cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
553
Views
0
Helpful
0
Replies

Cisco Anyconnect authentication using smart card with MacOS Monterey

elcid98-1a6
Level 1
Level 1

I am having an issue with using a smart card (SC) to authenticate an SSL VPN using Cisco Anyconnect. SC authentication worked until recently. I am able to SC authenticate from other windows 10 and MacOS Monterey 12.6 systems so I dont think the issue is the vpn profile or firewall configuration. Also, using the same SC and MacBook Pro where anyconnect is failing, I am able to authenticate to websites using the certs stored on the SC so it seems the system recognizes the SC for use with other applications.

 

Anyconnect version: 4.10.05111

MacOS: Monterey 12.6

 

How do I troubleshoot and identify the problem with Anyconnect using the smart card?

 

Output from the firewall logs are below for a working and non-working session using 2 different MBPs both using the same OS and anyconnect versions.

###SESSION NOT Working from MacOS Monterey 12.6 MacBook Pro using smart card

[2037] Session Start

[2037] New request Session, context 0x0000005598b5e6e8, reqType = Other

[2037] Fiber started

[2037] Creating LDAP context with uri=ldaps://IP.11:636

[2037] Connect to LDAP server: ldaps://IP.11:636, status = Successful

[2037] supportedLDAPVersion: value = 3

[2037] supportedLDAPVersion: value = 2

[2037] LDAP server IP.11 is Active directory

[2037] Binding as <<SERVICE ACCOUNT>>

[2037] Performing Simple authentication for <<SERVICE ACCOUNT>> to IP.11

[2037] LDAP Search:

Base DN = [DC=xxx,DC=yyy,DC=zzz]

Filter = [UserPrincipalName=<Unknown>] <-- I think this is the issue with the session failing, Not sure how to TSHOOT

Scope = [SUBTREE]

[2037] Search result parsing returned failure status

[2037] Fiber exit Tx=292 bytes Rx=983 bytes, status=-1

[2037] Session End

 

 

###SESSION Working from MacOS Monterey 12.6 MacBook Pro using smart card

[2038] Session Start

[2038] New request Session, context 0x0000005598b5e6e8, reqType = Other

[2038] Fiber started

[2038] Creating LDAP context with uri=ldaps://IP.11:636

[2038] Connect to LDAP server: ldaps://IP.11:636, status = Successful

[2038] supportedLDAPVersion: value = 3

[2038] supportedLDAPVersion: value = 2

[2038] LDAP server IP.11 is Active directory

[2038] Binding as <<SERVICE ACCOUNT>>

[2038] Performing Simple authentication for <<SERVICE ACCOUNT>> to IP.11

[2038] LDAP Search:

Base DN = [DC=xxx,DC=yyy,DC=zzz]

Filter = [UserPrincipalName=<<PROPER UPN>>]

Scope = [SUBTREE]

[2038] User DN = [REDACTED]

[2038] Talking to Active Directory server IP.11

[2038] Reading password policy for REDACTED

[2038] Read bad password count 1

[2038] LDAP Search:

Base DN = [DC=xxx,DC=yyy,DC=zzz]

Filter = [UserPrincipalName=<<PROPER UPN>>]

Scope = [SUBTREE]

[2038] Retrieved User Attributes:

[2038] objectClass: value = top

[2038] objectClass: value = person

[2038] objectClass: value = organizationalPerson

[2038] objectClass: value = user

[2038] cn: value = REDACTED

[2038] sn: value = REDACTED

[2038] givenName: value = Rodney

[2038] distinguishedName: value = REDACTED

[2038] instanceType: value = 4

[2038] whenCreated: value = 20220323123757.0Z

[2038] whenChanged: value = 20220601184723.0Z

[2038] displayName: value = REDACTED

[2038] uSNCreated: value = 9370690

[2038] memberOf: value = CN=VPN_User,OU=Groups,OU=Accounts,OU=Management,DC=xxx,DC=yyy,DC=zzz

[2038] mapped to Group-Policy: value = SC_GrpPolicy

[2038] mapped to LDAP-Class: value = SC_GrpPolicy

[2038] uSNChanged: value = 10153783

[2038] name: value = REDACTED

[2038] objectGUID: value = ....|~.B.I..?...

[2038] userAccountControl: value = 512

[2038] badPwdCount: value = REDACTED

[2038] codePage: value = 0

[2038] countryCode: value = 0

[2038] badPasswordTime: value = REDACTED

[2038] lastLogoff: value = 0

[2038] lastLogon: value = 0

[2038] pwdLastSet: value = REDACTED

[2038] primaryGroupID: value = 513

[2038] objectSid: value = ...............F..\.........

[2038] accountExpires: value = REDACTED

[2038] logonCount: value = 0

[2038] sAMAccountName: value = <<PROPER SAM ACCOUNT NAME>>

[2038] sAMAccountType: value = 805306368

[2038] userPrincipalName: value = <<PROPER UPN>>

[2038] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz

[2038] dSCorePropagationData: value = 20220408005437.0Z

[2038] dSCorePropagationData: value = 20220407164116.0Z

[2038] dSCorePropagationData: value = 20220323124138.0Z

[2038] dSCorePropagationData: value = 20220323123811.0Z

[2038] dSCorePropagationData: value = 16010101000000.0Z

[2038] lastLogonTimestamp: value = 132925195647484762

[2038] msDS-SupportedEncryptionTypes: value = 0

[2038] Fiber exit Tx=643 bytes Rx=5103 bytes, status=1

[2038] Session End

0 Replies 0