Thanks for your time and support Javier!!!  That was what I did before I posted my question.  It was not working, TunnelGroup B connection did not come up.

tunnel-group TunnelGroup B general-attributes

authentication-server-group SSL-VPN

!

tunnel-group TunnelGroup B webvpn-attributes

authentication aaa

btw, the "default-authentication-server" command is not available, however, "authentication-server" is available under general-attributes.  I am using 8.4(2)

(config-tunnel-general)# default-authentication-server SSL-VPN

                                               ^

ERROR: % Invalid input detected at '^' marker.

Any other idea to make this work?  Thanks Joe

Hi Joe,

I am sorry, that was a typo!

On the other hand, we need debugs to analize the issue.

Could you please attach the following ouput during the connection attempt?

debug aaa common 254

debug radius all

debug webvpn svc 254

Thanks.

Portu.

Hi Javier, 

Thank again for your inputs and comments.  Actually, the config does work, I found a problem on group-policies once I fixed that it works fine.

Questions:  now that the config is working, but how does ASA know to map incoming traffic to which tunnel-group?  I tried using "Certificate to SSL VPN Connection Profile Maps" but it is not clear to me how this works?

For example:

(1) If I want to map incoming traffic with "Certificate' to tunnel-group A;

(2) if I want to map incoming traffic without "Certificate" to tunnel-group B,

How to do that?

Thanks

Joe 

Hi Joe,

That's a good question

There are two ways:

1- You could use a group-url or a group-alias to identify each connection profile, so the clients will connect directly to the specific tunnel-group. Then the ASA looks for a valid Root certificate to validate the client's certificate, if it is valid certificate then the connection will be allowed.

2- You could use certificate mapping. So you set up something like this:

CA 1: Issued by a.

CA 2: Issued by b.

tunnel-group AnyConnect_IT webvpn-attributes

     authentication certificate

!

tunnel-group AnyConnect_Public webvpn-attributes

     authentication certificate

!

crypto ca certificate map CERT_MAP 10

issuer-name attr cn eq a

!

crypto ca certificate map CERT_MAP 20

issuer-name attr cn eq b

!

webvpn

enable outside

anyconnect image flash:/anyconnect-win-3.1.01065-k9.pkg

anyconnect enable

certificate-group-map CERT_MAP 10 AnyConnect_IT

certificate-group-map CERT_MAP 20 AnyConnect_Public

So when the client connects, the ASA will check in the "issuer-name" attribute in the Root certificate and will associate it to the correct tunnel-group.

Let me know if you have any further questions.

Portu.

In case that you dont want to use a certificate:

tunnel-group AnyConnect_IT webvpn-attributes

     authentication certificate

!

tunnel-group AnyConnect_Public webvpn-attributes

     authentication aaa

     group-alias Public enable

So they will connect directly to the tunnel-group named Public.

Thanks Javier!

If i use "group-alias Public enable' in your example, the user will need to "select' the group from drop-down list when they login via a clientless vpn session, right?

My end goal is that user doesn't need to make any selection when they login to ASA.  If incoming traffic is "certificate" based, it will land on tunnel-group A and if it is not a "certificate" based then it will land on tunnel-group B.  Can it be done?

I know group-url may work, (user needs to type in the "whole" url address) but i would like to hear your inputs.

Thanks

Joe

Great idea Javier!  thanks.  Digging into a little deep in here.  Is there a way to build an Access-List to filter specified VPN traffic (allow or deny) inisde the tunnel-group?  and how to do it?  btw, i am tunnel-all traffic inside the VPN.  many thanks  Joe

You are the man Javier!!!  For now, I am good.  Many thanks  Joe

You are very welcome!!

Take care man