Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3465
Views
6
Helpful
19
Replies

Anyconnect cert map on FTD?

Go to solution
AdamKoch58333
Level 1
Level 1

‎06-04-2023 04:30 AM

Just configured cert map for Anyconnect connection profile autoselection, with no luck.

 

Configuration:

Cert map matches subject email field with value "scep@company.com" -- if this condition is true, it should pick profile 2

Otherwise if no match is found, it should default to profile 1.

 

So, when configured, the option to select a profile still exists for the user when they click connect.  This seemed unexpected to me.

Next I saw there was a checkbox in FMC to disable connection profile selection, so I did this and deployed, and the option to select went away, however I now only get login failures.  Neither the cert map to profile 2, nor the default to profile 1 logic was ever referenced in my testing, so I rolled back.

 

Seems like this feature doesn't work?  Anyone know what I might be doing wrong?  Cert auth works just fine with my profiles, I'm just trying to force users into certain ones based on certificate attributes.

Labels:
0 Helpful
19 Replies 19

Go to solution
tvotna
Spotlight
Spotlight
In response to AdamKoch58333

‎07-31-2023 12:03 PM

Tunnel-group-map CLI is only for IKEv1 and generic/native IKEv2 clients, meaning that it is not for AnyConnect SSL or AnyConnect IKEv2 VPN. I don't know if this is documented somewhere.

 

Go to solution
AdamKoch58333
Level 1
Level 1
In response to tvotna

‎07-31-2023 11:59 AM - edited ‎07-31-2023 12:00 PM

After some more research I think this post explains well enough what is happening.

 

I think I must configure "DefaultWebVPNGroup" the same as Company_RA_Policy_1 (AAA Only)

 - this will satisfy TestPC1 requirements

Then cert map I must configure for an attribute that is not email address

 - this should bypass a potential bug and map properly, which will satisfy TestPC2 requirements

I will work with my Cisco SE to get FTDv software so I can lab in GNS3.  This will solidify my understanding.

Thanks for your time!

Go to solution
MHM Cisco World
VIP
VIP
In response to AdamKoch58333

‎07-31-2023 12:09 PM

So this issue is solved or not? 

Please confirm 

Thanks 

MHM

0 Helpful

Go to solution
AdamKoch58333
Level 1
Level 1
In response to MHM Cisco World

‎07-31-2023 12:10 PM

Can't confirm until I test in lab environment, which could take time to set up.  This is good enough for me, though.  You can call it solved.  

Go to solution
MHM Cisco World
VIP
VIP
In response to AdamKoch58333

‎07-31-2023 12:53 PM

Good luck and update me.

Have a nice summer 

Thanks 

MHM

0 Helpful
Customers Also Viewed These Support Documents