09-27-2022 11:38 AM
I am having an issue with using a smart card (SC) to authenticate an SSL VPN using Cisco Anyconnect. SC authentication worked until recently. I am able to SC authenticate from other Windows 10 and MacOS Monterey 12.6 systems, so I don't think the issue is the VPN profile or firewall configuration. Also, using the same SC and MacBook Pro where Anyconnect is failing, I am able to authenticate to websites using the certs stored on the SC, so it seems the system recognizes the SC for use with other applications.
Anyconnect version: 4.10.05111
MacOS: Monterey 12.6
How do I troubleshoot and identify the problem with Anyconnect using the smart card?
Output from the firewall logs is below for a working and a non-working session, using 2 different MBPs, both on the same OS and Anyconnect versions.
###SESSION NOT Working from MacOS Monterey 12.6 MacBook Pro using smart card
[2037] Session Start
[2037] New request Session, context 0x0000005598b5e6e8, reqType = Other
[2037] Fiber started
[2037] Creating LDAP context with uri=ldaps://IP.11:636
[2037] Connect to LDAP server: ldaps://IP.11:636, status = Successful
[2037] supportedLDAPVersion: value = 3
[2037] supportedLDAPVersion: value = 2
[2037] LDAP server IP.11 is Active directory
[2037] Binding as <<SERVICE ACCOUNT>>
[2037] Performing Simple authentication for <<SERVICE ACCOUNT>> to IP.11
[2037] LDAP Search:
Base DN = [DC=xxx,DC=yyy,DC=zzz]
Filter = [UserPrincipalName=<Unknown>] <-- I think this is the issue with the session failing, Not sure how to TSHOOT
Scope = [SUBTREE]
[2037] Search result parsing returned failure status
[2037] Fiber exit Tx=292 bytes Rx=983 bytes, status=-1
[2037] Session End
###SESSION Working from MacOS Monterey 12.6 MacBook Pro using smart card
[2038] Session Start
[2038] New request Session, context 0x0000005598b5e6e8, reqType = Other
[2038] Fiber started
[2038] Creating LDAP context with uri=ldaps://IP.11:636
[2038] Connect to LDAP server: ldaps://IP.11:636, status = Successful
[2038] supportedLDAPVersion: value = 3
[2038] supportedLDAPVersion: value = 2
[2038] LDAP server IP.11 is Active directory
[2038] Binding as <<SERVICE ACCOUNT>>
[2038] Performing Simple authentication for <<SERVICE ACCOUNT>> to IP.11
[2038] LDAP Search:
Base DN = [DC=xxx,DC=yyy,DC=zzz]
Filter = [UserPrincipalName=<<PROPER UPN>>]
Scope = [SUBTREE]
[2038] User DN = [REDACTED]
[2038] Talking to Active Directory server IP.11
[2038] Reading password policy for REDACTED
[2038] Read bad password count 1
[2038] LDAP Search:
Base DN = [DC=xxx,DC=yyy,DC=zzz]
Filter = [UserPrincipalName=<<PROPER UPN>>]
Scope = [SUBTREE]
[2038] Retrieved User Attributes:
[2038] objectClass: value = top
[2038] objectClass: value = person
[2038] objectClass: value = organizationalPerson
[2038] objectClass: value = user
[2038] cn: value = REDACTED
[2038] sn: value = REDACTED
[2038] givenName: value = Rodney
[2038] distinguishedName: value = REDACTED
[2038] instanceType: value = 4
[2038] whenCreated: value = 20220323123757.0Z
[2038] whenChanged: value = 20220601184723.0Z
[2038] displayName: value = REDACTED
[2038] uSNCreated: value = 9370690
[2038] memberOf: value = CN=VPN_User,OU=Groups,OU=Accounts,OU=Management,DC=xxx,DC=yyy,DC=zzz
[2038] mapped to Group-Policy: value = SC_GrpPolicy
[2038] mapped to LDAP-Class: value = SC_GrpPolicy
[2038] uSNChanged: value = 10153783
[2038] name: value = REDACTED
[2038] objectGUID: value = ....|~.B.I..?...
[2038] userAccountControl: value = 512
[2038] badPwdCount: value = REDACTED
[2038] codePage: value = 0
[2038] countryCode: value = 0
[2038] badPasswordTime: value = REDACTED
[2038] lastLogoff: value = 0
[2038] lastLogon: value = 0
[2038] pwdLastSet: value = REDACTED
[2038] primaryGroupID: value = 513
[2038] objectSid: value = ...............F..\.........
[2038] accountExpires: value = REDACTED
[2038] logonCount: value = 0
[2038] sAMAccountName: value = <<PROPER SAM ACCOUNT NAME>>
[2038] sAMAccountType: value = 805306368
[2038] userPrincipalName: value = <<PROPER UPN>>
[2038] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
[2038] dSCorePropagationData: value = 20220408005437.0Z
[2038] dSCorePropagationData: value = 20220407164116.0Z
[2038] dSCorePropagationData: value = 20220323124138.0Z
[2038] dSCorePropagationData: value = 20220323123811.0Z
[2038] dSCorePropagationData: value = 16010101000000.0Z
[2038] lastLogonTimestamp: value = 132925195647484762
[2038] msDS-SupportedEncryptionTypes: value = 0
[2038] Fiber exit Tx=643 bytes Rx=5103 bytes, status=1
[2038] Session End
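The difference between the two sessions is in the LDAP filter: the working session searches for the user's UPN, the failing one for `<Unknown>`, i.e. the firewall could not derive a UPN from whatever certificate AnyConnect presented. A practical check on the failing Mac is to export the certificate the client is selecting and confirm it actually carries a UPN in its subjectAltName (OtherName, OID 1.3.6.1.4.1.311.20.2.3), which is what a UPN-based username-from-certificate mapping reads. The script below is an added example, not part of the original post or any Cisco tool; it assumes the firewall derives the LDAP username from the certificate's UPN SAN (the post does not show the configuration), uses only the standard library, and builds a constructed, unsigned certificate skeleton for the self-test rather than a real smart-card certificate.

```python
"""Report the Microsoft UPN carried in a certificate's subjectAltName, or its absence.
Hypothetical helper written for this example; run as: python upn_check.py cert.pem"""
import base64
import sys

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name OtherName
SAN_OID = "2.5.29.17"                # id-ce-subjectAltName


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        yield tag, vs, ve


def _decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def upn_from_san(san_der):
    """Return the UPN from a DER GeneralNames blob, or None if no UPN OtherName."""
    _, s, e, _ = _read_tlv(san_der, 0)                # GeneralNames SEQUENCE
    for tag, vs, ve in _children(san_der, s, e):
        if tag != 0xA0:                                # otherName is [0], constructed
            continue
        type_id, value = list(_children(san_der, vs, ve))[:2]
        if _decode_oid(san_der[type_id[1]:type_id[2]]) != UPN_OID:
            continue
        inner_tag, is_, ie, _ = _read_tlv(san_der, value[1])   # [0] EXPLICIT wrapper
        if inner_tag == 0x0C:                          # UTF8String
            return san_der[is_:ie].decode("utf-8")
    return None


def upn_from_der_cert(der):
    """Walk Certificate -> tbsCertificate -> [3] extensions -> SAN and return the UPN."""
    _, cert_s, _, _ = _read_tlv(der, 0)
    _, tbs_s, tbs_e, _ = _read_tlv(der, cert_s)
    for tag, vs, ve in _children(der, tbs_s, tbs_e):
        if tag != 0xA3:                                # [3] EXPLICIT Extensions
            continue
        _, exts_s, exts_e, _ = _read_tlv(der, vs)
        for _, es, ee in _children(der, exts_s, exts_e):
            fields = list(_children(der, es, ee))      # extnID, [critical], extnValue
            if _decode_oid(der[fields[0][1]:fields[0][2]]) == SAN_OID:
                return upn_from_san(der[fields[-1][1]:fields[-1][2]])
    return None


def load_der(path):
    """Read a DER or PEM certificate file into DER bytes."""
    data = open(path, "rb").read()
    if b"-----BEGIN" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    return data


# --- constructed test fixture (not a real certificate: unsigned, empty names) ---
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk, p = [p & 0x7F], p >> 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out += bytes(chunk)
    return out


def upn_name(upn):
    return _tlv(0xA0, _tlv(0x06, _encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, upn.encode())))


def rfc822_name(email):
    return _tlv(0x81, email.encode())


def build_demo_cert(general_names):
    """Minimal v3 certificate skeleton carrying the given SAN GeneralNames."""
    san = _tlv(0x30, b"".join(general_names))
    ext = _tlv(0x30, _tlv(0x06, _encode_oid(SAN_OID)) + _tlv(0x04, san))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")))
               + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"220101000000Z") + _tlv(0x17, b"230101000000Z"))
               + _tlv(0x30, b"") + _tlv(0x30, b"") + _tlv(0xA3, _tlv(0x30, ext)))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    print(upn_from_der_cert(load_der(sys.argv[1])) or "no UPN in subjectAltName")
```

If the certificate AnyConnect picks on the failing Mac prints "no UPN in subjectAltName" (for example because the card's e-mail-signing or encryption certificate is being selected rather than the authentication certificate), that matches the `UserPrincipalName=<Unknown>` filter in session 2037 and points at certificate selection on the client rather than at the LDAP or firewall side.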