01-09-2023 05:43 PM
Anyone able to enforce CAC Card login on the FMC? Version 7.0.4-55
I've got it working to verify the HTTPS certificate with the user's CAC/token card and PIN and can load the webpage, but for the life of me can't get any user able to log into the GUI.
I have the user built and external authorization checked.
I can test the SubjectAlternativeName/userPrincipalName and verify it gets assigned to the correct user group role via the FMC external LDAPS groups test with AD.
The FMC audit log and syslog just show "invalid user", and I did a recursive search through var/logs but am not seeing anything that stands out.
We had AD login (LDAPS) working until we enforced CAC cards. I've built a new external login method with CAC enforced. I've tried turning off the original built LDAPS groups. Tested on a new FMC with just the CAC enforced: it lets users type their PIN and then loads the page, but they just receive "you're not authorized" to access the GUI.
We also utilize ISE with the rest of our devices.
Currently we don't have any FTDs deployed, just ASA5545s with SFR modules. So I'm not concerned about any AnyConnect VPN or anything that is directly tied to FTDs.
We do have a realm set up on one of 4 FMCs (don't ask... lol) with ISE for pxGrid and are currently just pulling in identity information. We're not using any identity policies and are not currently concerned with this.
01-09-2023 06:00 PM
I have a document that spells out how to do this. Let me check if my group will allow me to send it to you in the full or in part.
Be advised that the upgrade to Windows 22H2 may have broken LDAP because we are having issues with our CAC access.
01-09-2023 06:44 PM
Any help would be appreciated. My last resort is TAC, just because half the time I have to spend 3 days re-explaining everything, and I'm not in an environment where I can screen share.
I know all the certificates and certificate chains are correct because we did the same process with ISE and it works there...
01-09-2023 07:06 PM
01-09-2023 07:16 PM
I've got access to DoD Safe. I'll send you a PM with my work email.
01-10-2023 01:28 PM - edited 01-10-2023 01:28 PM
We got CAC card login working today.
We had all the right certificates; the issue was the Username Template under advanced settings. We were trying to use %s@mil, but we had to use %s followed by whatever characters appear after your EDIPI number.
So, for example, 1222444555q.tok@mil is what shows up in the Subject Alternative Name, and we had to have the username template set to %sq.tok@mil.
I have no idea what the regex would look like if you had multiple variations, e.g. q.tok, q.tot, etc.
Our group-controlled access roles are split between the different groups based on their tier level and access. Start with the full DN, e.g. CN=Privelage1-Group,OU=Access_Group,DC=example,DC=com,
then nothing selected under default roles,
then Group Member Attribute = member.
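As an added example (not from this thread or from Cisco's own code), here is a small Python model of the Username Template matching described in the post above. It assumes, as the post states, that %s is substituted with the EDIPI (the leading digits of the UPN) and that the expanded template must equal the userPrincipalName carried in the certificate's Subject Alternative Name; the EDIPIs and suffixes below are constructed sample data, and suggest_templates answers the "multiple variations" question by listing one template per distinct suffix.

```python
import re

# Constructed sample: userPrincipalName values as they appear in the
# certificate SubjectAlternativeName (UPN) for several CAC holders.
SAMPLE_UPNS = [
    "1222444555q.tok@mil",
    "1222444556q.tok@mil",
    "1222444557q.tot@mil",  # a second suffix variation
]

# EDIPI is the 10-digit number that starts the UPN.
EDIPI_RE = re.compile(r"^(\d{10})")


def edipi_of(upn):
    """Return the 10-digit EDIPI that starts the UPN, or None if absent."""
    m = EDIPI_RE.match(upn)
    return m.group(1) if m else None


def expand_template(template, edipi):
    """Apply an FMC-style Username Template: every %s becomes the EDIPI (assumed behaviour)."""
    return template.replace("%s", edipi)


def template_matches(template, upn):
    """True when the expanded template equals the UPN the directory lookup must hit."""
    e = edipi_of(upn)
    return e is not None and expand_template(template, e) == upn


def check_templates(templates, upns):
    """Map each template to the UPNs it fails to match; an empty list means full coverage."""
    return {t: [u for u in upns if not template_matches(t, u)] for t in templates}


def suggest_templates(upns):
    """One template per distinct suffix after the EDIPI, so every observed UPN is covered."""
    suffixes = {upn[len(edipi_of(upn)):] for upn in upns if edipi_of(upn)}
    return sorted("%s" + s for s in suffixes)


if __name__ == "__main__":
    for tmpl, missed in check_templates(["%s@mil", "%sq.tok@mil"], SAMPLE_UPNS).items():
        print(f"{tmpl}: unmatched {missed}")
    print("templates needed:", suggest_templates(SAMPLE_UPNS))
```

Run it against the UPNs pulled from your own users' certificates to see which single suffix (if any) covers everyone before changing the template on the FMC.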
01-10-2023 02:03 PM