I am trying to accomplish the following scenario:
a) The ASA is configured as a local CA and issues certificates for AnyConnect VPN clients - OK
b) when the VPN user installs the issued certificate in their Personal folder, that certificate should be used for authentication
Now, the following is what I want to do:
1) when the user goes to https://ip_add_ASA they should be automatically authenticated with the certificate. It is not a problem if a pop-up window appears asking them to choose a certificate, but it would be nice if that happened automatically
2) using the cert -> tunnel-group map, the user should be connected using THAT specific connection profile, and then the AnyConnect installation should start, together with downloading the profile for the specific group-policy that is tied to that tunnel-group.
I was able to do all of the above when I used the DefaultWebVPNGroup. So, is it possible to do it like this without enabling the tunnel list under webvpn:
A) the user has a cert and goes to https://ip_add_ASA. The ASA automatically searches for the cert in the Personal container (since the ASA is the issuer)
B) the user is authenticated ONLY with that cert and automatically connected via SSL using the tunnel-group defined in the cert -> tunnel-group map
C) at the end the AnyConnect client is downloaded and installed, together with a predefined profile, which the user CANNOT change
Are you locking the user(s) to the desired connection profile?
Configuration > Remote Access VPN > AAA/Local Users > Edit User > VPN Policy, then deselect "Inherit" on Connection Profile (Tunnel Group) Lock and choose the one you want to force them to use.
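An added CLI example of the configuration the question and the reply above describe (written for this page, not taken from the thread or from Cisco documentation): a certificate map that matches certificates issued by the ASA's local CA, that map tied to the connection profile with certificate-group-map, certificate-only authentication on the tunnel-group, the AnyConnect profile pushed from the group-policy, and the user locked to that tunnel-group, which is the CLI form of the ASDM setting in the reply. GP_TEST_ANYCONNECT, TG_TEST_ANYCONNECT and testuser are the names that appear in the log lines later in the thread; CERTMAP_TEST, TEST_PROFILE, the issuer CN asa-local-ca, the interface name outside and the file names on disk0: are assumptions.

```text
! The local CA is assumed to be already running (step a in the question) with
! issuer CN=asa-local-ca; the map below matches on that issuer, so adjust the
! value to whatever "show crypto ca server" reports on your box.
crypto ca certificate map CERTMAP_TEST 10
 issuer-name attr cn eq asa-local-ca
!
! Request a client certificate from the browser as soon as it connects to
! https://ip_add_ASA (interface name "outside" is assumed).
ssl certificate-authentication interface outside port 443
!
webvpn
 enable outside
 ! AnyConnect package and profile file names on flash are assumed.
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect profiles TEST_PROFILE disk0:/test_profile.xml
 anyconnect enable
 ! Deliberately NO "tunnel-group-list enable": the user never gets a
 ! drop-down; the certificate map alone selects the connection profile.
 certificate-group-map CERTMAP_TEST 10 TG_TEST_ANYCONNECT
!
group-policy GP_TEST_ANYCONNECT internal
group-policy GP_TEST_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  ! Profile pushed to the client from this group-policy (step C).
  anyconnect profiles value TEST_PROFILE type user
!
tunnel-group TG_TEST_ANYCONNECT type remote-access
tunnel-group TG_TEST_ANYCONNECT general-attributes
 default-group-policy GP_TEST_ANYCONNECT
tunnel-group TG_TEST_ANYCONNECT webvpn-attributes
 ! Certificate only, no username/password prompt (step B).
 authentication certificate
!
! CLI equivalent of ASDM "Connection Profile (Tunnel Group) Lock" from the reply.
! A session for testuser that lands in any other tunnel-group is refused.
username testuser attributes
 group-lock value TG_TEST_ANYCONNECT
```

After a test connection, check that the session really landed in the mapped profile with `show vpn-sessiondb anyconnect` (the Tunnel Group column) and that the map matched with `show running-config crypto ca certificate map`; if the session falls into DefaultWebVPNGroup instead, the issuer-name or subject-name attribute in the map does not match what is in the issued certificate. The lock can also be set once for everyone in the group-policy (`group-lock value` under `group-policy ... attributes`) instead of per user.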
I've managed to resolve this issue successfully. Something was wrong with the certificate mapping.
The strange thing now is that when the VPN user disconnects the SSL session, in the ASA's log I can see a strange IP address (not the one from which the user establishes the VPN connection):
This is the log when establishing, and the public IP is correct:
Mar 24 2014 19:41:41 722051 Group <GP_TEST_ANYCONNECT> User <testuser> IP <85.114.X.Y> IPv4 Address <10.100.100.1> IPv6 address <::> assigned to session
And this is when disconnecting:
Mar 24 2014 19:42:20 113019 Group = TG_TEST_ANYCONNECT, Username = testuser, IP = 188.8.131.52, Session disconnected. Session Type: SSL, Duration: 0h:00m:43s, Bytes xmt: 11506, Bytes rcv: 1096, Reason: User Requested
Glad to hear it's working.
I have seen some other folks report having to remove and replace certificate mapping associations when setting that up.