08-06-2018 04:13 AM - edited 03-12-2019 05:28 AM
Hello,
At the moment we are using only one AnyConnect connection profile, but soon we need a second one.
I want to build a "Certificate to AnyConnect and Clientless SSL VPN Connection Profile Map", where the connection profile should be selected by a machine cert on the client. This can be achieved by a "Cert Map", no problem.
But how can I prevent a user on the client from manually changing the connection profile by appending the "wrong" group-url or alias?
One group has a cert with cn=client1.aaa.int and should only use connection-profile aaa; another group has a cert with cn=client1.bbb.int and should only use connection-profile bbb.
ASA has v9.8.2, AnyConnect 4.6.01103.
Any ideas?
08-06-2018 05:52 AM
How are your current tunnel-group and group-url set up? For your setup, I would think you only need one tunnel-group with a group-url configured, say vpn.domain.com. All the other tunnel-groups need not have a group-url configured on them. That way, the other users have no way to go to another group-url other than the main one.
09-17-2018 12:42 AM
Deleting the group-url and alias did the job; now I cannot change the connection profile manually.
Decisions are only made by the Cert Map.
Thanks a lot.
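
An added example, not part of the thread and not Cisco tooling: a Python check over a saved running-config that lists certificate-mapped connection profiles still carrying a group-alias or group-url, the two selectors removed in the thread. The config excerpt, the map name CERTMAP and the URL are constructed, and `entry_point` is a hypothetical parameter for exempting the one profile that is allowed to keep a group-url.

```python
import re

# Constructed running-config excerpt (not from the thread): profile "aaa" still
# has an alias and a group-url, profile "bbb" has had both removed.
SAMPLE_CONFIG = """\
crypto ca certificate map CERTMAP 10
 subject-name attr cn co aaa.int
crypto ca certificate map CERTMAP 20
 subject-name attr cn co bbb.int
webvpn
 certificate-group-map CERTMAP 10 aaa
 certificate-group-map CERTMAP 20 bbb
tunnel-group aaa webvpn-attributes
 authentication certificate
 group-alias aaa enable
 group-url https://vpn.example.com/aaa enable
tunnel-group bbb webvpn-attributes
 authentication certificate
"""

def audit(config, entry_point=None):
    """Return {profile: [selector lines]} for cert-mapped profiles that a
    user could still pick by hand through an alias or group-url."""
    mapped, selectors, current = set(), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line: remember which tunnel-group block we are in.
            m = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
            current = m.group(1) if m else None
            continue
        stripped = line.strip()
        m = re.match(r"certificate-group-map \S+ \d+ (\S+)$", stripped)
        if m:
            mapped.add(m.group(1))  # profile is chosen by a cert map rule
        elif current and re.match(r"group-(alias|url) .* enable$", stripped):
            selectors.setdefault(current, []).append(stripped)
    return {name: found for name, found in selectors.items()
            if name in mapped and name != entry_point}

if __name__ == "__main__":
    for profile, found in audit(SAMPLE_CONFIG).items():
        for selector in found:
            print(f"{profile}: still selectable via '{selector}'")
```
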