02-25-2016 05:08 PM - edited 02-21-2020 08:42 PM
Hi,
I am testing AnyConnect with certificate-based authentication and it seems to be working. We use computer-based certificates, not user-based.
The problem is that when I check the session table below, the user's info like CN (computer name or username) is missing, and without it, it is hard to tell who this user is.
Our environment is big and we have our own internal CA, AD and ACS for further authentication and authorization.
The authorization is performed by ACS.
My end goal is to deploy always-on VPN with certificate-based authentication seamlessly and send all the user log-in info to the ACS server for logging and monitoring.
I am also interested in doing double (two-factor) authentication, pre-filling both username and password, and making it seamless for users' connections.
Can anyone give me the best direction on how? I am not worried about the two-factor auth for now, but about the issue I have below.
vpn# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : <Unknown> Index : 63
Assigned IP : 10.99.1.10 Public IP : 66.151.x.x
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 16909 Bytes Rx : 2868
Group Policy : DfltGrpPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 16:04:35 PST Thu Feb 25 2016
Duration : 0h:00m:07s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Thanks!
Josh
02-26-2016 04:19 AM
Hi,
Could you please share the "show version" of the VPN?
Regards,
Aditya
02-26-2016 11:11 AM
Ah! I forgot to mention it before:
Cisco Adaptive Security Appliance Software Version 9.1(6)10
AnyConnect is on version 4.2.01022
02-26-2016 07:31 PM
Hi,
Did you face this issue before or is it a new setup ?
Regards,
Aditya
02-27-2016 10:13 PM
New setup.
This is what I found so far. Our users' computers have 5 certificates installed, each one for a different purpose. AnyConnect picks a cert (client authentication) which doesn't have any Subject information on it by default, and fails to show the details in the session table when a user gets authenticated. After changing the authentication setting to send all DN info, I can now see the full domain name of the computer in the session table.
It is not as expected, but at least it is something to see when a user logs in.
-Josh
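The configuration below is an added example, not from the thread or from Cisco's documentation, of how the <Unknown> username in the session table relates to the ASA's username-from-certificate setting and how the derived identity is handed to ACS for authorization and accounting. Tunnel-group name, pool, certificate map, server address and RADIUS key are constructed placeholders; the syntax assumes ASA 9.1 as in the thread.

```cisco
! Added example (not from the thread). Names, IPs and the RADIUS key are
! constructed placeholders for an ASA 9.1 always-on AnyConnect setup.

! ACS over RADIUS. Whatever username the ASA derives from the certificate
! is the identity ACS receives, so it has to be meaningful.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.10.10.5
 key <radius-shared-secret>

! Steer certificates issued by the internal CA into a dedicated
! tunnel-group, so sessions no longer land in DefaultWEBVPNGroup /
! DfltGrpPolicy as in the session table above.
crypto ca certificate map CORP-MACHINE 10
 issuer-name co internal-ca
webvpn
 certificate-group-map CORP-MACHINE 10 ALWAYSON-TG

tunnel-group ALWAYSON-TG type remote-access
tunnel-group ALWAYSON-TG general-attributes
 address-pool VPN-POOL
 authorization-server-group ACS
 authorization-required
 accounting-server-group ACS
 ! Use the same whole-DN identity for the ACS authorization lookup.
 authorization-dn-attributes use-entire-name
tunnel-group ALWAYSON-TG webvpn-attributes
 authentication certificate
 ! Default is "username-from-certificate CN OU": a machine cert whose
 ! Subject carries no CN yields "Username : <Unknown>". use-entire-name
 ! records the full DN in the session table and in ACS logs instead.
 username-from-certificate use-entire-name
 group-alias ALWAYSON enable
 ! Later, for two-factor (assumed 9.1 syntax): replace the two lines
 ! above with "authentication aaa certificate" and add
 ! "pre-fill-username client" so the cert-derived name is pre-filled.
```

After applying the change, "show vpn-sessiondb anyconnect" should show the DN in place of <Unknown>, and the same string appears as the User-Name in ACS.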