Anyconnect connection profile

rajmohan30
Level 1

Hi Team,

I have a couple of questions and am finding it challenging to get the answers. Would you please clarify the items below?

1) Under the tunnel-group config, we have the group-url configured along with the group-alias. This means that when the user connects to the VPN with that URL, the connection profile is automatically assigned to that user, as far as I understood.

I also see that certificate mapping to the connection profile is configured for the same. I don't know which one takes precedence here, group-url or certificate map, and I'm not sure how to check whether the certificate mapping is used (is there any show command to check?) or is simply sitting idle in the config.

2) We are using a cert-only auth method with a digital cert; the username is extracted from the cert and checked against the LDAP server for authorization. Can you please explain the purpose of authz here? Is it an additional security check, and does it have any impact on the connection in case authz fails?

1 Accepted Solution

Hi,

Thanks for the confirmation. It seems that by default the connection profile from the cert map takes precedence, but there is an option to make the group-url take precedence (the checkbox is disabled by default). Thanks all for your feedback/comments.

4 Replies

Hi @rajmohan30

When the user first attempts to connect to the ASA, they will connect to the tunnel-group/connection profile specified in the AnyConnect profile or entered manually. When the ASA processes the connection, if a certificate map exists and is matched, then this takes precedence.

Authorization can be used to push down additional attributes to the connected user, e.g. ACL, DHCP pool per AD group, etc. If you fail AuthZ then you don't get connected.

HTH
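To make the two points in the reply above concrete, here is an added ASA configuration sketch. It is not from this thread, the original poster's device, or Cisco documentation; the certificate map name (CORP-CA-MAP), connection profile name (CORP-CERT-PROFILE), LDAP server group (LDAP-SRV), issuer CN and hostname are all assumed values. It shows a certificate map bound to a connection profile (the part that wins over group-url/group-alias by default), the webvpn-mode keyword that corresponds to the "prefer group-url" checkbox the accepted answer mentions (left commented out, as it is disabled by default), and a certificate-only profile where LDAP is used for authorization only, with the session refused if the lookup fails.

```text
! Added example, not from this thread. All names below are assumed.
!
! 1) Certificate map: match client certificates by issuer CN.
crypto ca certificate map CORP-CA-MAP 10
 issuer-name attr cn eq corp-issuing-ca
!
! Bind the map to a connection profile for SSL/AnyConnect sessions.
! When a certificate matches this map, the mapped profile is used
! even if the client arrived via a different group-url or alias.
webvpn
 enable outside
 certificate-group-map CORP-CA-MAP 10 CORP-CERT-PROFILE
! The ASDM checkbox from the accepted answer (disabled by default).
! Uncomment to let a matching group-url win over the certificate map:
! tunnel-group-preference group-url
!
! 2) Certificate-only profile: no password prompt, username taken from
!    the certificate CN, LDAP queried for authorization only.
tunnel-group CORP-CERT-PROFILE type remote-access
tunnel-group CORP-CERT-PROFILE general-attributes
 authorization-server-group LDAP-SRV
! With authorization-required, a failed LDAP lookup ends the session
! instead of letting the user in with the default group-policy.
 authorization-required
 username-from-certificate CN
tunnel-group CORP-CERT-PROFILE webvpn-attributes
 authentication certificate
 group-alias corp enable
 group-url https://vpn.example.com/corp enable
!
! Verifying which profile a live session actually landed in: the
! "Tunnel Group" field of this output reflects the cert-map result.
! show vpn-sessiondb detail anyconnect
```

The check at the end is the practical answer to "is the certificate map being used": connect with a client certificate via a group-url that belongs to a different profile, then confirm that the Tunnel Group shown for the session is the one the certificate map points to.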

Hi,

Thanks for the response. Is there any show command to check whether the certificate map to connection profile has had any hits?

webvpn 
cert.group "depend on issuer" webvpn
tunnel-group webvpn
group-alias

As I understand it, the cert determines the tunnel-group,
i.e. it happens before the alias.
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc16
