anyconnect machine cert only auth with ldap authz

VLAN-0
Level 1

Hello,

I am having issues finding documentation matching a scenario I am trying to test with Secure Client AnyConnect.

FMC + FTD 7.4 / secure client 5

 

Is it possible to make the following configuration work:

 > Authentication > Certificate Only (machine certificate, configured in xml client profile)

 > Authentication to Map Username (computer CN) from Client Certificate

 > Authorization using LDAP (AD)

 > Authorization LDAP Map | ldap attribute=memberOf  /  Cisco Attribute Name = group-policy

 > memberOf = DN of active directory group containing the computer (computer name =  cert CN)

 > group-policy = GP-123

 

The group policy on the tunnel group is "GP-ABC" and I want users in the AD group to be assigned "GP-123" as per the LDAP attribute map.

As it stands, my machine can connect but the group policy does not change and the machine uses "GP-ABC", which is the one configured on the tunnel group (not the one I want to assign based on group membership).

 

I can confirm LDAP connectivity to AD is working and I have synced the AD groups I would like to use.

I hope I've explained this clearly. If anyone can offer any insight, that would be great.

 

Thanks

1 Reply

VLAN-0
Level 1

In case anyone else stumbles upon this post:

In my testing, using machine certificate + certificate only authentication with Computer memberOf the AD Group, it did not work.

When I changed the setup to user certificate + certificate only authentication, with User memberOf the AD Group, it worked.
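As an added example (not from the thread or from Cisco), here is a small offline model of how a memberOf to group-policy LDAP attribute map decides the result, run over constructed AD data: if the username taken from the certificate CN does not resolve to any LDAP object, or none of its memberOf values match a map entry, authorization quietly falls back to the tunnel group's policy. It illustrates one check worth making for the machine-certificate case, since AD stores computer accounts with a trailing "$" in sAMAccountName; whether that is the cause in the thread is an assumption, as are the group DNs and the sAMAccountName naming attribute.

```python
from typing import Optional, Tuple

# Constructed stand-in for the AD directory, keyed by sAMAccountName. The
# entries and group DNs are invented sample data. Computer objects in AD
# carry a trailing "$" in sAMAccountName, so a machine cert with CN=PC01
# corresponds to the account "PC01$" (assumption: lookup is by sAMAccountName).
SAMPLE_AD = {
    "PC01$": {"objectClass": ["computer"],
              "memberOf": ["CN=VPN-Machines,OU=Groups,DC=example,DC=com"]},
    "alice": {"objectClass": ["user"],
              "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com",
                           "CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
}

# LDAP attribute map: memberOf value (group DN) -> group-policy name.
# Group DNs are assumptions; GP-123 / GP-ABC are the names from the post.
ATTRIBUTE_MAP = {
    "CN=VPN-Machines,OU=Groups,DC=example,DC=com": "GP-123",
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": "GP-123",
}
TUNNEL_GROUP_DEFAULT = "GP-ABC"   # policy inherited from the tunnel group


def lookup_account(directory: dict, username: str) -> Optional[dict]:
    """Authorization lookup by the username mapped from the certificate CN."""
    return directory.get(username)


def resolve_group_policy(directory: dict, username: str) -> Tuple[str, str]:
    """Return (group_policy, reason). Mirrors attribute-map behaviour: with no
    LDAP object, or no memberOf DN present in the map, the tunnel group's own
    policy applies. DN comparison is case-insensitive, as DNs are."""
    entry = lookup_account(directory, username)
    if entry is None:
        return TUNNEL_GROUP_DEFAULT, "no LDAP object for username"
    normalized = {dn.lower(): gp for dn, gp in ATTRIBUTE_MAP.items()}
    for dn in entry.get("memberOf", []):
        if dn.lower() in normalized:
            return normalized[dn.lower()], f"matched {dn}"
    return TUNNEL_GROUP_DEFAULT, "no memberOf value in attribute map"


if __name__ == "__main__":
    # "PC01" (bare CN) finds nothing and falls back; "PC01$" and "alice" map.
    for name in ("PC01", "PC01$", "alice"):
        print(name, "->", resolve_group_policy(SAMPLE_AD, name))
```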