Since I'm using client certs to authenticate I'm not sure how else to differentiate the traffic into separate VPNs. I'm trying to use crypto pki certificate maps to match on client cert data to pipe these guys into various ipsec profiles. If there's an easier way to do this I'm all ears. I'm pretty much a novice at cert-based vpns. I have it working now with 2 different certs loaded onto the windows client but anyconnect seems to favor one over the other.

By default AnyConnect will cache the thumbprint of the client cert that was used and send it first the next time for auth.  This can be disabled in the AnyConnectLocalPolicy file.  It is called "Restrict preference caching".  Might help your situation.

• Restrict Preference Caching

• By design, Cisco Secure Client does not cache sensitive information to disk. Enabling this parameter extends this policy to any type of user information stored in the Cisco Secure Client preferences.

  • Credentials—The user name and second user name are not cached.

  • Thumbprints—The client and server certificate thumbprints are not cached.

  • CredentialsAndThumbprints—Certificate thumbprints and user names are not cached.

  • All—No automatic preferences are cached.

  • false—All preferences are written to disk (default).

Thanks, I was able to get the client to stop caching certs but it still would chose what cert to provide without user intervention.

@Spiffyman you can use the IKEV2 name mangler to extra attributes from the client certificates, such as the OU. The extracted OU value can be used for authorising the connections and apply the different connection settings.

Example configuration:-

crypto ikev2 name-mangler NAMEM_OU
 dn organization-unit
!
crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group cert list FLEX_LOCAL name-mangler NAMEM_OU
!
crypto ikev2 authorization policy ABC
 aaa attribute list ABC
 route set interface
 route set remote ipv4 192.168.1.0 255.255.255.0
!
crypto ikev2 authorization policy DEF
 aaa attribute list DEF

In the example above ABC or DEF is the value defined in the OU field on the client certificate, this value is extracted and the corresponding authorisation policy applied, with the unique settings applied to that connection.

As @stsargen ( notic he is cisco employee so his answer is superior) mention that cert. Can not select for any vpn.

So we can add one certificate to windows and use

Cert+ local user to make user access to VPN

Now both have same authz here we can assign different authz policy for each user.

I will check user authz policy and update you tonight.

MHM

@Spiffyman you can use the AnyConnect/Secure Client VPN Profile Editor and use certificate matching to match on the OU field (or EA = Subject Email Address), create multiple different profiles and then select which one upon connection.

Why would the client devices have 2 certificates though? Generally a group of users would be give one certificate, i.e. OU/EA = ABC then the FlexVPN would authorise the user to receive whatever settings apply to ABC users. The other group of users would have the OU/EA = DEF certificate and receive those specific settings.

I think the main thing was I was trying to set it up so the VPN would give Group A an address in A network so they can manage those devices. If they connect to Group B VPN they would be able to manage devices in network B. Just trying to keep everything separate. Taking a step back I could just set up routing and firewall rules so when the VPN user connects he/she can access A and B networks. I didn't really think of that! Just gotta keep it really strict so A traffic cannot traverse into B and vice versa if that makes sense.

@Spiffyman sure that's straight forward, you just need to distinguish between the users (which can be an attribute in the certificate as above), then authorise the user and assign a different IP pool. Example:

https://integratingit.wordpress.com/2019/03/20/flexvpn-local-authorization/

You can also use a RADIUS server to assign the IP address pool or static IP to the users.

Yes I know name-mangler classify cert. will not work' you mention in beginning that you can not select cert. To use.

Anyway 

My suggestion is based on name-mangler  and classify authz using EAP prefix

Thanks 

MHM

Thank you MHM, I'll need to look into classification using EAP prefix - i'm not familiar with that!

Yes check it I dont have lab to test this solution and also there is so little info about it 

So using name-mangler 

eap prefix xxxxxx

Here the router will use identity of user for authz.

Goodluck friend 

MHM