FMC CAC Card Login with LDAP - Invalid User

Ketchup57
Level 1

Anyone able to enforce CAC card login on the FMC? Version 7.0.4-55
I've got it working to verify the HTTPS certificate with the user's CAC/token card and user PIN, and the webpage loads, but for the life of me I can't get any user able to log into the GUI.
I have the user built and external authorization checked.
I can test the SubjectAlternativeName/userPrincipalName and verify it gets assigned to the correct user group role via the FMC external LDAPS groups test with AD.

The FMC audit log and syslog just show "invalid user", and I did a recursive search through /var/log but am not seeing anything that stands out.

We had AD login (LDAPS) working until we enforced CAC cards. I've built a new external login method with CAC enforced. I've tried turning off the original LDAPS groups. Tested on a new FMC with just the CAC enforced: it lets users type their PIN and then loads the page, but they just receive "you're not authorized to access the GUI".

We also utilize ISE with the rest of our devices.
Currently we don't have any FTDs deployed, just ASA 5545s with SFR modules, so I'm not concerned about AnyConnect VPN or anything that is directly tied to FTDs.

We do have a realm set up on one of 4 FMCs (don't ask... lol) with ISE for pxGrid, currently just pulling in identity information. We're not using any identity policies and aren't currently concerned with this.

6 Replies

Eric R. Jones
Level 4

I have a document that spells out how to do this. Let me check if my group will allow me to send it to you in full or in part.

Be advised that the upgrade to Windows 22H2 may have broken LDAP because we are having issues with our CAC access.

Any help would be appreciated. My last resort is TAC, just because half the time I have to spend 3 days re-explaining everything and I'm not in an environment where I can screen share.

I know all the certificates and certificate chains are correct because we did the same process with ISE and it works there...

Do you have an offline email I can send it to, or do you have access to DoD SAFE?

I've got access to DoD Safe. I'll send you a PM with my work email.

We got CAC card login working today.

We had all the right certificates; the issue was the Username Template under advanced settings. We were trying to use %s@mil, but we had to use %s"insert any characters after your EDIPI number". For example, 1222444555q.tok@mil is what shows up in the subject alternative name, so we had to have the username template set to %sq.tok@mil. I have no idea what the regex would look like if you had multiple variations, such as q.tok, q.tot, etc.
Our group-controlled access roles are split between the different groups based on their tier level and access. Start with the full CN=Privelage1-Group,OU=Access_Group,DC=example,DC=com,
then nothing selected under default roles,
then for Group Member Attribute = member.
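To make the failure mode in this reply concrete, here is an added example (not from the poster or from Cisco) that models the username template substitution described above: the EDIPI is taken from the certificate's SAN userPrincipalName, substituted for %s, and the result has to equal the UPN the LDAP server knows. The SAN values, the template strings and the assumption that the lookup is an exact string comparison are constructed for this illustration.

```python
import re

# Constructed sample UPNs in the format the reply describes:
# a 10-digit EDIPI followed by a site-specific suffix and the @mil domain.
SAMPLE_UPNS = [
    "1222444555q.tok@mil",
    "1222444556q.tot@mil",
]

# Leading run of 10 digits = EDIPI, the only part the template's %s receives.
EDIPI_RE = re.compile(r"^(\d{10})")


def extract_edipi(upn: str) -> str:
    """Return the EDIPI prefix of a SAN UPN, or raise if it is malformed."""
    match = EDIPI_RE.match(upn)
    if not match:
        raise ValueError(f"no 10-digit EDIPI prefix in {upn!r}")
    return match.group(1)


def apply_template(template: str, edipi: str) -> str:
    """Model of the FMC username template: %s is replaced by the EDIPI."""
    return template.replace("%s", edipi)


def template_matches(template: str, upn: str) -> bool:
    """True when the templated name equals the UPN stored in the directory.

    This assumes an exact string comparison, which is consistent with
    '%s@mil' producing 'invalid user' while '%sq.tok@mil' succeeds.
    """
    return apply_template(template, extract_edipi(upn)) == upn


def first_matching_template(templates: list, upn: str):
    """Pick the first template (e.g. one per suffix variant) that matches.

    The page does not say whether FMC accepts a regex in the template, so
    multiple suffixes are modelled here as a list of candidate templates.
    """
    for template in templates:
        if template_matches(template, upn):
            return template
    return None
```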

Congratulations, and I just sent you a snippet from my document that may deal with the issue you're having on regex settings for multiple names that have different endings.

We use token cards here, which is a pain in the butt.

This addresses a couple of different endings that we come into contact with.

Contractors, government and local hires.

Good luck.