Cisco Support Community

New Member

Cisco AnyConnect - Certificate Authentication with LDAP group lookup


I am trying to set up a remote access solution using Cisco AnyConnect. My scenario is as follows:

- I have 3 different classes of users (defined by group policies on the ASA). Each group gets an IP address from one of 3 available pools

- These 3 ASA groups are mapped to 3 different LDAP groups. Meaning, a domain user belonging to a specific LDAP group maps to his respective ASA group.

- The user authentication is certificate based (no username and password)

- I have created only 1 tunnel-group, with the default group policy applied. This was done so that no specific group-policy is explicitly applied to the tunnel group, as I have 3 group policies and, based on which LDAP user connects, he will get his specific group policy settings from the ASA.


The solution works 100% when I use username/password authentication. An LDAP user gets mapped to his specific group-policy on the ASA and gets an IP address from his pool.


When I change the authentication to certificate based, the solution does not work. I get an error whereby the ASA is not able to assign an IP address to the user. I see that the certificate is authenticated correctly, however at the last part of address assignment, it fails.

I think the issue is that the LDAP group lookup fails when the authentication is certificate based. I am no LDAP expert, so I am not sure if the LDAP-to-ASA Group mapping only works if the authentication is username/password based. 

Can anybody shed some light on this?




Hall of Fame Super Silver

How are you ascertaining the LDAP group assignment without LDAP authentication - pulling it from the certificate using certificate to profile mapping?

If so, that should work, assuming you have the "address-pools value _____" under each "group-policy _____ attributes" section.

New Member

Hi Marvin,

I cannot ascertain LDAP group assignment with LDAP authentication when using certificates though. All I can confirm is that the certificate is validated, hence the VPN session is established. It seems like the LDAP mapping to RADIUS class is not happening when using certificates.

Remember, I am using the DfltGrpPolicy under the tunnel-group; the user must get his IP address from his specific group policy which is mapped to the LDAP groups. The IP address assignment fails as the ASA cannot tie this mapping together when certificates are being used.

I am not sure if this mapping should include additional fields when certificates are being used.

My LDAP attribute mapping looks something like this:

map-value memberOf "CN=ZA-SG COS GOLD,CN=Users,DC=xxx,DC=com" GRP-GOLD


    Group-Policy on ASA: GRP-GOLD

You mention certificate to profile mapping - is this done differently from my mapping above?




New Member

Hi :)


Don't know if you managed to get this working, but if u are still interested I have :)


What u need to do is enable LDAP Authorization in addition to certificate authentication.

U need to create a LDAP server group, as u would with regular LDAP authentication. 

Then u specify this in the authorization section in the connection profile.

Then u need to get the username from the certificate.

This is done by selecting "use script to select username".

Click Add and in the new window just select script parameters and select value for Username: User Principal Name (UPN) and No filtering.


Now u should be able to extract the group membership from the user in AD and assign the correct group policy based on this information with a regular LDAP attribute mapping.

Worked for me :)


Forgot to mention that the LDAP server definition needs to have the Naming Attribute: userPrincipalName and not the usual sAMAccountName, since u are sending UPN (user@company.local) to the LDAP servers.
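
A CLI sketch of the steps in the reply above (certificate authentication plus LDAP authorization keyed on the certificate's UPN), added here as an example and not taken from any poster's configuration. The names RA-CERT, LDAP-AUTHZ, LDAP-GRP-MAP and POOL-GOLD, the 192.0.2.x addresses and the bind account are hypothetical placeholders; it uses the built-in UPN selector rather than the ASDM username script the reply describes.

```cisco
! Added example; all names and addresses below are placeholders.
! Address pool that the group policy hands out
ip local pool POOL-GOLD 192.0.2.129-192.0.2.190 mask 255.255.255.192

! Map the AD memberOf value to an ASA group-policy name.
! IETF-Radius-Class is the older target attribute; later ASA releases
! accept "map-name memberOf Group-Policy" for the same purpose.
ldap attribute-map LDAP-GRP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=ZA-SG COS GOLD,CN=Users,DC=xxx,DC=com" GRP-GOLD

! LDAP server group used for authorization only.
! The naming attribute is userPrincipalName because the ASA sends the
! UPN taken from the certificate, not the sAMAccountName.
aaa-server LDAP-AUTHZ protocol ldap
aaa-server LDAP-AUTHZ (inside) host 192.0.2.10
 ldap-base-dn DC=xxx,DC=com
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=asa-bind,CN=Users,DC=xxx,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map LDAP-GRP-MAP

! Group policy selected by the attribute map; it carries the pool
group-policy GRP-GOLD internal
group-policy GRP-GOLD attributes
 address-pools value POOL-GOLD

! Single connection profile: certificate authentication, then LDAP
! authorization using the UPN extracted from the client certificate
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 authorization-server-group LDAP-AUTHZ
 default-group-policy DfltGrpPolicy
 username-from-certificate UPN
tunnel-group RA-CERT webvpn-attributes
 authentication certificate
```

With this in place, a user whose certificate UPN is not found in LDAP, or who is in none of the mapped groups, stays on DfltGrpPolicy, so that policy should grant nothing useful (for example, no address pool).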



New Member

Hello friends


Allow me to resurrect this old post. I currently have an AnyConnect profile authenticated through the ASA local CA Server, so I must manually generate the user on the ASA, and then the user is able to request a certificate from its AnyConnect client mobile device.


I must implement failover, but it doesn't work when the ASA is acting as the local CA Server. So I know that I must change to an external CA; the question is whether it is possible to combine LDAP authentication (so I won't create local users anymore) and certificate authentication?


Best Regards!