Cisco Support Community

Anyconnect with 2 group profiles: 1 certificate based, 1 certificate + AAA

I'm trying to set up my AnyConnect group policies to allow 2 types of access.

1 group will be allowed to access certain internal web servers, and are required only to be authenticated using a certificate.  This group is called SSLClient.

The other group will be allowed to access the web servers plus RDP to their desktops, and are required to be authenticated using certificates as well as AAA (which I will authenticate with RSA (SDI)). This group is called SSLClient2Factor.

The SSLClient group works fine.  But, I can't get the SSLClient2Factor to work right. The connection reverts to using the SSLClient group.  If I configure the SSLClient2Factor group to use "aaa" only, they both work.

Here's a sample of my configuration:

group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value x
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value vpn-filter
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value internal-network-vpn
 default-domain value x.net
 address-pools value SSLClientPool

group-policy SSLClient2FactorPolicy internal
group-policy SSLClient2FactorPolicy attributes
 dns-server value x
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value vpn-filter-2factor
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value internal-network
 default-domain value x.net
 address-pools value SSLClientPool

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 authentication certificate
 group-alias SSLVPNClient enable

tunnel-group SSLClient2FactorProfile type remote-access
tunnel-group SSLClient2FactorProfile general-attributes
 authentication-server-group RSA
 default-group-policy SSLClient2FactorPolicy
tunnel-group SSLClient2FactorProfile webvpn-attributes
 authentication aaa certificate
 group-alias SSLVPNClient2Factor enable
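
An added example, not part of the original post and not Cisco code: a small Python check that reads the tunnel-group stanzas above and reports any connection profile whose configured authentication methods fall short of what the post says each group should require. The REQUIRED table and the function names are assumptions made for the illustration, and the parser assumes sub-commands are indented as in "show running-config" output.

```python
# Constructed sample: the authentication-relevant lines of the post's configuration.
CONFIG = """\
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 authentication certificate
tunnel-group SSLClient2FactorProfile general-attributes
 authentication-server-group RSA
 default-group-policy SSLClient2FactorPolicy
tunnel-group SSLClient2FactorProfile webvpn-attributes
 authentication aaa certificate
"""

# Intended factors per connection profile, taken from the post's description
# (hypothetical table, not an ASA feature).
REQUIRED = {
    "SSLClientProfile": {"certificate"},
    "SSLClient2FactorProfile": {"aaa", "certificate"},
}

def parse_profiles(config):
    """Map each tunnel-group to its auth methods, AAA server group and group policy."""
    profiles, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # top-level line: opens or closes a stanza
            current = None
            if words[0] == "tunnel-group" and len(words) >= 3:
                current = profiles.setdefault(
                    words[1], {"methods": set(), "aaa_group": None, "policy": None})
        elif current is not None:
            if words[0] == "authentication":
                current["methods"] = set(words[1:])
            elif words[0] == "authentication-server-group" and len(words) > 1:
                current["aaa_group"] = words[1]
            elif words[0] == "default-group-policy" and len(words) > 1:
                current["policy"] = words[1]
    return profiles

def audit(config, required=REQUIRED):
    """Return {profile: [findings]} for profiles that miss an intended factor."""
    profiles, findings = parse_profiles(config), {}
    for name, need in required.items():
        prof = profiles.get(name)
        if prof is None:
            findings[name] = ["profile not defined"]
            continue
        issues = [f"missing factor: {m}" for m in sorted(need - prof["methods"])]
        if "aaa" in prof["methods"] and prof["aaa_group"] is None:
            issues.append("aaa enabled without an explicit authentication-server-group")
        if issues:
            findings[name] = issues
    return findings
```

Run against the configuration as posted, audit() returns no findings; run against the "aaa only" variant mentioned in the post, it reports the missing certificate factor on SSLClient2FactorProfile.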
