Re: AnyConnect Certificate Authentication with Dynamic IP Pool Selection

hurricane05 · ‎07-22-2021

We are in the process of testing Cisco AnyConnect authentication using AD user certificates (haven't got machine certificate working just yet). Our goal with using certificates is to use the Always-On feature and therefor not having to have a user entering username/password. Our production AnyConnect VPN (username & password) process is setup using a Windows Network Policy Server (NPS) as our RADIUS for authentication. Within the NPS, we have policies setup to detect what AD group a user is assigned to and base on that will get an IP address from one of the different IP pools configured on the ASA.

Now with using Certificate authentication only, that apparently stops the process of checking the NPS to see what group a user is a member of in order to get assigned to the correct IP pool. Is there a way to accomplish still without having to create separate custom URL links for the different groups of users? Any examples will be greatly appreciated.

Goal - Use AD user certificate to authenticate to VPN and assign the user to the correct IP Pool based on AD group membership.

Thx in advance for any help given.

Rob Ingram · ‎07-22-2021

@hurricane05

When using certificate authentication on the ASA, the certificate is checked against only the ASA to determine if valid. There would be no authentication request being sent to the RADIUS server.

You can still send authorisation information to the RADIUS server, which can be used to return the IP pool accordingly.

hurricane05 · ‎07-24-2021

Thx for the response. Do you have any specific examples available you can provide so I can see how to accomplish that?