AnyConnect client gets wrong Group Policy

tiwang
Level 3

hi out there

I have a "funny" problem. We have an ASA AnyConnect VPN hub supporting many users, and different types of users. For each type of user we have different Connection Profiles and corresponding Group Policies. They are all certificate authenticated. But I have a small problem, because users from one Connection Profile, which in fact is assigned a corresponding Group Policy, get the wrong Group Policy assigned. Since they are almost identical and the only difference is the certificate issuer, no one has noticed it, but the issue is that, due to the wrong Group Policy, they get the wrong AnyConnect profile pushed from the VPN hub. And again, since these are ALSO maintained through device management tools, no one noticed this before I suddenly looked closely at the monitoring, where I noticed that of around 900 online users, those with another tunnel-group were assigned the wrong Group Policy and thereby got an XML file pushed that was wrong for them.
I have a certificate map for some of the tunnel-groups, but not for the one which gets the wrong Group Policy assigned.
The Group URL takes precedence if the Group URL and Certificate Map match different connection profiles, but it doesn't look to me as if this is the problem. Does anyone have suggestions?

3 Replies

https://integratingit.wordpress.com/2023/07/14/ftd-anyconnect-certificate-map/

Use a certificate map to assign the correct policy for each certificate.

MHM

tvotna
Spotlight

As of ASA 8.4.2, certificate maps take precedence over group-url: "tunnel-group-preference group-url" is OFF by default.

Secondly, if none of the certificate maps match, "group-url" is used for binding as a fallback method. This is not documented. Probably you hit this scenario.

That's great info. I've been looking for whether the cert-map could fall back to group-url but couldn't find it documented.
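As an added worked example (not configuration from the original thread or from Cisco), the ASA fragment below applies MHM's suggestion together with the precedence rules tvotna describes: one issuer-based certificate map per user population, each bound to its own connection profile, so no population is left to the undocumented group-url fallback. Map names, tunnel-group and group-policy names, issuer CNs, profile file names and URLs are all assumed for illustration.

```cisco
! Added example, not from the thread. All names, issuer CNs, file names
! and URLs below are assumed for illustration.

! One certificate map per issuing CA. Matching on the issuer CN means
! every user certificate matches exactly one map, so nothing is left to
! the group-url fallback that applies when no map matches.
crypto ca certificate map MAP-EMPLOYEES 10
 issuer-name attr cn eq Corp-Employee-CA
crypto ca certificate map MAP-CONTRACTORS 10
 issuer-name attr cn eq Corp-Contractor-CA

! Global WebVPN settings. AnyConnect image configuration omitted.
! Each map is bound to its own tunnel-group. With the default setting
! (no "tunnel-group-preference group-url", shown explicitly here) a
! certificate-map match wins over the URL the client connected to.
webvpn
 enable outside
 anyconnect profiles employees-profile disk0:/employees.xml
 anyconnect profiles contractors-profile disk0:/contractors.xml
 anyconnect enable
 certificate-group-map MAP-EMPLOYEES 10 TG-EMPLOYEES
 certificate-group-map MAP-CONTRACTORS 10 TG-CONTRACTORS
 no tunnel-group-preference group-url

! Group policies: each pushes its own AnyConnect client profile, which
! is what the wrong binding in the thread silently broke.
group-policy GP-EMPLOYEES internal
group-policy GP-EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value employees-profile type user
group-policy GP-CONTRACTORS internal
group-policy GP-CONTRACTORS attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value contractors-profile type user

! Connection profiles (tunnel-groups): certificate-only authentication,
! each with its own default group policy and group-url.
tunnel-group TG-EMPLOYEES type remote-access
tunnel-group TG-EMPLOYEES general-attributes
 default-group-policy GP-EMPLOYEES
tunnel-group TG-EMPLOYEES webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/employees enable
tunnel-group TG-CONTRACTORS type remote-access
tunnel-group TG-CONTRACTORS general-attributes
 default-group-policy GP-CONTRACTORS
tunnel-group TG-CONTRACTORS webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/contractors enable

! Verification: confirm the maps and bindings are in place, then check
! that every session under a tunnel-group shows that tunnel-group's own
! group policy rather than another profile's.
show running-config crypto ca certificate map
show running-config webvpn
show vpn-sessiondb anyconnect filter tunnel-group TG-CONTRACTORS
```

In the `show vpn-sessiondb anyconnect` output, compare the "Tunnel Group" and "Group Policy" fields of each session; a session under TG-CONTRACTORS that reports GP-EMPLOYEES is the symptom described in the original post. If `tunnel-group-preference group-url` is enabled, the precedence inverts and the URL the client used wins over the certificate map, so check that setting before assuming the map itself is wrong.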