Certificate mapping to anyconnect tunnel-group II. – Special mapping

Posted on August 22, 2011


The user connects with the AnyConnect client over IPsec to the ASA firewall.
Let's say we have two Certificate Authorities (with the issuer names IssuerA and IssuerB), and users are mapped to tunnel-groups according to the issuer of their certificate.
A user called Terry Wood needs SSL, as he works in a hotel whose local proxy allows only HTTP or HTTPS (and DNS).
Terry has a certificate from IssuerB.
The question is: how can we map this one user to an AnyConnect profile that has SSL as the primary protocol rather than IPsec?


This is the path along which the config works:

user certificate -> certificate map -> tunnel-group -> group-policy -> AnyConnect profile -> XML file that holds the protocol setting.


certificate map

To better understand the config, let's look at the two tables: Table 1 lists the DN attribute tags that can follow the "attr" keyword in a certificate map rule, and Table 2 lists the match operators.

Table 1. DN attribute tags (crypto-ca-cert-map mode commands/options):

  c      Country
  cn     Common Name
  dc     Domain Component
  dnq    DN Qualifier
  ea     Email Address
  genq   Generational Qualifier
  gn     Given Name
  i      Initials
  ip     IP Address
  l      Locality
  n      Name
  o      Organization Name
  ou     Organizational Unit
  ser    Serial Number
  sn     Surname
  sp     State/Province
  t      Title
  uid    User ID
  uname  Unstructured Name

Table 2. Match operators (crypto-ca-cert-map mode commands/options):

  co     Contains
  eq     Equal
  nc     Does not contain
  ne     Not Equal

The configuration (MyCM1 2 must exclude Terry, otherwise the first IssuerB rule would catch him before MyCM2 1 is ever reached):

crypto ca certificate map MyCM1 1
 issuer-name attr cn co IssuerA
crypto ca certificate map MyCM1 2
 issuer-name attr cn co IssuerB
 subject-name nc terry wood
crypto ca certificate map MyCM2 1
 issuer-name attr cn co IssuerB
 subject-name co terry wood


! the profile definitions and the certificate-group-map entries live in webvpn configuration mode
webvpn
 anyconnect profiles AnyconnectProfileIPSec disk0:/AnyconnectProfile.xml
 anyconnect profiles AnyconnectProfileSSL disk0:/AnyconnectProfileSSL.xml
 certificate-group-map MyCM1 1 AnyconnectIPSec
 certificate-group-map MyCM1 2 AnyconnectIPSec
 certificate-group-map MyCM2 1 AnyconnectSSL


tunnel-group AnyconnectIPSec type remote-access
tunnel-group AnyconnectIPSec general-attributes
 address-pool vpn-pool1
 default-group-policy MyPolicyIPSec
tunnel-group AnyconnectIPSec webvpn-attributes
 authentication certificate

tunnel-group AnyconnectSSL type remote-access
tunnel-group AnyconnectSSL general-attributes
 address-pool vpn-pool2
 default-group-policy MyPolicySSL
tunnel-group AnyconnectSSL webvpn-attributes
 authentication certificate


! "anyconnect profiles value" is entered in the webvpn sub-mode of the group-policy attributes
group-policy MyPolicySSL internal
group-policy MyPolicySSL attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  anyconnect profiles value AnyconnectProfileSSL type user

group-policy MyPolicyIPSec internal
group-policy MyPolicyIPSec attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 webvpn
  anyconnect profiles value AnyconnectProfileIPSec type user
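
To check that the rule set really sends Terry to the SSL group and every other IssuerB user to the IPsec group, here is an added Python model of the evaluation (example code written for this page, not the post's own config and not Cisco code). It walks the post's certificate-map rules and certificate-group-map entries in order and follows the chain tunnel-group -> group-policy -> profile. The certificates are constructed test inputs; case-insensitive matching and first-match evaluation order are assumptions of the model, not something the post states.

```python
"""Model of ASA certificate-map evaluation using the rules from the post.
Added example: certificates are constructed; matching semantics are assumptions."""

# Table 2 operators. Assumption: comparisons are case-insensitive.
OPS = {
    "co": lambda value, s: s.lower() in value.lower(),
    "nc": lambda value, s: s.lower() not in value.lower(),
    "eq": lambda value, s: value.lower() == s.lower(),
    "ne": lambda value, s: value.lower() != s.lower(),
}


def dn_field(cert, side, attr):
    """Return one attribute of the issuer/subject DN, or the whole DN rendered
    as text when no 'attr' tag was given (as in 'subject-name nc terry wood')."""
    dn = cert[side]
    if attr is None:
        return ", ".join(f"{tag}={val}" for tag, val in dn.items())
    return dn.get(attr, "")


def rule_matches(rule, cert):
    """A 'crypto ca certificate map' entry matches only if every line in it matches."""
    return all(OPS[op](dn_field(cert, side, attr), s) for side, attr, op, s in rule)


# crypto ca certificate map entries from the post: (map name, seq) -> tests
CERT_MAPS = {
    ("MyCM1", 1): [("issuer", "cn", "co", "IssuerA")],
    ("MyCM1", 2): [("issuer", "cn", "co", "IssuerB"),
                   ("subject", None, "nc", "terry wood")],
    ("MyCM2", 1): [("issuer", "cn", "co", "IssuerB"),
                   ("subject", None, "co", "terry wood")],
}

# certificate-group-map lines, in the order they appear in the post
CERT_GROUP_MAP = [
    ("MyCM1", 1, "AnyconnectIPSec"),
    ("MyCM1", 2, "AnyconnectIPSec"),
    ("MyCM2", 1, "AnyconnectSSL"),
]

# tunnel-group -> (default group-policy, AnyConnect profile, allowed protocols)
TUNNEL_GROUPS = {
    "AnyconnectIPSec": ("MyPolicyIPSec", "AnyconnectProfileIPSec",
                        ("ikev1", "ikev2", "ssl-client", "ssl-clientless")),
    "AnyconnectSSL": ("MyPolicySSL", "AnyconnectProfileSSL",
                      ("ssl-client", "ssl-clientless")),
}


def select_tunnel_group(cert, cert_maps=CERT_MAPS, group_map=CERT_GROUP_MAP):
    """First certificate-group-map entry whose map matches wins.
    Assumption: entries are tried in listed order. None means nothing matched
    (a real ASA would then fall back to its default tunnel-group)."""
    for map_name, seq, tunnel_group in group_map:
        if rule_matches(cert_maps[(map_name, seq)], cert):
            return tunnel_group
    return None


def resolve_path(cert):
    """Follow the whole chain the post describes and report each hop."""
    tunnel_group = select_tunnel_group(cert)
    if tunnel_group is None:
        return None
    policy, profile, protocols = TUNNEL_GROUPS[tunnel_group]
    return {"tunnel_group": tunnel_group, "group_policy": policy,
            "profile": profile, "protocols": protocols}


def without_exclusion(cert):
    """What happens if MyCM1 2 lacked the 'subject-name nc terry wood' line:
    the first IssuerB match wins and Terry never reaches the SSL group."""
    loose = dict(CERT_MAPS)
    loose[("MyCM1", 2)] = [("issuer", "cn", "co", "IssuerB")]
    return select_tunnel_group(cert, cert_maps=loose)


# Constructed test certificates: only the issuer and subject DNs, as the ASA sees them
TERRY = {"issuer": {"cn": "IssuerB", "o": "Example CA"},
         "subject": {"cn": "Terry Wood", "o": "Example Corp"}}
ALICE = {"issuer": {"cn": "IssuerB", "o": "Example CA"},
         "subject": {"cn": "Alice Example", "o": "Example Corp"}}
BOB = {"issuer": {"cn": "IssuerA", "o": "Example CA"},
       "subject": {"cn": "Bob Example", "o": "Example Corp"}}
STRANGER = {"issuer": {"cn": "OtherCA"}, "subject": {"cn": "Terry Wood"}}

if __name__ == "__main__":
    for name, cert in [("Terry", TERRY), ("Alice", ALICE), ("Bob", BOB), ("stranger", STRANGER)]:
        print(name, "->", resolve_path(cert))
    print("Terry without the nc exclusion ->", without_exclusion(TERRY))
```

Running it shows Terry landing in AnyconnectSSL (whose group-policy offers no IKE protocol), Alice and Bob in AnyconnectIPSec, a certificate from an unknown issuer matching nothing, and Terry falling into the IPsec group as soon as the "nc" exclusion is dropped from MyCM1 2.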

Posted in: ASA, Cisco, Security, VPN