Question about Cert Maps

gaigl, Level 3

Hello,

At the moment we are using only one AnyConnect connection profile, but soon we need a second one.

I want to build a "Certificate to AnyConnect and Clientless SSL VPN Connection Profile Map", where the connection profile should be selected by a machine cert on the client. This can be achieved by a "Cert Map", no problem.

But how can I prevent a user on the client from manually changing the connection profile by appending the "wrong" group-url or alias?

One group has a cert with cn=client1.aaa.int and should only use connection profile aaa; another group has a cert with cn=client1.bbb.int and should only use connection profile bbb.

ASA has v9.8.2, AnyConnect 4.6.01103.

Any ideas?

Accepted Solution

Rahul Govindan, VIP Alumni

How is your current Tunnel-group and group-url setup? For your setup, I would think you only need one tunnel-group with a group-url configured, say vpn.domain.com. All the other tunnel-groups need not have a group-url configured on them. That way, the other users have no way to go to another group-url other than the main one. 


2 Replies

Deleting the group-url and alias did the job; now I cannot change the connection profile manually.

Decisions are only made by the cert map.

Thanks a lot.
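The configuration the accepted answer describes and the follow-up confirms (one connection profile carries the group-url, the per-site profiles carry neither group-url nor group-alias, and a certificate map picks the profile), written out as an added example for ASA 9.8. This is not configuration from the thread: the tunnel-group names aaa and bbb, the subject CNs and the URL vpn.domain.com come from the posts above, while the names LANDING, GP-AAA, GP-BBB, NOACCESS, AAA-MAP and BBB-MAP and the choice to deny access to anything the maps do not match are assumptions made here.

```cisco
! --- Certificate-to-connection-profile maps, keyed on the machine cert's subject CN ---
! (assumed map names; CNs as given in the question)
crypto ca certificate map AAA-MAP 10
 subject-name attr cn eq client1.aaa.int
crypto ca certificate map BBB-MAP 10
 subject-name attr cn eq client1.bbb.int

! --- Group policies (assumed names) ---
! NOACCESS is applied to the landing profile so a client whose certificate
! matches no map gets no session instead of a default policy.
group-policy GP-AAA internal
group-policy GP-BBB internal
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! --- The ONLY connection profile with a group-url (assumed name LANDING) ---
! Every client connects here; the certificate map then moves it to aaa or bbb.
tunnel-group LANDING type remote-access
tunnel-group LANDING general-attributes
 default-group-policy NOACCESS
tunnel-group LANDING webvpn-attributes
 authentication certificate
 group-url https://vpn.domain.com enable

! --- Per-site profiles: no group-url, no group-alias ---
! With nothing to type or pick, the map is the only way into these profiles.
tunnel-group aaa type remote-access
tunnel-group aaa general-attributes
 default-group-policy GP-AAA
tunnel-group aaa webvpn-attributes
 authentication certificate

tunnel-group bbb type remote-access
tunnel-group bbb general-attributes
 default-group-policy GP-BBB
tunnel-group bbb webvpn-attributes
 authentication certificate

! --- Bind the maps to the profiles ---
webvpn
 enable outside
 anyconnect enable
 certificate-group-map AAA-MAP 10 aaa
 certificate-group-map BBB-MAP 10 bbb
 ! Both lines below restate the defaults. If "tunnel-group-preference group-url"
 ! is present, a group-url match wins over the certificate map, which would
 ! reintroduce exactly the bypass the question asks about.
 no tunnel-group-preference group-url
 no tunnel-group-list enable
```

To check the result, look at `show running-config tunnel-group` (only LANDING should have a group-url, and no profile should have a group-alias), `show running-config webvpn` (the two certificate-group-map lines and no tunnel-group-preference group-url), `show crypto ca certificate map`, and after a test connection `show vpn-sessiondb anyconnect`, whose Tunnel Group field shows which profile the certificate actually landed the client in. For a fleet of machines (client1, client2, ... in each domain) the `eq` match would be replaced by a match on the domain part of the CN, for example `subject-name attr cn co .aaa.int`; `co` is a substring match, not a suffix match, so keep the matched string specific enough that a CN from the other domain cannot contain it.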
