConnect_Map 20 IT
!

So in this case, I am looking at the OU attribute of each certificate.

Let me know if you have any questions.

Thanks.

Portu.

Please rate any helpful posts.
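
The following is an added example, not part of the original thread and not Cisco code: a small offline model of the reply's AnyConnect_Map that predicts which connection profile a certificate subject would land in, and shows that a "contains" test on a short string such as "it" also matches unrelated OUs. The function names, the first-match-by-sequence order, the case-insensitive comparison, the fallback to DefaultWebVPNGroup and the sample subjects are assumptions of this model.

```python
import re

# Rules modelled on the reply's AnyConnect_Map: (sequence, attribute, operator, value, profile).
RULES = [
    (10, "ou", "co", "financials", "Financials"),
    (20, "ou", "co", "it", "IT"),
]
DEFAULT_PROFILE = "DefaultWebVPNGroup"  # assumed fallback; profile named in the question

def parse_subject(dn):
    """Split an RFC 4514-style subject string into {attr: [values]} with lower-cased keys."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not backslash-escaped
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().lower(), []).append(value.strip().replace("\\,", ","))
    return attrs

def rule_matches(values, op, needle):
    """Assumed operator semantics: co = contains, eq = equals, both case-insensitive."""
    needle = needle.lower()
    if op == "co":
        return any(needle in v.lower() for v in values)
    if op == "eq":
        return any(needle == v.lower() for v in values)
    raise ValueError(f"unsupported operator: {op}")

def select_profile(dn, rules=RULES):
    """Return the profile of the lowest-sequence matching rule, else the default."""
    attrs = parse_subject(dn)
    for _seq, attr, op, value, profile in sorted(rules):
        if rule_matches(attrs.get(attr, []), op, value):
            return profile
    return DEFAULT_PROFILE

def strict(rules):
    """Same rules with every operator replaced by 'eq', for comparison."""
    return [(s, a, "eq", v, p) for s, a, _op, v, p in rules]

# Constructed sample subjects (not from the original thread).
SAMPLES = [
    "CN=alice,OU=Financials,O=Example",
    "CN=bob,OU=IT,O=Example",
    "CN=carol,OU=Audit,O=Example",  # "audit" contains "it"
    "CN=dave,OU=Sales,O=Example",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(f"{dn:36} co -> {select_profile(dn):20} eq -> {select_profile(dn, strict(RULES))}")
```

Running the same subjects through both operator sets before deploying a map shows which users would be placed in a profile they should not reach.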