Anyconnect VPN - Logon with UPN

Hi, I've got an AnyConnect client VPN configured with authentication utilising LDAP, all working fine with users logging on with their standard firstname.lastname. However, I'm trying to set up the logon to utilise the UPN, i.e. firstname.lastname@test.co.uk. If on the LAN, users can utilise their UPN, which indicates that AD is correctly configured to accept that type of logon request, so my query is to confirm if it is actually a change to the firewall that is needed and, if so, what that may be. There are options to strip off domains etc.; these are all set to default.

It may be an AD issue; I just can't find anything to indicate what / where the issue is.

Thank you for your assistance

Accepted Solution (VIP Advocate)


If you want to utilize the UPN to login to the AnyConnect client, you can change the LDAP configuration of the ASA to use UPN as the naming attribute instead of sAMAccountName. Usually your ASA ldap configuration looks something like this:

ciscoasa(config-aaa-server-group)#aaa-server LDAP_SRV_GRP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit
Change "ldap-naming-attribute sAMAccountName" to "ldap-naming-attribute userPrincipalName" and users should be able to use their UPN instead of firstname.lastname.
GUI-based config referenced below:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html
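
The lookup the answer describes (search the directory by the configured naming attribute, then authenticate as the entry that comes back) can be walked through offline. This is an added example, not the ASA's own code or anything posted in the thread; the directory entry, domain, DN and password below are constructed placeholders.

```python
import hmac

# Constructed in-memory directory standing in for AD: DN -> attributes.
# Placeholder domain and password; nothing here comes from the thread.
DIRECTORY = {
    "cn=Jane Doe,cn=users,dc=example,dc=test": {
        "sAMAccountName": "jane.doe",
        "userPrincipalName": "jane.doe@example.test",
        "userPassword": "CorrectHorse",
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a submitted username must not rewrite the filter."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_filter(naming_attribute: str, username: str) -> str:
    """Search filter equivalent to what ldap-naming-attribute selects."""
    return f"({naming_attribute}={escape_filter_value(username)})"

def search(naming_attribute: str, username: str):
    """Return the single DN whose naming attribute equals the login name.
    Both attributes are compared case-insensitively, as AD does."""
    wanted = username.lower()
    matches = [dn for dn, attrs in DIRECTORY.items()
               if attrs.get(naming_attribute, "").lower() == wanted]
    return matches[0] if len(matches) == 1 else None

def authenticate(naming_attribute: str, username: str, password: str) -> bool:
    """Step 1: search with the service account (ldap-login-dn).
    Step 2: bind as the returned DN with the user's password.
    With sAMAccountName configured, a UPN-style login finds no entry and
    fails before any bind is attempted; that is the symptom in the question."""
    dn = search(naming_attribute, username)
    if dn is None:
        return False
    stored = DIRECTORY[dn]["userPassword"].encode()
    return hmac.compare_digest(stored, password.encode())

if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        for name in ("jane.doe", "jane.doe@example.test"):
            print(attr, name, authenticate(attr, name, "CorrectHorse"))
```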

Hi Rahul, just wanted to thank you for your prompt response and for providing the answer to my query. Interestingly, I had actually tried the UPN element previously but it failed; potentially I copied it incorrectly, as I know it's case sensitive. Thanks again for your assistance.