AnyConnect tunnel-groups not showing up in all ACclient dropdowns

treimers1
Level 1

Hi everyone -

I'm having a problem with an AnyConnect configuration.

Summary of the problem:

One client PC can see both tunnel-groups (profiles) that are available from the ASA, and the other PC cannot. The PC that cannot see all profiles has had the AC client un/reinstalled, to see if an update occurs. Configuration on the ASA appears to be identical for both tunnel-groups.

Details:

I have AnyConnect Essentials and Mobility licensed (demo) on a 5505, running 8.2 code. Clients are using AC 3.1 (and have had this same problem with 2.4, 2.5). I'm not doing any browser based VPN access - using only manually installed AnyConnect clients.

I have two tunnel-groups and tunnel-group policies configured. Tunnel-group 1 uses AD authentication; tunnel-group 2 uses certificate authentication.

I have two test clients - both Windows 7.

On one Win7 machine, which is NOT joined to the domain, when I 'select' the VPN server, the PC connects to the VPN server and then the next screen shows me the profile that uses AD authentication, and pre-populates the username. Enter a valid AD password, and the VPN launches successfully.

On that same Win7 machine, the dropdown for the VPN profile to be used shows the certificate profile, and there are no boxes to enter anything into. Choose connect, and the tunnel establishes. (I created a User certificate, and imported the RootCA and intermediate CA certificates from my Microsoft CA at work.)

So here's the problem -

The second PC, which is a Windows 7 client, does _not_ show that certificate VPN profile. Ever. It's joined to the domain, so I expect that if I can ever get it to see the profile for certificate authentication, it will just flat out work. No manual import of certificates needed.

So why does one PC "learn" about the new certificate based profile, and the other PC not learn about the profiles?

When the first PC had AnyConnect installed, there was only the AD profile on the ASA, and the AC client only saw that one. The minute I added the cert profile, the one PC "learned" that profile. The second PC did not.

Logged in user is an Administrator on both computers, btw - so I don't think it's local-rights based.

I guess I don't understand what the mechanism is that provides/updates the AnyConnect client on a remote PC with information about what tunnel-groups/profiles are available on the ASA it's connecting to?

Here are some snippets to show you how I've got this configured. If you need other lines, just ask. Obviously, names/addresses changed to protect the not-so-innocent ;-)

webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-win-3.0.5080-k9.pkg 2
 svc enable
 tunnel-group-list enable
!
group-policy MyTest-sslvpn-gp internal
group-policy MyTest-sslvpn-gp attributes
 dns-server value 192.168.0.20 192.168.0.6
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MyTest-sslvpn-nonat
 default-domain value oursite.local
!
group-policy MyTestsslcert-gp internal
group-policy MyTestsslcert-gp attributes
 dns-server value 192.168.0.20 192.168.0.6
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MyTest-sslvpn-nonat
 default-domain value oursite.local
 address-pools value MyTest-SSLVPN198
!
group-policy MyTest-SSLVPN internal
group-policy MyTest-SSLVPN attributes
 vpn-tunnel-protocol svc
 webvpn
  svc keep-installer installed
!
tunnel-group mytest-SSLVPN type remote-access
tunnel-group mytest-SSLVPN general-attributes
 address-pool mytest-SSLVPN198
 authentication-server-group mytest-Radius LOCAL
 default-group-policy mytest-sslvpn-gp
tunnel-group mytest-SSLVPN webvpn-attributes
 radius-reject-message
 group-alias mytestsslvpn enable
 group-url https://a.b.c.d/mytestsslvpn enable
!
tunnel-group mytestsslcert type remote-access
tunnel-group mytestsslcert general-attributes
 default-group-policy mytestsslcert-gp
 username-from-certificate use-entire-name
tunnel-group mytestsslcert webvpn-attributes
 authentication certificate
 radius-reject-message
 group-alias mytestsslcert enable
 group-url https://a.b.c.d/mytestsslcert enable
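The snippet above is the kind of configuration that decides what the AnyConnect client is offered: on the ASA, a tunnel-group appears in the client's group dropdown only when `tunnel-group-list enable` is set under `webvpn` and the tunnel-group has a `group-alias ... enable`. As an added example (not the poster's code, and nothing from Cisco), here is a small Python parser for that snippet format. It extracts group-policies, tunnel-groups, their aliases, URLs and authentication method, and flags any `default-group-policy` that does not resolve to a defined group-policy. It assumes exact, case-sensitive name matching, and the sample config it runs on is constructed for the example rather than taken from the post.

```python
"""Added example (not from the post): parse an ASA webvpn/tunnel-group snippet
and report which tunnel-groups a client would be offered in its group dropdown.
Assumption: names are matched exactly (case-sensitive)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TunnelGroup:
    name: str
    default_group_policy: Optional[str] = None
    auth: str = "aaa"            # ASA default when no 'authentication' line is present
    aliases: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def parse_asa_vpn_config(text: str) -> Tuple[Set[str], Dict[str, TunnelGroup], bool]:
    """Return (defined group-policy names, tunnel-groups by name, tunnel-group-list enabled)."""
    policies: Set[str] = set()
    groups: Dict[str, TunnelGroup] = {}
    listing_enabled = False
    current: Optional[TunnelGroup] = None    # tunnel-group whose attribute block we are in
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "webvpn":                 # top-level webvpn block, not a tunnel-group
            current = None
            continue
        if line == "tunnel-group-list enable":
            listing_enabled = True
            continue
        if (m := re.match(r"group-policy (\S+) (internal|external|attributes)\b", line)):
            if m.group(2) != "attributes":
                policies.add(m.group(1))     # 'internal'/'external' is the definition
            current = None
            continue
        if (m := re.match(r"tunnel-group (\S+) type \S+", line)):
            groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            current = None
            continue
        if (m := re.match(r"tunnel-group (\S+) (general-attributes|webvpn-attributes)$", line)):
            current = groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            continue
        if current is None:
            continue                         # sub-command of a block we do not track
        if (m := re.match(r"default-group-policy (\S+)$", line)):
            current.default_group_policy = m.group(1)
        elif (m := re.match(r"authentication (.+)$", line)):   # e.g. 'authentication certificate'
            current.auth = m.group(1)
        elif (m := re.match(r"group-alias (\S+) enable$", line)):
            current.aliases.append(m.group(1))
        elif (m := re.match(r"group-url (\S+) enable$", line)):
            current.urls.append(m.group(1))
    return policies, groups, listing_enabled


def dropdown_report(text: str) -> Dict[str, dict]:
    """Per tunnel-group: listed in the client dropdown?, auth method, policy reference resolved?"""
    policies, groups, listing_enabled = parse_asa_vpn_config(text)
    return {
        name: {
            "in_dropdown": listing_enabled and bool(tg.aliases),
            "aliases": tg.aliases,
            "urls": tg.urls,
            "auth": tg.auth,
            "policy": tg.default_group_policy,
            "policy_defined": tg.default_group_policy in policies,
        }
        for name, tg in groups.items()
    }


def unresolved_policies(text: str) -> List[str]:
    """Tunnel-groups whose default-group-policy is not defined in the snippet (exact match)."""
    return sorted(n for n, r in dropdown_report(text).items() if not r["policy_defined"])


# Constructed sample, modelled on the post's snippet but not copied from it.
# 'Cert-gp' vs 'cert-gp' is a deliberate mismatch flagged under the exact-match assumption.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 svc enable
 tunnel-group-list enable
group-policy ad-gp internal
group-policy cert-gp internal
tunnel-group vpn-ad type remote-access
tunnel-group vpn-ad general-attributes
 authentication-server-group example-radius LOCAL
 default-group-policy ad-gp
tunnel-group vpn-ad webvpn-attributes
 group-alias vpn-ad enable
tunnel-group vpn-cert type remote-access
tunnel-group vpn-cert general-attributes
 default-group-policy Cert-gp
tunnel-group vpn-cert webvpn-attributes
 authentication certificate
 group-alias vpn-cert enable
 group-url https://vpn.example.invalid/vpn-cert enable
tunnel-group vpn-hidden type remote-access
tunnel-group vpn-hidden general-attributes
 default-group-policy ad-gp
"""

if __name__ == "__main__":
    for name, row in dropdown_report(SAMPLE_CONFIG).items():
        print(f"{name:12} dropdown={row['in_dropdown']!s:5} auth={row['auth']:12} policy_ok={row['policy_defined']}")
    print("unresolved default-group-policy:", unresolved_policies(SAMPLE_CONFIG))
```

Run it against a pasted `show running-config` section to get, per tunnel-group, whether the client will see it at all and whether its policy reference is intact; `vpn-hidden` in the sample shows a tunnel-group that exists but is never offered because it has no alias. It only checks the ASA side, so a group that passes here but still does not appear on one particular client points at the client rather than the tunnel-group definition.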
