Lock AnyConnect profile to specific certificate

Crag Muer
Level 1

I have multiple AnyConnect connection profiles for various remote users that provide access to different internal networks. The authentication method needs to be certificate only, but there doesn't seem to be a way to prevent an issued certificate holder from accessing other connection profiles. For example, if I issue a certificate for connection profile A, that certificate holder can then access connection profile A and B. Is there a way I can lock connection profile A to certificate A?

Accepted Solution

@Crag Muer, I'm sorry to say that neither URL lists, nor AnyConnect profiles will help you achieve what you want.

You need to configure mapping of user certs to firewall connection profiles with certificate maps. This is straightforward, e.g.

crypto ca certificate map TEST 10
 subject-name attr cn co user1

webvpn
 certificate-group-map TEST 10 <connection-profile-name>

This can be done from GUI too. You can put multiple mapping rules under "webvpn".

URL lists are just connection links. One user can tell the other the URL he uses, so the other one will paste it into the AnyConnect "Connect to" box (unless manual URL entry is disabled in the AnyConnect profile) and connect successfully (unless you use authorization rules on ISE which check which connection profiles are allowed for the user). In other words, URL lists themselves do not provide linkage between user certificates and connection profiles the user is allowed to connect to. Certificate maps do.

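Added illustration (not Cisco code and not the poster's configuration): a small Python model of how a certificate map selects a connection profile, written to show that the `co` (contains) operator in the example above also matches CNs such as `user10`, while `eq` requires an exact match. The first-match-by-sequence ordering, the default group name and the subject values are assumptions made for the illustration.

```python
"""Model of ASA-style certificate-map matching (illustration, not Cisco code).

Assumptions: map entries are tried in ascending sequence order, the first
entry whose rules all match selects the profile, and an unmatched
certificate falls through to a default group.
"""
from dataclasses import dataclass

# ASA match operators: eq (equal), ne (not equal), co (contains), nc (not contains).
OPERATORS = {
    "eq": lambda field, value: field == value,
    "ne": lambda field, value: field != value,
    "co": lambda field, value: value in field,
    "nc": lambda field, value: value not in field,
}


@dataclass
class Rule:
    attr: str   # subject attribute, e.g. "cn" or "ou"
    op: str     # one of OPERATORS
    value: str


@dataclass
class CertMap:
    name: str
    seq: int
    rules: list
    profile: str  # connection profile bound via certificate-group-map


def map_matches(cert_map, subject):
    """An entry matches only if every rule matches the certificate subject."""
    return all(OPERATORS[r.op](subject.get(r.attr, ""), r.value) for r in cert_map.rules)


def select_profile(cert_maps, subject, default="DefaultWEBVPNGroup"):
    """Return the profile of the lowest-sequence matching entry, else the default."""
    for cm in sorted(cert_maps, key=lambda m: m.seq):
        if map_matches(cm, subject):
            return cm.profile
    return default


# Constructed maps: the thread's loose "co" match beside a strict "eq" variant.
LOOSE = [CertMap("TEST", 10, [Rule("cn", "co", "user1")], "PROFILE-A"),
         CertMap("TEST", 20, [Rule("cn", "co", "user2")], "PROFILE-B")]
STRICT = [CertMap("TEST", 10, [Rule("cn", "eq", "user1"), Rule("ou", "eq", "TeamA")], "PROFILE-A"),
          CertMap("TEST", 20, [Rule("cn", "eq", "user2"), Rule("ou", "eq", "TeamB")], "PROFILE-B")]

if __name__ == "__main__":
    for subj in ({"cn": "user1", "ou": "TeamA"}, {"cn": "user10", "ou": "TeamB"}):
        print(subj, "loose ->", select_profile(LOOSE, subj), "| strict ->", select_profile(STRICT, subj))
```

With the loose map a certificate issued as `user10` lands in PROFILE-A; the strict map sends it to the default group instead, which is the behaviour to verify after applying the mapping on the firewall.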

8 Replies

I've been trying to get certificate matching working, but when I configure profile A to match the CN for certificate A and profile B to match the CN for certificate B, it doesn't seem to do anything. I can still connect to both AnyConnect profiles, thereby allowing two different end users to connect to each other's profiles, defeating the whole purpose of having separate authentications.

Perhaps I'm doing something wrong in the configuration, but it seems pretty straightforward.

Share the config you use.

MHM

I was thinking about your case from yesterday,

I think the solution is:

Use a URL list under the tunnel group, and the public IP / DNS name is used in the cert of the user and the FW.

MHM

Where do I find the URL list under the tunnel group for AnyConnect?


That was exactly what I needed, thank you so much for pointing that out!
