
[Anyconnect] Certificate map error

vtribut01
Community Member

Hi all,


I am configuring a VPN based on Anyconnect and I would like to use a certificate-map to split internal and external users into two tunnel groups.

The objective is to redirect internal users (with a certificate signed by a specific CA) to the tunnel-group CP_internal, and all other users to the default tunnel-group.


Here is the current configuration:

crypto ca certificate map CM_internal 10
 issuer-name attr cn eq MyCompanyCA
crypto ca certificate map CM_default 20

webvpn
 certificate-group-map CM_internal 10 CP_internal
 certificate-group-map CM_default 20 DefaultVPNGroup

tunnel-group CP_internal general-attributes
 authorization-required
tunnel-group CP_internal webvpn-attributes
 authentication certificate

tunnel-group DefaultVPNGroup general-attributes
 authorization-required
tunnel-group DefaultVPNGroup webvpn-attributes
 authentication certificate

When I try to connect with any device I get the message “Certificate Validation Failure”, but if I remove the “authorization-required” and “authentication certificate” commands from the DefaultVPNGroup, then I am always redirected to DefaultVPNGroup.


Here is some additional information to help with troubleshooting:

  • The authentication is not based on certificates, in order to allow external users to connect.
  • I added a Trustpoint for the internal CA.
  • The “debug crypto ca” and “debug aaa” outputs are very quiet or not relevant.
  • The “debug webvpn” command indicates that the certificate map is taken into account: “Certificate mapping found for webvpn group CP_internal”. I get the same message after removing the “authorization-required” and “authentication certificate” commands everywhere.
  • I am asked to choose a personal certificate when trying to connect.


I was wondering if the feature can work when the authentication itself is not based on certificates but it seems that the certificate is correctly collected according to the logs.

Any thoughts?


Thanks a lot.

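As an added example (not from the post and not Cisco code), the Python model below parses the `crypto ca certificate map` and `certificate-group-map` lines from a configuration like the one above and reports which connection profile a given certificate's issuer/subject attributes would select, which is a quick way to check that a catch-all map is not listed ahead of the specific one. It assumes the group maps are evaluated in the order listed, that every rule in a map must match, and that a map with no rules (like CM_default) matches every certificate; `SAMPLE_CONFIG` and the certificate dictionaries are constructed test data.

```python
import re

# Constructed sample modelled on the post's configuration (not an ASA export).
SAMPLE_CONFIG = """
crypto ca certificate map CM_internal 10
 issuer-name attr cn eq MyCompanyCA
crypto ca certificate map CM_default 20
webvpn
 certificate-group-map CM_internal 10 CP_internal
 certificate-group-map CM_default 20 DefaultVPNGroup
"""
MAP_HDR = re.compile(r"^crypto ca certificate map (\S+) (\d+)$")
MAP_RULE = re.compile(r"^(issuer|subject)-name attr (\S+) (eq|ne|co|nc) (.+)$")
GROUP_MAP = re.compile(r"^certificate-group-map (\S+) (\d+) (\S+)$")

def parse_config(text):
    """maps[(name, seq)] -> [(field, attr, op, value)]; group_maps in listed order."""
    maps, group_maps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MAP_HDR.match(line):
            current = (m.group(1), int(m.group(2)))
            maps.setdefault(current, [])  # a map may carry no rules at all
        elif m := GROUP_MAP.match(line):
            group_maps.append((m.group(1), int(m.group(2)), m.group(3)))
        elif (m := MAP_RULE.match(line)) and current is not None:
            maps[current].append(m.groups())  # (field, attr, op, value)
        elif line and not raw.startswith(" "):
            current = None  # left the map block (e.g. the "webvpn" line)
    return maps, group_maps

def rule_matches(rule, cert):
    """cert = {'issuer': {'cn': ...}, 'subject': {...}}; exact compare (a simplification)."""
    field, attr, op, value = rule
    actual = cert.get(field, {}).get(attr, "")
    if op == "eq":
        return actual == value
    if op == "ne":
        return actual != value
    return (value in actual) if op == "co" else (value not in actual)

def select_tunnel_group(config_text, cert):
    """First group map whose rules all match wins, so a rule-less map catches everything."""
    maps, group_maps = parse_config(config_text)
    for name, seq, group in group_maps:
        if all(rule_matches(r, cert) for r in maps.get((name, seq), [])):
            return group
    return None  # no map matched
```

Swapping the two `certificate-group-map` lines makes every certificate land in DefaultVPNGroup, which is the symptom to look for when the specific profile is never chosen.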