Anyconnect Parsing certificate username incorrectly

danbryan80
Level 1

Can anyone help me figure out why my "sh vpn-sessiondb anyconnect" doesn't parse the username properly? Here is a picture of what it's doing, and what I'm expecting.

It's saying "Users" instead of "Dan Bryan"

I am using the default Microsoft Users certificate template.

username.png

6 Replies 6

Jatin Katyal
Cisco Employee

Can you paste the output of show run tunnel-group?

Jatin Katyal
- Do rate helpful posts -

~Jatin

asa# show run tunnel-group Securesub
tunnel-group Securesub type remote-access
tunnel-group Securesub general-attributes
 address-pool VPN_POOL
 authentication-server-group SECURESUB_LDAP LOCAL
 default-group-policy Securesub
tunnel-group Securesub webvpn-attributes
 authentication certificate
 group-alias Se3curesub disable
 group-alias Securesub enable

danbryan80
Level 1

Bump... Any ideas on this?

Jatin Katyal
Cisco Employee

Sorry my system crashed so no access to emails. I would like you to try a command username-from-certificate cn under webvpn attributes.

~Jatin

It doesn't seem like you can issue that command under webvpn-attributes, but I was able to do it under general-attributes. I logged off and back onto the VPN, and it still shows as Users.

asa(config)# show run tunnel-group Securesub
tunnel-group Securesub type remote-access
tunnel-group Securesub general-attributes
 address-pool VPN_POOL
 authentication-server-group SECURESUB_LDAP LOCAL
 default-group-policy Securesub
 username-from-certificate CN
tunnel-group Securesub webvpn-attributes
 authentication certificate
 group-alias Securesub enable

asa(config)# tunnel-group Securesub general-attributes
asa(config-tunnel-general)# username-from-certificate cn
asa(config-tunnel-general)# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : Users                  Index        : 176
Assigned IP  : x.x.x.x                  Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 174804                 Bytes Rx     : 87313
Group Policy : Securesub              Tunnel Group : Securesub
Login Time   : 10:16:24 EDT Fri Jun 7 2013
Duration     : 0h:03m:52s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

I changed it to:

username-from-certificate use-entire-name

and it gave me the following output, which is acceptable:

Username     : e=Dan.Bryan@securesub.net,cn=Dan Bryan,cn=Users,dc=securesub,dc=net

I would still prefer for it to just say "Dan Bryan", but it looks like having 2 CNs is throwing it off.

Thanks
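The two-CN ambiguity described in the post above, as an added example that is not part of the original thread and not ASA code: a small Python parser for the subject string the ASA printed, showing that "the CN" resolves to either Dan Bryan or Users depending on which end of the DN the search starts from. The function names and the selection order are assumptions for illustration; the thread does not confirm how the ASA chooses.

```python
# Added illustration, not ASA code; the selection order in pick() is an assumption.
# SUBJECT is the string the ASA printed with use-entire-name in the thread.
SUBJECT = "e=Dan.Bryan@securesub.net,cn=Dan Bryan,cn=Users,dc=securesub,dc=net"

def parse_dn(dn):
    """Split a DN string into (type, value) pairs in the order written."""
    # Handles backslash escapes and '+' multi-valued RDNs; hex escapes and quotes are not handled.
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was a backslash: keep literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":            # unescaped separator ends the component
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def values_of(dn, attr):
    """All values of one attribute type, in the order written."""
    return [v for a, v in parse_dn(dn) if a == attr.lower()]

def pick(dn, attr, from_end=False):
    """Pick a single value, scanning from the start or from the end of the DN."""
    vals = values_of(dn, attr)
    if not vals:
        return None
    return vals[-1] if from_end else vals[0]

def is_ambiguous(dn, attr):
    """True when the attribute occurs with more than one distinct value."""
    return len(set(values_of(dn, attr))) > 1

if __name__ == "__main__":
    print("CN values      :", values_of(SUBJECT, "cn"))
    print("CN, from start :", pick(SUBJECT, "cn"))
    print("CN, from end   :", pick(SUBJECT, "cn", from_end=True))
    print("CN ambiguous   :", is_ambiguous(SUBJECT, "cn"))
```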