Hello Everyone,
I have the following configuration in place:
crypto ipsec ikev2 ipsec-proposal INTERIM
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto dynamic-map DYNMAP 65535 set pfs group5
crypto dynamic-map DYNMAP 65535 set ikev2 ipsec-proposal INTERIM
crypto dynamic-map DYNMAP 65535 set security-association lifetime seconds 82800
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto ca trustpoint vpn.domain.org-TP
 revocation-check crl
 enrollment terminal
 keypair vpn.domain.org-TP
 crl configure
  cache-time 720
crypto ikev2 policy 11
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 82800
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint vpn.domain.org-TP
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
 anyconnect profiles IKEv2 disk0:/ikev2.xml
 anyconnect enable
group-policy ANYCONNECT-IKEV2-CESG internal
group-policy ANYCONNECT-IKEV2-CESG attributes
 wins-server none
 dns-server value 1.1.1.1 2.2.2.2
 vpn-session-timeout 1440
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-split-tunnel
 default-domain value domain.local
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value IKEv2 type user
tunnel-group ANYCONNECT-IKEV2-CESG type remote-access
tunnel-group ANYCONNECT-IKEV2-CESG general-attributes
 address-pool IPPOOL1
 default-group-policy ANYCONNECT-IKEV2-CESG
tunnel-group ANYCONNECT-IKEV2-CESG webvpn-attributes
 authentication certificate
Also, the default tunnel-group-map configuration is in place:
no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup
I am connecting with the following client identity certificate:
CN= client1.domain.com
OU= ANYCONNECT-IKEV2-CESG
I figured that the default tunnel-group-map would take the OU of the client cert and map me to the relevant tunnel-group. Unfortunately, it looks like it lands on the DefaultRAGroup and I'm prompted for local authentication credentials.
If I configure the following certificate map, the connection lands on the correct tunnel-group:
crypto ca certificate map CERT-MAP 1
 subject-name attr ou eq anyconnect-ikev2-cesg
webvpn
 certificate-group-map CERT-MAP 1 ANYCONNECT-IKEV2-CESG
Any ideas as to why the connection doesn't follow the logic of the tunnel-group-map's OU matching?
Thank you,
Patrick
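As an added example, not part of Patrick's post or Cisco's code: a small Python model of how a certificate subject is matched against the certificate map and OU fallback configured above. It lets you check, before touching the ASA, which group a given client subject would land in. The evaluation order (map rules first, then OU against tunnel-group names, then the default group) and the trimming of the leading spaces seen in "OU= ANYCONNECT-IKEV2-CESG" are assumptions of the model, not verified ASA behaviour.

```python
# Model of certificate-map / OU based tunnel-group selection (added example,
# not ASA code). The precedence and the DN whitespace handling are assumptions.
from dataclasses import dataclass


def parse_subject(subject: str) -> dict:
    """Turn 'CN= client1.domain.com, OU= ANYCONNECT-IKEV2-CESG' into
    {'cn': 'client1.domain.com', 'ou': 'anyconnect-ikev2-cesg'}.
    Keys and values are trimmed and lower-cased; escaped commas are not handled."""
    attrs = {}
    for part in subject.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip().lower()] = value.strip().lower()
    return attrs


@dataclass
class CertMap:
    """One 'crypto ca certificate map NAME SEQ' entry; all criteria are ANDed."""
    name: str
    seq: int
    criteria: list          # e.g. [("ou", "eq", "anyconnect-ikev2-cesg")]
    tunnel_group: str       # target from 'certificate-group-map NAME SEQ GROUP'

    def matches(self, subj: dict) -> bool:
        for attr, op, value in self.criteria:
            actual = subj.get(attr, "")
            ok = {"eq": actual == value, "ne": actual != value,
                  "co": value in actual, "nc": value not in actual}[op]
            if not ok:
                return False
        return True


def select_tunnel_group(subject, cert_maps, tunnel_groups, use_ou, default_group):
    """Lowest sequence number wins among matching maps; then OU must equal the
    name of a configured tunnel-group; otherwise fall back to the default."""
    subj = parse_subject(subject)
    for cm in sorted(cert_maps, key=lambda m: m.seq):
        if cm.matches(subj):
            return cm.tunnel_group
    if use_ou:
        for tg in tunnel_groups:
            if tg.lower() == subj.get("ou"):
                return tg
    return default_group


# Constructed sample mirroring the post: the working CERT-MAP and the client cert.
CERT_MAPS = [CertMap("CERT-MAP", 1, [("ou", "eq", "anyconnect-ikev2-cesg")],
                     "ANYCONNECT-IKEV2-CESG")]
TUNNEL_GROUPS = ["ANYCONNECT-IKEV2-CESG"]
CLIENT1 = "CN= client1.domain.com, OU= ANYCONNECT-IKEV2-CESG"
```

Call `select_tunnel_group(CLIENT1, CERT_MAPS, TUNNEL_GROUPS, False, "DefaultRAGroup")` to see the map match, or pass an empty map list with `use_ou=True` to see the OU fallback alone.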