06-26-2025 05:05 AM
Hello.
I am in the process of migrating AnyConnect from a Cisco ASA to FTD. Everything is working fine except the username. On the ASA users log on with their UPN, but on the FTD that fails and we have to use sAMAccountName. I've looked at the ASA config; it is set to sAMAccountName, but users sign in with UPN? I can't find anywhere in the ASA config where it is set to use UPN. Am I missing it some place? We want this on the FTD so it will be consistent for all users.
06-26-2025 05:30 AM
Hi Justin,
On ASA you could already use UPN because its built-in LDAP map includes both sAMAccountName and userPrincipalName. FTD’s default map only binds sAMAccountName, so UPNs fail.
Quick fix
In FMC (or CLI), create a custom LDAP attribute map that adds userPrincipalName as a “User-Name” RADIUS AV-pair.
Apply that map to your LDAP server settings.
Point your AnyConnect auth profile at that LDAP server.
Once that’s in place, FTD will accept logins like user@domain.com just like your ASA did.
06-26-2025 07:02 AM
Thank you! Are you able to show an example on where I would add this?
06-26-2025 07:27 AM
06-26-2025 07:42 AM
Thanks for the reply! So changing the LDAP map attribute to UPN fails. So somewhere I need to add an additional filter, either the Cisco attribute name or the Cisco attribute value.
06-26-2025 07:44 AM - edited 06-26-2025 07:46 AM
Can I see the ASA config?
The attribute is configured under aaa host
ldap-naming-attribute sAMAccountName>>userPrincipalName
MHM
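To make the naming-attribute change from the last reply concrete, here is an added ASA-syntax fragment (not configuration posted in this thread) showing the lookup keyed on sAMAccountName beside the same server keyed on userPrincipalName, plus the CLI test used to confirm which login form the server resolves. The server tag AD-LDAP, the IP 10.0.0.10, the DNs and the account jdoe are constructed placeholders; the thread's own steps apply the equivalent change on FTD through FMC.

```cisco
! Constructed example; server tag, IP, DNs and usernames are placeholders.
!
! BEFORE: lookups keyed on sAMAccountName. A login of "jdoe@example.com"
! is searched as (sAMAccountName=jdoe@example.com) and is not found.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
!
! AFTER: key the lookup on userPrincipalName so "jdoe@example.com" matches.
! Only the naming attribute changes; everything else on the host stays.
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-naming-attribute userPrincipalName
!
! The tunnel-group that AnyConnect users land in points at that server group.
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
!
! Verify from the CLI before users try it. With the UPN naming attribute the
! first test should succeed and the second (plain account name) should fail,
! which is the consistency the migration is after.
test aaa-server authentication AD-LDAP host 10.0.0.10 username jdoe@example.com password <pw>
test aaa-server authentication AD-LDAP host 10.0.0.10 username jdoe password <pw>
```

Picking one naming attribute is a trade-off: the firewall searches on exactly that attribute, so after the change plain sAMAccountName logins stop working, and users who still type the short name will show up as authentication failures in the syslog. If a test does not behave as expected, `debug ldap 255` prints the search filter the firewall actually sends, which tells you immediately whether the query is keyed on sAMAccountName or userPrincipalName.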