04-22-2024 05:01 PM
I have multiple AnyConnect connection profiles for various remote users that provide access to different internal networks. The authentication method needs to be certificate only, but there doesn't seem to be a way to prevent an issued certificate holder from accessing other connection profiles. For example, if I issue a certificate for connection profile A, that certificate holder can then access connection profile A and B. Is there a way I can lock connection profile A to certificate A?
04-24-2024 05:11 AM
@Crag Muer, I'm sorry to say that neither URL lists, nor AnyConnect profiles will help you achieve what you want.
You need to configure mapping of user certs to firewall connection profiles with certificate maps. This is straightforward, e.g.
crypto ca certificate map TEST 10
 subject-name attr cn co user1
webvpn
 certificate-group-map TEST 10 <connection-profile-name>
This can be done from GUI too. You can put multiple mapping rules under "webvpn".
URL lists are just connection links. One user can tell the other the URL he uses, so the other one will paste it into the AnyConnect "Connect to" box (unless manual URL entry is disabled in the AnyConnect profile) and connect successfully (unless you use authorization rules on ISE which check which connection profiles are allowed for the user). In other words, URL lists themselves do not provide linkage between user certificates and connection profiles the user is allowed to connect to. Certificate maps do.
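To make the evaluation order and the match operators of that certificate map concrete, here is a small model of how the firewall picks a connection profile from a client certificate's subject. This is an added example, not code from the thread or from Cisco: the map name TEST, the profile names PROFILE_A and PROFILE_B, and the certificate subjects are constructed for illustration. It also shows why "co" (contains) is looser than it looks: a rule "cn co user1" also catches a user named user10, so "eq" is the safer operator when one certificate must map to exactly one profile.

```python
"""Model of how an ASA/FTD 'crypto ca certificate map' selects a connection
profile (tunnel group) from a client certificate's subject name.

Added example for the thread above, not code from the original post or from
Cisco.  The certificate subjects used below are constructed sample DNs, not
real certificates, and the map/profile names are assumptions.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Name of the single certificate map modelled here (assumed, as in the post).
CERTIFICATE_MAP = "TEST"

# ASA certificate-map comparison operators.  Comparison is case-insensitive.
OPERATORS = {
    "eq": lambda have, want: have.lower() == want.lower(),
    "ne": lambda have, want: have.lower() != want.lower(),
    "co": lambda have, want: want.lower() in have.lower(),       # contains
    "nc": lambda have, want: want.lower() not in have.lower(),   # not contains
}


@dataclass(frozen=True)
class Rule:
    """One 'crypto ca certificate map <name> <seq>' entry with a single
    subject-name criterion.  (A real entry may carry several criteria, all of
    which must match; one per entry keeps this model short.)"""
    seq: int            # entries are evaluated in ascending sequence order
    attr: str           # subject attribute: cn, ou, o, ...
    op: str             # eq | ne | co | nc
    value: str
    tunnel_group: str   # connection profile the match forces the user into


def parse_subject(dn: str) -> Dict[str, str]:
    """Split 'CN=user1,OU=vpn,O=Example' into {'cn': 'user1', ...}.
    Simplified: escaped commas inside values are not handled."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return attrs


def select_tunnel_group(subject_dn: str, rules: List[Rule]) -> Optional[str]:
    """Return the tunnel group of the first matching entry, or None when no
    entry matches (the firewall then falls back to its default selection, so
    that default profile should not grant any sensitive access)."""
    subject = parse_subject(subject_dn)
    for rule in sorted(rules, key=lambda r: r.seq):
        have = subject.get(rule.attr.lower())
        if have is None:
            continue                      # attribute absent: entry cannot match
        if OPERATORS[rule.op](have, rule.value):
            return rule.tunnel_group
    return None


def render_asa_config(rules: List[Rule]) -> str:
    """Emit the ASA CLI equivalent of the rule set (map entries, then the
    certificate-group-map lines under webvpn)."""
    ordered = sorted(rules, key=lambda r: r.seq)
    lines = []
    for r in ordered:
        lines.append(f"crypto ca certificate map {CERTIFICATE_MAP} {r.seq}")
        lines.append(f" subject-name attr {r.attr} {r.op} {r.value}")
    lines.append("webvpn")
    for r in ordered:
        lines.append(f" certificate-group-map {CERTIFICATE_MAP} {r.seq} {r.tunnel_group}")
    return "\n".join(lines)


# Rules as written in the post ("co"), and a stricter variant ("eq").
LOOSE_RULES = [
    Rule(10, "cn", "co", "user1", "PROFILE_A"),
    Rule(20, "cn", "co", "user2", "PROFILE_B"),
]
STRICT_RULES = [
    Rule(10, "cn", "eq", "user1", "PROFILE_A"),
    Rule(20, "cn", "eq", "user2", "PROFILE_B"),
]

# Constructed sample subjects (not real certificates).
USER1 = "CN=user1,OU=vpn,O=Example"
USER2 = "CN=user2,OU=vpn,O=Example"
USER10 = "CN=user10,OU=vpn,O=Example"


if __name__ == "__main__":
    print(render_asa_config(STRICT_RULES))
    for dn in (USER1, USER2, USER10):
        print(dn, "->", select_tunnel_group(dn, LOOSE_RULES), "(co)",
              select_tunnel_group(dn, STRICT_RULES), "(eq)")
```

Run as-is it prints the generated CLI and the profile chosen for each subject under both rule sets. The point to take from it: with the map in place a user1 certificate lands in PROFILE_A no matter which URL or alias the client picks, which is the linkage the post is after; and the sequence numbers matter, since the first entry that matches wins. If you issue many certificates, matching on a per-profile OU (for example "ou eq PROFILE_A") scales better than one cn rule per user.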
04-23-2024 02:31 AM
Have you looked at "Certificate Matching" in the AnyConnect profile? That should do the trick.
04-24-2024 02:52 AM
I've been trying to get certificate matching working, but when I configure profile A to match the CN for certificate A and profile B to match the CN for certificate B, it doesn't seem to do anything. I can still connect to both AnyConnect profiles, thereby allowing two different end users to connect to each other's profiles, defeating the whole purpose of having separate authentications.
Perhaps I'm doing something wrong in the configuration but it seems pretty straight forward.
04-24-2024 02:53 AM
Share the config you use.
MHM
04-23-2024 02:38 AM
I was thinking about your case from yesterday.
I think the solution is:
Use a URL list under the tunnel group, and the public IP / DNS name is used in the cert of the user and the FW.
MHM
04-24-2024 02:57 AM
Where do I find the URL list under the tunnel group for AnyConnect?
04-24-2024 11:20 AM
That was exactly what I needed, thank you so much for pointing that out!
04-24-2024 07:07 AM - edited 04-24-2024 11:21 AM
MHM