Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1221
Views
0
Helpful
3
Replies

Anyconnect automatic conn profile selection based on certificate?

ivanbarkic
Level 1
Level 1

‎03-24-2014 10:15 AM - edited ‎02-21-2020 07:34 PM

Hi,

I am trying to accomplish next scenario:

a) ASA is configured as local CA and it issues certificates for Anyconnect VPN clients - OK

b) when VPN user install issued certificate in its Personal folder that certificate should be used for authentication

Now, the following is what I want to do:

1) when user goes to https://ip_add_ASA it should be automatically authenticated with certificate. It is not the problem even if pop up window appears asking to choose certificate, but it would be nice if that would go automatically

2) using cert -> tunnel group map it should be connected using THAT specific connection profile, and then anyconnect installation should start, together with downloading profile for that specific group-policy, which is connected to that specific tunnel-group.

 

I was able to do all of the above when I use DefaultWebVP group. So, is it possible to do it like this without enabling tunnel list under webvpn:

A) user has a cert and he goes to https://ip_add_ASA. ASA automatically search for cert in Personal container (since the ASA is issuer)

B) user is authenticated ONLY with that cert and automatically connected via SSL using tunnel-group defined in cert -> tunnel-group map

C) at the end anyconnect client is downloaded and installed, together with predefined profile, which user CANNOT change

 

Thanks

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-24-2014 11:03 AM

Are you locking the user(s) to the desired connection profile?

Configuration > Remote Access VPN > AAA/Local Users > Edit User > VPN Policy, then deselct "Inherit" on Connection Profile (Tunnel Group) Lock and choose the one you want to force them to use.

0 Helpful

ivanbarkic
Level 1
Level 1

‎03-24-2014 11:49 AM

I've managed to resolve this issue succesfully. Something was wrong with certificate mapping.

The strange thing now is when the VPN user disconnects SSL session in ASA's log I can see some strange IP address (not the one the user establishes the VPN connection):

This is log when establishing and the public IP is correct:

Mar 24 2014    19:41:41    722051                    Group <GP_TEST_ANYCONNECT> User <testuser> IP <85.114.X.Y> IPv4 Address <10.100.100.1> IPv6 address <::> assigned to session

And this is when disconnecting:

Mar 24 2014    19:42:20    113019                    Group = TG_TEST_ANYCONNECT, Username = testuser, IP = 172.198.136.160, Session disconnected. Session Type: SSL, Duration: 0h:00m:43s, Bytes xmt: 11506, Bytes rcv: 1096, Reason: User Requested

??

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ivanbarkic

‎03-24-2014 12:27 PM

Glad to hear it's working.

I have seen some other folks report having to remove and replace certificate mapping associations when setting that up.

0 Helpful
Customers Also Viewed These Support Documents