AnyConnect missing CN info on session table

Joshuskarki
Level 1

Hi, 

I am testing AnyConnect with certificate-based authentication and it seems to be working. We use computer-based certificates, not user-based.

The problem is that when I check the session table below, the user's info like the CN (computer name or username) is missing, and without it, it is hard to tell who this user is.

Our environment is big and we have our own internal CA, AD and ACS for further authentication and authorization.

The authorization is performed by ACS.

My end goal is to deploy always-on VPN with certificate-based authentication seamlessly and send all the user log-in info to the ACS server for logging and monitoring.

I am also interested in doing double (two-factor) authentication, pre-filling both username and password to make the connection seamless for users.

Can anyone give me the best direction on how? I am not worried about the two-factor auth for now, but about the issue I have below.

vpn# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : <Unknown>              Index        : 63
Assigned IP  : 10.99.1.10             Public IP    : 66.151.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 16909                  Bytes Rx     : 2868
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 16:04:35 PST Thu Feb 25 2016
Duration     : 0h:00m:07s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Thanks!

Josh

4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Could you please share the show version output of the VPN server?

Regards,

Aditya

Ah! I forgot to mention it before: 

Cisco Adaptive Security Appliance Software Version 9.1(6)10

AnyConnect is on version 4.2.01022

Hi,

Did you face this issue before, or is it a new setup?

Regards,

Aditya

New setup. 

This is what I found so far. Our users' computers have 5 certificates installed, each one for a different purpose. By default, AnyConnect picks a cert (client authentication) which doesn't have any Subject information on it, and so the details fail to show on the session table when a user gets authenticated. After changing the authentication setting to send all DN info, I can now see the full domain name of the computer on the session table.

It is not as expected, but at least it is something to see when a user logs in.

-Josh
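As an added example (not code from the thread or from Cisco), the script below shows both halves of what Josh ran into: how a username gets derived from a client certificate's Subject DN, and a check over the `show vpn-sessiondb anyconnect` output that flags sessions whose Username came back as `<Unknown>`. The username selection mirrors the ASA tunnel-group option `username-from-certificate` (primary/secondary attribute, or use-entire-name, which is the "send all DN info" setting Josh switched to); the DN strings and the session-table text are constructed sample input, and the `CN` then `OU` attribute order is an assumption about the default.

```python
"""Added example, not from the thread: derive a VPN username from a
certificate Subject DN the way the ASA username-from-certificate option
does, and flag <Unknown> sessions in 'show vpn-sessiondb anyconnect' output.
All sample data below is constructed for illustration."""
import re


def parse_dn(dn):
    """Split an OpenSSL-style DN ("/DC=com/DC=corp/CN=host") or a
    comma-separated one ("CN=host, OU=Laptops") into ordered
    (attribute, value) pairs. Attribute names are upper-cased."""
    sep = "/" if dn.startswith("/") else ","
    pairs = []
    for part in dn.strip().strip("/").split(sep):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def username_from_certificate(subject_dn, primary="CN", secondary="OU",
                              use_entire_name=False):
    """Return the username the VPN headend would log for this subject.
    Assumption: with attribute selection, the primary attribute is tried
    first, then the secondary; None models the '<Unknown>' session entry.
    use_entire_name=True returns the whole DN (the 'send all DN info' case)."""
    rdns = parse_dn(subject_dn)
    if use_entire_name:
        return ",".join(f"{a}={v}" for a, v in rdns) if rdns else None
    for wanted in (primary, secondary):
        for attr, value in rdns:
            if attr == wanted and value:
                return value
    return None  # no usable attribute: shows up as <Unknown>


# Constructed sample of 'show vpn-sessiondb anyconnect' with two sessions:
# one from a cert with no Subject CN, one after switching to the entire DN.
SAMPLE_OUTPUT = """vpn# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : <Unknown>              Index        : 63
Assigned IP  : 10.99.1.10             Public IP    : 66.151.0.10
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 16:04:35 PST Thu Feb 25 2016

Session Type: AnyConnect

Username     : CN=host01.corp.example.com,OU=Laptops,DC=corp,DC=example,DC=com   Index        : 64
Assigned IP  : 10.99.1.11             Public IP    : 66.151.0.11
Group Policy : DfltGrpPolicy          Tunnel Group : CertAuthGroup
Login Time   : 16:05:12 PST Thu Feb 25 2016
"""

_USER_RE = re.compile(r"Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)")
_IP_RE = re.compile(r"Assigned IP\s*:\s*(\S+)\s+Public IP\s*:\s*(\S+)")
_GRP_RE = re.compile(r"Group Policy\s*:\s*(\S+)\s+Tunnel Group\s*:\s*(\S+)")


def parse_sessions(output):
    """Parse the session table into dicts, one per 'Session Type:' block."""
    sessions = []
    for chunk in re.split(r"^Session Type:.*$", output, flags=re.M)[1:]:
        m_user, m_ip, m_grp = _USER_RE.search(chunk), _IP_RE.search(chunk), _GRP_RE.search(chunk)
        if not (m_user and m_ip and m_grp):
            continue  # incomplete block; skip rather than guess
        sessions.append({
            "username": m_user.group(1),
            "index": int(m_user.group(2)),
            "assigned_ip": m_ip.group(1),
            "public_ip": m_ip.group(2),
            "group_policy": m_grp.group(1),
            "tunnel_group": m_grp.group(2),
        })
    return sessions


def unidentified_sessions(sessions):
    """Sessions that cannot be tied to a user or host: the monitoring gap
    the thread describes."""
    return [s for s in sessions if s["username"] == "<Unknown>"]


if __name__ == "__main__":
    machine_cert = "/DC=com/DC=example/DC=corp/OU=Laptops/CN=host01.corp.example.com"
    dc_only_cert = "/DC=com/DC=example/DC=corp"
    print("CN selection :", username_from_certificate(machine_cert))
    print("no CN        :", username_from_certificate(dc_only_cert))
    print("entire name  :", username_from_certificate(dc_only_cert, use_entire_name=True))
    for s in unidentified_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(f"UNIDENTIFIED session index={s['index']} ip={s['assigned_ip']} "
              f"from {s['public_ip']} tunnel-group={s['tunnel_group']}")
```

Run `unidentified_sessions` over the real table periodically (or feed the parsed records to ACS/your SIEM) so that an `<Unknown>` username with an assigned IP is treated as a finding rather than silently accepted; a cert whose Subject carries only DC components yields `None` under attribute selection, which is exactly the case where switching to the entire name recovers something attributable.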