07-26-2022 02:51 AM - edited 07-26-2022 07:37 AM
Hello,
I am in the process of migrating ASA code to FTD (7.0.1) but there is one command in the ASA that I cannot figure out where to configure in FMC.
On the ASA I have the following RA VPN settings configured under tunnel-group general-attributes:
authorization-required
secondary-username-from-certificate CN
In the FMC RA VPN configuration, under "Edit connection profile" on the AAA tab, there is a setting called "Map username from client certificate", but I cannot see any option to use "secondary-username-from-certificate".
Anyone know if that's possible?
Thanks
/Chess
07-26-2022 01:11 PM
If the option is not in the GUI then you need to configure it via FlexConfig. But I would suggest testing this in a lab before doing it in production.
07-27-2022 01:42 AM - edited 07-27-2022 01:43 AM
I tried to find this option in the ASA device manager, just to see exactly what it's called there and see if I can find something similar in FMC. The RA VPN parameters use similar names in ASDM and FMC, but I cannot find this option in ASDM either. This option must be available there, since the command is visible in the CLI. Has anyone configured this in ASDM and knows where this option is located?
/Chess
07-28-2022 12:44 AM
The ASDM does not support all configuration options for the ASA either. So, if that command is not present, it just means it must also be configured using the CLI on the ASA.
07-29-2022 05:52 AM
Yes, you are right about that. I found out that this command is a default command and only visible with the "show run all" command. The reason it was visible in the ASA CLI code was that someone has made a change to the default setting.
/Chess