01-22-2024 11:28 AM
Hello,
I have a Cisco ISR 1111X-8P set up with an IKEv2 IPsec VPN with certificate authentication. I'm trying to get the AnyConnect client to make the user choose which certificate to present to the router in order to pipe them into various internal networks. I have a profile created under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\myprofile.xml with the line <AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection> added before my server list. This does not seem to work, and Windows/AnyConnect will select the cert to use automatically.
Kind regards,
Euki
01-22-2024 12:39 PM
Can I ask why you want this?
MHM
01-22-2024 01:30 PM
Since I'm using client certs to authenticate, I'm not sure how else to differentiate the traffic into separate VPNs. I'm trying to use crypto pki certificate maps to match on client cert data to pipe these guys into various IPsec profiles. If there's an easier way to do this, I'm all ears. I'm pretty much a novice at cert-based VPNs. I have it working now with 2 different certs loaded onto the Windows client, but AnyConnect seems to favor one over the other.
01-22-2024 02:16 PM
By default AnyConnect will cache the thumbprint of the client cert that was used and send it first the next time for auth. This can be disabled in the AnyConnectLocalPolicy file. It is called "Restrict Preference Caching". Might help your situation.
Restrict Preference Caching
By design, Cisco Secure Client does not cache sensitive information to disk. Enabling this parameter extends this policy to any type of user information stored in the Cisco Secure Client preferences.
Credentials—The user name and second user name are not cached.
Thumbprints—The client and server certificate thumbprints are not cached.
CredentialsAndThumbprints—Certificate thumbprints and user names are not cached.
All—No automatic preferences are cached.
false—All preferences are written to disk (default).
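The setting quoted above lives in AnyConnectLocalPolicy.xml (on Windows it sits in the same C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ directory as the Profile folder named earlier in the thread). The fragment below is an added illustration, not a file posted by anyone in the thread or shipped by Cisco; the RestrictPreferenceCaching element and its values are the ones listed in the quoted documentation, while the surrounding elements and the acversion attribute are shortened placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- AnyConnectLocalPolicy.xml: client-side local policy, read on every start of the client.
     acversion is a placeholder; use the value your installed client writes. -->
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="0.0.0">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <!-- Weak (default) setting would be:
         <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
       With false, the client writes the last-used client and server certificate
       thumbprints to disk and offers that client certificate first on the next connect,
       which is the "favors one cert over the other" behaviour described above. -->
  <!-- Thumbprints: client and server certificate thumbprints are not cached, so the
       previous choice no longer biases certificate selection. Use
       CredentialsAndThumbprints or All to also stop caching user names. -->
  <RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>
```

Note that this only removes the cached preference; as the follow-up post in the thread confirms, the client still selects a certificate on its own unless the profile narrows the candidates with certificate matching.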
01-26-2024 04:24 PM
Thanks, I was able to get the client to stop caching certs, but it still would choose what cert to provide without user intervention.
01-23-2024 07:30 AM
@Spiffyman you can use the IKEv2 name mangler to extract attributes from the client certificates, such as the OU. The extracted OU value can be used for authorising the connections and applying the different connection settings.
Example configuration:
crypto ikev2 name-mangler NAMEM_OU
 dn organization-unit
!
crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group cert list FLEX_LOCAL name-mangler NAMEM_OU
!
crypto ikev2 authorization policy ABC
 aaa attribute list ABC
 route set interface
 route set remote ipv4 192.168.1.0 255.255.255.0
!
crypto ikev2 authorization policy DEF
 aaa attribute list DEF
In the example above, ABC or DEF is the value defined in the OU field on the client certificate. This value is extracted and the corresponding authorisation policy applied, with the unique settings applied to that connection.
01-23-2024 07:47 AM
As @stsargen (notice he is a Cisco employee, so his answer is superior) mentioned, the cert cannot be selected for any VPN.
So we can add one certificate to Windows and use
cert + local user to make the user access the VPN.
Now both have the same authz; here we can assign a different authz policy for each user.
I will check the user authz policy and update you tonight.
MHM
01-26-2024 04:15 PM
Thank you all for the suggestions. I tried the name-mangler method and edited my config to match on the domain name of the email string. I then realized I still have the same problem of trying to figure out how to get AnyConnect to allow manual intervention for which cert to use when connecting! I have a cert with email string abc and another with def installed on my Windows client. How the heck do I get the prompt to pick the cert? Or can I somehow use AnyConnect XML profiles to differentiate abc.cert to abcprofile.xml and def.cert to defprofile.xml?
01-26-2024 11:36 PM
@Spiffyman you can use the AnyConnect/Secure Client VPN Profile Editor and use certificate matching to match on the OU field (or EA = Subject Email Address), create multiple different profiles, and then select which one upon connection.
Why would the client devices have 2 certificates though? Generally a group of users would be given one certificate, i.e. OU/EA = ABC, then the FlexVPN would authorise the user to receive whatever settings apply to ABC users. The other group of users would have the OU/EA = DEF certificate and receive those specific settings.
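What the Profile Editor produces for the certificate-matching suggestion above is a VPN profile XML with a CertificateMatch block. The file below is an added example and not a profile from the thread or from Cisco; it shows one profile (the ABC one), and the DEF profile is the same file with the Pattern changed. The host name and address are placeholders, and the choice of the User certificate store is an assumption that follows the later advice in the thread to name the store that actually holds the certificate rather than All.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- abcprofile.xml: placed in the Profile folder named at the top of the thread.
     One profile per user group; select the ABC or DEF entry in the client before connecting. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Search only the current user's store (assumption); All is the broad default. -->
    <CertificateStore>User</CertificateStore>
    <CertificateMatch>
      <DistinguishedName>
        <!-- Only a certificate whose subject OU is exactly ABC is a candidate for this
             profile. For the e-mail based split used later in the thread, set
             <Name>EA</Name> and put the e-mail address in <Pattern>. -->
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>OU</Name>
          <Pattern>ABC</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder names; use the router's real FQDN. -->
      <HostName>Network A (ABC)</HostName>
      <HostAddress>vpn.example.invalid</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The match is what removes the need for a manual certificate prompt: with the ABC profile selected, the client only considers certificates whose OU is ABC, and the router's name-mangler then maps that same OU to the matching authorization policy. Keep MatchCase and Wildcard strict as shown so a certificate with a similar but different OU is not accepted by mistake.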
01-29-2024 02:09 PM
I think the main thing was I was trying to set it up so the VPN would give Group A an address in the A network so they can manage those devices. If they connect to the Group B VPN they would be able to manage devices in network B. Just trying to keep everything separate. Taking a step back, I could just set up routing and firewall rules so when the VPN user connects he/she can access the A and B networks. I didn't really think of that! Just gotta keep it really strict so A traffic cannot traverse into B and vice versa, if that makes sense.
01-29-2024 02:14 PM
@Spiffyman sure, that's straightforward. You just need to distinguish between the users (which can be an attribute in the certificate as above), then authorise the user and assign a different IP pool. Example:
https://integratingit.wordpress.com/2019/03/20/flexvpn-local-authorization/
You can also use a RADIUS server to assign the IP address pool or static IP to the users.
01-27-2024 03:51 AM - edited 01-29-2024 02:08 PM
Yes, I know name-mangler classifying the cert will not work; you mentioned in the beginning that you cannot select the cert to use.
Anyway
My suggestion is based on name-mangler and classifying authz using an EAP prefix.
Thanks
MHM
01-29-2024 02:13 PM
Thank you MHM, I'll need to look into classification using an EAP prefix. I'm not familiar with that!
01-29-2024 02:19 PM
Yes, check it. I don't have a lab to test this solution, and also there is so little info about it.
So using name-mangler
eap prefix xxxxxx
Here the router will use the identity of the user for authz.
Good luck, friend.
MHM
01-27-2024 05:10 AM
What certificate store are you using? Is the certificate you are trying to match on in the store you have selected? Also, if you are using All certificate stores, perhaps try specifying the certificate store that the certificate is located in.
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>