Help Requested - Start Before Login - With Guidelines

I'm trying to enable Start Before Login with the following constraints and am finding it difficult...

  1. The SBL profile should not be visible to the user when in the user context of the OS, or it should be the same profile.
  2. Clientless users must not be prompted for a certificate.
  3. Usernames must be prefilled from the certificate for user-context connections.

So I figured I could build a unified client profile for users, then on auth I could pass back a different connection profile via RADIUS that I could set up to allow different levels of access based on machine cert + user auth vs. user cert + user auth. Then there wouldn't be a different user experience on available profiles, which would satisfy #1.

At first I thought I'd do a simple cert map, but this violated #2, as unmanaged devices started getting prompted for certificates.

Then I thought I could play with a Lua script to kick back a username if it was a user cert or prompt for the username if it was a machine cert, but the ASA didn't seem to like returning a nil value, and an empty string didn't help either. Maybe I did it wrong?

Lua:
-- ASA username pre-fill script (Lua); "cert" is the client certificate the ASA passes in.
local CN = cert.subject.cn
local EA = cert.subject.ea  -- nil on machine certs that carry no e-mail address
-- Guard before lowering: string.lower(nil) raises a Lua error instead of returning.
-- The 4th argument (plain=true) keeps the "." in the domain from acting as a wildcard.
if CN ~= nil and EA ~= nil and string.find(string.lower(EA), "@mydomain.com", 1, true) ~= nil then
  return string.lower(CN)  -- user cert: pre-fill the CN
end
return nil  -- machine cert (or anything else): nothing to pre-fill

 

Has anyone else solved this?
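As an added example (not part of the original post, and not Cisco's code), the same selection logic wrapped in a function so it can be exercised offline in a plain Lua interpreter before loading it onto the ASA. The `cert` table layout (`cert.subject.cn`, `cert.subject.ea`) mirrors the fields the script receives on the ASA; the domain, the sample certificates and the function name `select_username` are assumptions constructed for the example. It also covers two cases the original snippet does not: a machine cert with no e-mail (which would otherwise crash `string.lower`) and an e-mail that merely contains the domain as a prefix of a longer name.

```lua
-- Added example: offline harness for the ASA username-selection logic.
-- "cert" layout mirrors what the ASA passes; everything else here is constructed.
local DOMAIN = "@mydomain.com"  -- assumed e-mail domain of user certificates

-- Returns the username to pre-fill, or nil when the caller should prompt instead.
local function select_username(cert)
  local cn = cert and cert.subject and cert.subject.cn
  local ea = cert and cert.subject and cert.subject.ea
  if cn == nil or ea == nil then
    return nil  -- machine certs typically carry no e-mail: prompt the user
  end
  ea = string.lower(ea)
  -- Suffix match rather than substring: "x@mydomain.com.example.org" must not pass.
  if #ea <= #DOMAIN or string.sub(ea, -#DOMAIN) ~= DOMAIN then
    return nil  -- e-mail present but not in our domain
  end
  return string.lower(cn)
end

-- Constructed sample certificates (not real data).
local user_cert    = { subject = { cn = "JSmith", ea = "JSmith@MyDomain.com" } }
local machine_cert = { subject = { cn = "LAPTOP-01.mydomain.com" } }       -- no ea
local lookalike    = { subject = { cn = "mallory", ea = "m@mydomain.com.example.org" } }
local foreign_cert = { subject = { cn = "guest", ea = "guest@example.org" } }

assert(select_username(user_cert) == "jsmith")
assert(select_username(machine_cert) == nil)
assert(select_username(lookalike) == nil)
assert(select_username(foreign_cert) == nil)
print("all cases behave as expected")
```

Run it with any stock Lua 5.x interpreter; only the body of `select_username` (minus the `local function` wrapper) is what would go into the ASA's script field. The suffix check is stricter than `string.find`, which would also accept any address that merely contains the domain somewhere in the middle.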