
Anyconnect automatic conn profile selection based on certificate?


I am trying to accomplish the following scenario:

a) the ASA is configured as a local CA and issues certificates for AnyConnect VPN clients - OK

b) when the VPN user installs the issued certificate in their Personal folder, that certificate should be used for authentication

Now, the following is what I want to do:

1) when the user goes to https://ip_add_ASA, they should be authenticated automatically with the certificate. It is not a problem even if a pop-up window appears asking to choose a certificate, but it would be nice if that happened automatically

2) using the cert -> tunnel-group map, it should connect using THAT specific connection profile, and then the AnyConnect installation should start, together with downloading the profile for that specific group-policy, which is connected to that specific tunnel-group.


I was able to do all of the above when I use the DefaultWebVP group. So, is it possible to do it like this without enabling the tunnel list under webvpn:

A) the user has a cert and goes to https://ip_add_ASA. The ASA automatically searches for the cert in the Personal container (since the ASA is the issuer)

B) the user is authenticated ONLY with that cert and automatically connected via SSL using the tunnel-group defined in the cert -> tunnel-group map

C) at the end the AnyConnect client is downloaded and installed, together with a predefined profile, which the user CANNOT change



Marvin Rhoads
Hall of Fame Guru

Are you locking the user(s) to the desired connection profile?

Configuration > Remote Access VPN > AAA/Local Users > Edit User > VPN Policy, then deselect "Inherit" on Connection Profile (Tunnel Group) Lock and choose the one you want to force them to use.
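For reference, this is an added ASA CLI example (not from either poster) of the pieces the thread is about: a certificate map that matches certs issued by the ASA's local CA, a certificate-group-map that selects the tunnel-group without enabling the tunnel-group list, a group-lock (applied here at group-policy level rather than per user as described above), and a pushed client profile. The tunnel-group and group-policy names are taken from the logs in this thread; the map name, the CA's CN, the OU value, the profile name and the package path are assumed placeholders.

```cisco
! Match client certs by issuer (the ASA's local CA) and an OU in the subject.
! "ASA-LOCAL-CA" and "TEST" are assumed values - adjust to your CA and cert template.
crypto ca certificate map CERT_MAP_TEST 10
 issuer-name attr cn eq ASA-LOCAL-CA
 subject-name attr ou eq TEST
!
webvpn
 enable outside
 ! Placeholder package name; use the AnyConnect image actually on flash.
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 ! Client profile XML uploaded to flash (assumed file name).
 anyconnect profiles PROFILE_TEST disk0:/profile_test.xml
 anyconnect enable
 ! Certificate-based tunnel-group selection; no "tunnel-group-list enable" needed,
 ! so the user never sees (or can choose from) a connection profile drop-down.
 certificate-group-map CERT_MAP_TEST 10 TG_TEST_ANYCONNECT
!
group-policy GP_TEST_ANYCONNECT internal
group-policy GP_TEST_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 ! Lock sessions of this policy to the one tunnel-group.
 group-lock value TG_TEST_ANYCONNECT
 webvpn
  ! Push the predefined profile to the client on connect.
  anyconnect profiles value PROFILE_TEST type user
!
tunnel-group TG_TEST_ANYCONNECT type remote-access
tunnel-group TG_TEST_ANYCONNECT general-attributes
 default-group-policy GP_TEST_ANYCONNECT
tunnel-group TG_TEST_ANYCONNECT webvpn-attributes
 ! Certificate-only authentication; no username/password prompt.
 authentication certificate
```

Verify the mapping with "show run crypto ca certificate map" and "show run webvpn", and confirm the session landed in the expected group with "show vpn-sessiondb anyconnect".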


I've managed to resolve this issue successfully. Something was wrong with certificate mapping.

The strange thing now is that when the VPN user disconnects the SSL session, in the ASA's log I can see some strange IP address (not the one the user establishes the VPN connection from):

This is the log when establishing, and the public IP is correct:

Mar 24 2014 19:41:41 722051 Group <GP_TEST_ANYCONNECT> User <testuser> IP <85.114.X.Y> IPv4 Address <> IPv6 address <::> assigned to session

And this is when disconnecting:

Mar 24 2014 19:42:20 113019 Group = TG_TEST_ANYCONNECT, Username = testuser, IP =, Session disconnected. Session Type: SSL, Duration: 0h:00m:43s, Bytes xmt: 11506, Bytes rcv: 1096, Reason: User Requested


Glad to hear it's working.

I have seen some other folks report having to remove and replace certificate mapping associations when setting that up.
