ASA - Certificate-authenticated AnyConnect/IKEv2 connections not obeying tunnel-group-map

Patrick0711
Level 3

Hello Everyone,

I have the following configuration in place:

crypto ipsec ikev2 ipsec-proposal INTERIM
 protocol esp encryption aes
 protocol esp integrity sha-1
 
crypto dynamic-map DYNMAP 65535 set pfs group5
crypto dynamic-map DYNMAP 65535 set ikev2 ipsec-proposal INTERIM
crypto dynamic-map DYNMAP 65535 set security-association lifetime seconds 82800

crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP

crypto ca trustpoint vpn.domain.org-TP
 revocation-check crl
 enrollment terminal
 keypair vpn.domain.org-TP
 crl configure
  cache-time 720
 
crypto ikev2 policy 11
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 82800
 
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint vpn.domain.org-TP


webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
 anyconnect profiles IKEv2 disk0:/ikev2.xml
 anyconnect enable
 

group-policy ANYCONNECT-IKEV2-CESG internal
group-policy ANYCONNECT-IKEV2-CESG attributes
 wins-server none
 dns-server value 1.1.1.1 2.2.2.2
 vpn-session-timeout 1440
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-split-tunnel
 default-domain value domain.local
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value IKEv2 type user
 
tunnel-group ANYCONNECT-IKEV2-CESG type remote-access
tunnel-group ANYCONNECT-IKEV2-CESG general-attributes
 address-pool IPPOOL1
 default-group-policy ANYCONNECT-IKEV2-CESG
tunnel-group ANYCONNECT-IKEV2-CESG webvpn-attributes
 authentication certificate

Also, the default tunnel-group-map configuration is in place:

no tunnel-group-map enable rules
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultRAGroup

I am connecting with the following client identity certificate:

CN=client1.domain.com
OU=ANYCONNECT-IKEV2-CESG

I figured that the default tunnel-group-map would take the OU of the client cert and map me to the relevant tunnel-group. Unfortunately, it looks like it lands on the DefaultRAGroup and I'm prompted for local authentication credentials.

If I configure the following certificate map, the connection lands on the correct tunnel-group:

crypto ca certificate map CERT-MAP 1
 subject-name attr ou eq anyconnect-ikev2-cesg
 
webvpn
 certificate-group-map CERT-MAP 1 ANYCONNECT-IKEV2-CESG

Any ideas as to why the connection doesn't follow the logic of the tunnel-group-map's OU matching?

Thank you,

Patrick
