03-24-2014 10:15 AM - edited 02-21-2020 07:34 PM
Hi,
I am trying to accomplish the following scenario:
a) ASA is configured as local CA and it issues certificates for Anyconnect VPN clients - OK
b) when a VPN user installs the issued certificate in their Personal folder, that certificate should be used for authentication
Now, the following is what I want to do:
1) when the user goes to https://ip_add_ASA they should be automatically authenticated with the certificate. It is not a problem even if a pop-up window appears asking to choose a certificate, but it would be nice if that went automatically
2) using cert -> tunnel group map it should be connected using THAT specific connection profile, and then anyconnect installation should start, together with downloading profile for that specific group-policy, which is connected to that specific tunnel-group.
I was able to do all of the above when I use the DefaultWebVP group. So, is it possible to do it like this without enabling the tunnel list under webvpn:
A) user has a cert and goes to https://ip_add_ASA. ASA automatically searches for the cert in the Personal container (since the ASA is the issuer)
B) user is authenticated ONLY with that cert and automatically connected via SSL using tunnel-group defined in cert -> tunnel-group map
C) at the end anyconnect client is downloaded and installed, together with predefined profile, which user CANNOT change
Thanks
03-24-2014 11:03 AM
Are you locking the user(s) to the desired connection profile?
Configuration > Remote Access VPN > AAA/Local Users > Edit User > VPN Policy, then deselect "Inherit" on Connection Profile (Tunnel Group) Lock and choose the one you want to force them to use.
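The setup the original poster describes (certificate-only authentication, certificate-to-tunnel-group mapping without a tunnel-group list, automatic AnyConnect push with a preset profile) and the tunnel-group lock from the reply above, put together as an added ASA CLI example. This is not configuration from the thread; only the names TG_TEST_ANYCONNECT, GP_TEST_ANYCONNECT and testuser are taken from the log lines posted later in the thread. The certificate map name, the issuer CN, the subject OU, the address pool, the profile name and the client image file name are assumptions and must be replaced with your own values.

```text
! Local CA is assumed to be already enabled (crypto ca server ...), as in the
! original post; certificates issued by it carry the issuer CN configured there.
! Issuer CN and subject OU below are assumptions.
crypto ca certificate map CERTMAP_TEST_ANYCONNECT 10
 issuer-name attr cn eq asa-local-ca
 subject-name attr ou eq vpnusers
!
webvpn
 enable outside
 ! Client image and profile file names are assumptions
 anyconnect image disk0:/anyconnect-win-4.x-webdeploy-k9.pkg 1
 anyconnect profiles PROFILE_TEST_ANYCONNECT disk0:/profile_test.xml
 anyconnect enable
 ! Select the tunnel-group from the presented certificate; no
 ! "tunnel-group-list enable" is needed for this.
 certificate-group-map CERTMAP_TEST_ANYCONNECT 10 TG_TEST_ANYCONNECT
!
group-policy GP_TEST_ANYCONNECT internal
group-policy GP_TEST_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  ! Push the AnyConnect client without offering a choice
  anyconnect ask none default anyconnect
  ! Profile delivered with the client for this group-policy
  anyconnect profiles value PROFILE_TEST_ANYCONNECT type user
!
tunnel-group TG_TEST_ANYCONNECT type remote-access
tunnel-group TG_TEST_ANYCONNECT general-attributes
 default-group-policy GP_TEST_ANYCONNECT
 ! Pool name is an assumption
 address-pool POOL_TEST_ANYCONNECT
 ! Look the certificate-derived username up locally so that the
 ! per-user lock below is actually applied
 authorization-server-group LOCAL
tunnel-group TG_TEST_ANYCONNECT webvpn-attributes
 ! Certificate only, no username/password prompt
 authentication certificate
!
! CLI equivalent of the ASDM "Connection Profile (Tunnel Group) Lock"
username testuser attributes
 group-lock value TG_TEST_ANYCONNECT
```

With certificate-only authentication the username is taken from the certificate by default (the CN, unless `username-from-certificate` says otherwise), and `group-lock` under `username ... attributes` only takes effect when the ASA looks that user up, which is why the example adds `authorization-server-group LOCAL`. Whether the user can edit the delivered profile is governed by the `UserControllable` attributes inside the profile XML itself, not by the group-policy.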
03-24-2014 11:49 AM
I've managed to resolve this issue successfully. Something was wrong with the certificate mapping.
The strange thing now is that when the VPN user disconnects the SSL session, in the ASA's log I can see some strange IP address (not the one the user establishes the VPN connection from):
This is the log when establishing, and the public IP is correct:
Mar 24 2014 19:41:41 722051 Group <GP_TEST_ANYCONNECT> User <testuser> IP <85.114.X.Y> IPv4 Address <10.100.100.1> IPv6 address <::> assigned to session
And this is when disconnecting:
Mar 24 2014 19:42:20 113019 Group = TG_TEST_ANYCONNECT, Username = testuser, IP = 172.198.136.160, Session disconnected. Session Type: SSL, Duration: 0h:00m:43s, Bytes xmt: 11506, Bytes rcv: 1096, Reason: User Requested
??
03-24-2014 12:27 PM
Glad to hear it's working.
I have seen some other folks report having to remove and replace certificate mapping associations when setting that up.