ASA IPSEC-IKEv2 VPN - AAA question

mbilgrav
Level 3

Setup
----------
ASA5525-X running ASA-OS 9.8(2)35, configured as a VPN Headend gateway, using Native windoze 10 embedded VPN client.
(This translates into Old school IPSEC Remote Access VPN, but using IKEv2 Policies)
AAA is done using Certificates and LDAP attribute mappings. Also, I'm using CRL, and certificate mappings.

As such the setup is working.

NB: This setup is NOT related to SSL-VPN using AnyConnect!

Issue
----------

The authorization is done using LDAP integration, where the username is derived from the certificate.
Due to company policies, I need to add a lookup so that the username taken from the certificate must match a group membership (memberOf).
This is normally no issue, and is done in many places for user authentication ... BUT in this case it's computer accounts, not user accounts, hence the real AD username has a $-sign at the end of the username!
This conflicts with the CN subject field containing the username, as this cannot contain a $-sign.
The result is that I never get a match, e.g. on joescomputer.example.com, as the AD username for the computer account actually is JOESCOMPUTER$.

I want to check if the computer account located in the AD group "Domain Computers", or any other group for that matter, is present and whether it's enabled or disabled.

So how to go about this?
 - Some ASA trick?
 - Some certificate trick?
 - Learn Lua?
 - Any MS AD trick?

Please comment and advise.
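The lookup the question describes (certificate CN without the `$`, AD sAMAccountName with it, then a memberOf and enabled/disabled check) can be written down as a small authorization function. This is an added example and not from the thread or from Cisco; it is not ASA configuration, and the directory entries, group names and the CN-to-sAMAccountName rule (host label upper-cased plus `$`) are constructed assumptions. It also checks the userAccountControl disabled bit, which the post asks about but does not show.

```python
"""Constructed example: map a certificate CN to the AD computer account name
and check group membership plus the disabled flag on the matching LDAP entry."""
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts

# Constructed LDAP search results, keyed by sAMAccountName (as AD stores them).
FAKE_DIRECTORY = {
    "JOESCOMPUTER$": {
        "dNSHostName": "joescomputer.example.com",
        "memberOf": ["CN=Domain Computers,CN=Users,DC=example,DC=com",
                     "CN=VPN-Computers,OU=Groups,DC=example,DC=com"],
        "userAccountControl": 4096,  # WORKSTATION_TRUST_ACCOUNT, enabled
    },
    "OLDBOX$": {
        "dNSHostName": "oldbox.example.com",
        "memberOf": ["CN=Domain Computers,CN=Users,DC=example,DC=com"],
        "userAccountControl": 4096 | ACCOUNTDISABLE,  # disabled computer account
    },
}


def cn_to_sam(cn: str) -> str:
    """Assumed mapping: 'joescomputer.example.com' -> 'JOESCOMPUTER$'
    (first DNS label, upper-cased, with the trailing '$' AD uses)."""
    return cn.split(".")[0].upper() + "$"


def group_cn(dn: str) -> str:
    """Return the CN of a group DN, e.g. 'Domain Computers'."""
    first_rdn = dn.split(",")[0]
    return first_rdn.split("=", 1)[1]


def authorize_computer(cn: str, required_group: str, directory=FAKE_DIRECTORY):
    """Return (allowed, reason). Allowed only when the computer account exists,
    is not disabled, and is a member of required_group."""
    entry = directory.get(cn_to_sam(cn))
    if entry is None:
        return False, "no computer account for %s" % cn
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return False, "account disabled"
    if required_group not in [group_cn(g) for g in entry["memberOf"]]:
        return False, "not a member of %s" % required_group
    return True, "ok"
```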

1 Reply

mbilgrav
Level 3

Anyone?