WebVPN Logged Username

Jonathan Tomlin
Level 1

Curious if anyone could offer some insight into my current predicament.

When using both a primary and secondary username and password with web vpn, the primary username is the reported value in syslog and other monitoring facilities.  Is there a way to use the secondary username as the reported value?

I'm using the extended factor authentication to protect the Active Directory accounts from a lock-out attack.  The primary auth is checked against local accounts and the secondary is checked against Active Directory.  The local accounts are generic so that they can be handed out to groups, but that does not provide the needed who, what, and when within the syslogs and monitoring tools on the ASDM for each unique user.

Currently the login portal is displayed as such:

Method: (Drop list - > Client, Browser)

Group: (Local Account Name)

Phrase: (Local Account Password)

Username: (AD Username) <--  I want to use this value as the reported/logged username

Password: (AD Password)

"submit button"

3 Replies

Mohamed Sobair
Level 7

Hi,

If your requirement is to add an authentication server to the security appliance instead of the user local database, then this could be accomplished by using your Active Directory as an authentication method for the WebVPN group.

To elaborate more, on the Group Policy WebVPN, just add the following:

authentication-server-group (name)

You should have your authentication server known by the security appliance as well.

Regards,

Mohamed

Perhaps I did not specify my issue as clearly as I could have.

I am doing both local authentication as well as AD authentication.  This is working without issue.

My issue is in regards to how the ASA logs messages and reports currently connected users on vpn.  It uses the local username rather than the AD username.  I'm curious to know if there is a way in which, given my current configuration, to use the AD username (secondary auth username) instead.

For example:

LOCAL username example = vpngroup1

AD username example = john.smith  <-- this is better

Thanks!

Jonathan Tomlin
Level 1

Figured it out, but my issue ended up being the ASDM.

The commands required are as follows:

authentication-attr-from-server secondary

authenticated-session-username secondary

Both commands are applied under:

tunnel-group [profile name] general-attributes

The problem is that these two radio options in the ASDM will not be applied UNLESS you also toggle the box that uses the primary username as the secondary username.   That obviously would not work for me in my given environment since the LOCAL and AD usernames are not the same; however, it can be worked around.  Either enter the two commands manually through CLI, or just toggle the checkbox as required to issue the commands as needed.

After checking the box "Use primary username (Hide secondary username on login page)" and switching both radio options "Attributes Server:" and "Session Username Server" to secondary, it applied the previously mentioned commands.  This however will not work, as I then lost my other username textbox on the portal page.

At this point I simply unchecked the "Use primary username (Hide secondary username on login page)" checkbox and applied the changes. The ASDM only issued the command:

tunnel-group [profile name] general-attributes

no secondary-authentication-server-group [AAA GROUP] use-primary-username

Thus leaving:

tunnel-group [profile name] general-attributes

authentication-attr-from-server secondary

authenticated-session-username secondary

This has to be a bug of some sort.  I'm using 8.4 and ASDM 6.4.

Attached is a small screenshot for clarity.

Find these settings under:

(ASDM Window)

Configuration -> Remote Access VPN -> Clientless/Client Access -> Connection Profiles -> [Choose Profile] -> Click "Edit"

(New ASDM Window)

Extend Advanced -> Select "Secondary Authentication"
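The working configuration Jonathan arrives at, written out as one ASA CLI fragment so the two commands are seen in context with the double-authentication setup they depend on. This is an added example, not text from the thread; the AAA server group name AD-SERVERS, the profile name MY-WEBVPN-PROFILE, the generic local account vpngroup1 and the verification commands at the end are my assumptions.

```text
! Added example (not from the thread). Assumed names: AD-SERVERS, MY-WEBVPN-PROFILE.
!
! Primary factor: a generic group account in the LOCAL user database.
username vpngroup1 password <group-phrase>
!
! Secondary factor: the per-user Active Directory account. The group
! AD-SERVERS is assumed to exist already, e.g.
!   aaa-server AD-SERVERS protocol ldap
!
tunnel-group MY-WEBVPN-PROFILE type remote-access
tunnel-group MY-WEBVPN-PROFILE general-attributes
 authentication-server-group LOCAL
 secondary-authentication-server-group AD-SERVERS
 ! Do NOT append "use-primary-username" to the line above: it hides the
 ! second username field, and here the LOCAL and AD usernames differ.
 !
 ! Take the session attributes from the secondary (AD) server ...
 authentication-attr-from-server secondary
 ! ... and report the secondary (AD) username in syslog and session tables,
 ! so logs show john.smith rather than the shared account vpngroup1.
 authenticated-session-username secondary
!
! Verify what ASDM actually pushed, since the GUI may drop these two lines:
!   show running-config tunnel-group MY-WEBVPN-PROFILE
!   show vpn-sessiondb webvpn      (Username column should now show the AD name)
```

If the `show running-config` output lacks the two `secondary` lines after an ASDM change, re-enter them from the CLI as the thread describes.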
