Cisco Support Community

ASA DefaultRAGroup and DefaultWEBVpnGroup

I am currently implementing a 5545-X using firmware 9.1.4 with a remote access configuration. I have a requirement to enable a full-client SSL VPN (AnyConnect) for managed clients and a clientless web portal for other (unmanaged) clients (BYOD). I created 2 profiles: a managed profile with a managed policy, and an unmanaged profile with an unmanaged policy for BYOD devices. The managed profile uses a group policy that allows client SSL VPN; the unmanaged profile uses a group policy that allows clientless SSL only. Furthermore I have the DefaultWEBVPNGroup and DefaultRAGroup. DefaultWEBVPNGroup also uses the unmanaged policy; DefaultRAGroup uses the managed policy.

Profile selection is based on certificate mapping. The managed client has a client certificate that is matched and then mapped to the managed connection profile. The rest falls back to the default. For clientless connections this all works as expected.

The problem, though, is that somehow I am also able to use AnyConnect in the same manner. When I use AnyConnect on a BYOD device and connect to the default URL (no group-url), I am also prompted with the authentication dialogue used for the unmanaged clients. It turns out that AnyConnect uses the DefaultWEBVPNGroup even though that has been disabled for client SSL.

My questions:

Why is AnyConnect using the DefaultWEBVPNGroup when this is disabled for client SSL?

Why isn't AnyConnect using the DefaultRAGroup?

Bottom line is that I do not want BYOD devices even getting a login dialogue. The managed profile should kick in (configured in DefaultRAGroup) and this should deny them.

Hope someone has an idea what I am doing wrong ;)

All the best, Rene
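The following is an added ASA 9.1-style configuration skeleton that reproduces the setup described in the post, so the pieces involved (group policies, certificate map, connection profiles, the two built-in profiles, and the webvpn mapping) can be seen in one place. It is not the poster's configuration. The profile and policy names, the certificate map name and its OU match, the interface name and the AnyConnect package file name are all assumptions; adjust them to your environment. The `show` commands at the end are the checks a practitioner would run to see which connection profile a session actually landed in.

```text
! Added example, not from the original post. Names, the certificate match,
! the interface and the package file name are assumptions.
!
! --- Group policies: which tunnel protocols each population may use ---
group-policy MANAGED-POLICY internal
group-policy MANAGED-POLICY attributes
 vpn-tunnel-protocol ssl-client
!
group-policy UNMANAGED-POLICY internal
group-policy UNMANAGED-POLICY attributes
 vpn-tunnel-protocol ssl-clientless
!
! --- Certificate map: identifies managed clients by their client cert ---
! (assumed attribute: managed workstations carry OU=Managed in the subject)
crypto ca certificate map MANAGED-CERT-MAP 10
 subject-name attr ou eq Managed
!
! --- Connection profiles (tunnel-groups) ---
tunnel-group MANAGED-PROFILE type remote-access
tunnel-group MANAGED-PROFILE general-attributes
 default-group-policy MANAGED-POLICY
tunnel-group MANAGED-PROFILE webvpn-attributes
 authentication certificate
!
tunnel-group UNMANAGED-PROFILE type remote-access
tunnel-group UNMANAGED-PROFILE general-attributes
 default-group-policy UNMANAGED-POLICY
tunnel-group UNMANAGED-PROFILE webvpn-attributes
 authentication aaa
!
! The two built-in profiles, assigned as in the post:
! DefaultWEBVPNGroup gets the unmanaged policy, DefaultRAGroup the managed one.
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy UNMANAGED-POLICY
tunnel-group DefaultRAGroup general-attributes
 default-group-policy MANAGED-POLICY
!
! --- SSL VPN on the outside interface, certificate-to-profile mapping ---
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 certificate-group-map MANAGED-CERT-MAP 10 MANAGED-PROFILE
!
! --- Checks: which connection profile did a session actually use? ---
!   show vpn-sessiondb anyconnect
!   show vpn-sessiondb detail anyconnect filter name <username>
!   show vpn-sessiondb webvpn
! The "Group" / "Tunnel Group" column in the output is the profile the ASA
! selected; compare it with the profile you expected the cert map to choose.
```

Two caveats worth knowing when reading the output of those checks. First, on the ASA the fallback connection profile for SSL-based connections, both AnyConnect and clientless, is DefaultWEBVPNGroup; DefaultRAGroup is the fallback for IPsec (IKEv1) remote-access and L2TP/IPsec connections, so a `default-group-policy` set on DefaultRAGroup has no effect on an AnyConnect SSL session that matched no group-url, alias or certificate map. Second, `vpn-tunnel-protocol` on a group policy is evaluated after the user has authenticated into the selected profile: a client that is denied by it still gets the login dialogue and is rejected afterwards, which is consistent with what the post describes.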