01-24-2019 01:57 AM
Hi, I've got an AnyConnect client VPN configured with authentication utilising LDAP, all working fine with users logging on with their standard firstname.lastname. However, I'm trying to set up the log on to utilise the UPN, i.e. firstname.lastname@test.co.uk. If on the LAN, users can utilise their UPN, which indicates that AD is correctly configured to accept that type of log on request, so my query is to confirm if it is actually a change to the firewall that is needed and, if so, what that may be. There are options to strip off domains etc.; these are all set to default.
It may be an AD issue; I just can't find anything to indicate what / where the issue is.
Thank you for your assistance
01-24-2019 06:06 AM
If you want to utilize the UPN to log in to the AnyConnect client, you can change the LDAP configuration of the ASA to use the UPN as the naming attribute instead of sAMAccountName. Usually your ASA LDAP configuration looks something like this:
ciscoasa(config-aaa-server-group)#aaa-server LDAP_SRV_GRP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit
Change "ldap-naming-attribute sAMAccountName" to "ldap-naming-attribute userPrincipalName" and users should be able to use their UPN instead of firstname.lastname.
GUI-based config referenced below:
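As an added example (not part of the answer above, and not Cisco code), the following Python simulates the sequence the ASA performs against LDAP when an AnyConnect user authenticates: it binds with the ldap-login-dn, searches under ldap-base-dn for an entry whose naming attribute equals the typed username, then binds as the matched DN with the user's password. The directory, DNs, account names and passwords are all constructed for the example. It shows why swapping sAMAccountName for userPrincipalName makes the UPN form work, and two caveats worth checking before rolling it out: after the change the plain firstname.lastname form stops matching, and the tunnel-group strip-realm option (if enabled) removes the @domain part before the lookup, so the UPN can never match.

```python
"""Simulation of the Cisco ASA LDAP authentication flow (search, then bind).
Constructed example: the directory below is made up, and this is not ASA code."""

from dataclasses import dataclass


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop spaces after commas so that
    'cn=Admin, cn=Users, dc=test' and 'cn=admin,cn=users,dc=test' compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed stand-in for an AD domain. Keys are normalized DNs; attribute
# names are stored lower-case because LDAP attribute names are case-insensitive.
DIRECTORY = {
    normalize_dn("cn=jane.doe,cn=users,dc=test,dc=co,dc=uk"): {
        "samaccountname": "jane.doe",
        "userprincipalname": "jane.doe@test.co.uk",
        "password": "Winter2019!",  # stands in for the secret AD verifies on bind
    },
    normalize_dn("cn=svc-asa,cn=users,dc=test,dc=co,dc=uk"): {
        "samaccountname": "svc-asa",
        "userprincipalname": "svc-asa@test.co.uk",
        "password": "BindPassw0rd",
    },
}


@dataclass
class AsaLdapServer:
    """The parts of an 'aaa-server ... host' block that matter for this flow."""
    base_dn: str
    login_dn: str
    login_password: str
    naming_attribute: str = "sAMAccountName"
    strip_realm: bool = False  # tunnel-group general-attributes 'strip-realm'


def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry["password"] == password


def ldap_search(base_dn: str, attribute: str, value: str) -> list:
    """Subtree search under base_dn for entries whose attribute equals value.
    AD compares sAMAccountName and userPrincipalName values case-insensitively."""
    base = normalize_dn(base_dn)
    attr = attribute.lower()
    return [
        dn for dn, entry in DIRECTORY.items()
        if dn.endswith(base) and entry.get(attr, "").lower() == value.lower()
    ]


def asa_authenticate(server: AsaLdapServer, username: str, password: str) -> str:
    """ASA sequence: optional realm strip, bind as ldap-login-dn, search for
    <ldap-naming-attribute>=<username>, then bind as the single matched DN."""
    if server.strip_realm and "@" in username:
        username = username.split("@", 1)[0]  # 'jane.doe@test.co.uk' -> 'jane.doe'
    if not ldap_bind(server.login_dn, server.login_password):
        return "LOGIN_DN_BIND_FAILED"  # ldap-login-dn / ldap-login-password wrong
    matches = ldap_search(server.base_dn, server.naming_attribute, username)
    if not matches:
        return "NO_MATCH"  # nothing in the directory has naming-attribute == typed name
    if len(matches) > 1:
        return "AMBIGUOUS"  # a non-unique result is rejected
    return "OK" if ldap_bind(matches[0], password) else "USER_BIND_FAILED"


if __name__ == "__main__":
    asa = AsaLdapServer("dc=test, dc=co, dc=uk",
                        "cn=svc-asa, cn=users, dc=test, dc=co, dc=uk", "BindPassw0rd")
    for attr in ("sAMAccountName", "userPrincipalName"):
        asa.naming_attribute = attr
        for user in ("jane.doe", "jane.doe@test.co.uk"):
            print(f"{attr:18} {user:22} -> {asa_authenticate(asa, user, 'Winter2019!')}")
```

Running it prints OK for jane.doe only under sAMAccountName and OK for jane.doe@test.co.uk only under userPrincipalName; the other two combinations return NO_MATCH, which is the failure an AnyConnect user sees as a rejected login when the naming attribute does not match the format they typed.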
01-25-2019 12:23 AM
Hi Rahul, just wanted to thank you for your prompt response and for providing the answer to my query. Interestingly, I had actually tried the UPN element previously but it failed; potentially I copied it incorrectly, as I know it's case sensitive. Thanks again for your assistance.