06-29-2016 02:41 PM - edited 02-21-2020 08:52 PM
I'm trying to do certificate based authentication with the ASA and AnyConnect VPN. I'm having trouble extrapolating a user name with the certificate I have on a PIV card that can be mapped to an LDAP/AD account. I was wondering if there was a Lua script that could help me extract something usable with the limited fields I have on the certificate.
I have a PIV card that has very limited attributes that I can map to an LDAP account.
Example my PIV certificate has the following attributes in the subject field:
CN=John Doe (Test)
OU=Test Fake Corporation
O=Fake Site
C=US
My PIV certificate also has this attribute in the SAN field:
RFC822 Name=doe.john@example.com
---------
In LDAP (active directory), I have these attributes below for this example account:
1. CN=<username>
2. DN is CN=<username>,OU=Users,OU=ABC,OU=TFC,DC=test,DC=example,DC=com --> TFC is short for Test Fake Corporation
3. mail is doe.john@example.com
4. UPN is Doe.John@example.com
I'm not familiar with Lua scripting at all but I can get by if I have an example to follow. But is there a Lua script where I can extract the username from the SAN field and match it to the mail or UPN attribute in LDAP?
07-07-2016 08:36 AM - edited 10-03-2024 08:40 AM
Hi chanjs787,
I have seen this working before, I found an example of a Lua script but I can't assure you it is going to work:
Hope this info helps!!
Rate if helps you!!
07-08-2016 11:31 AM
Hi JP,
Thanks for the information. I saw that option to extract the username from UPN in the SAN field of the certificate but the problem is my certificate does not have a UPN defined in the SAN. It has the RFC822 defined in the SAN field instead which is the email address.
I found this bug below which states that is impossible to extract username from RFC822name from SAN:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtl21177/?referring_site=bugquickviewredir
I will try both methods out and let you know how it goes. I appreciate the feedback and information.
06-05-2017 10:29 AM
Did you ever get this to work? I'm running into the same issue.
Thanks
06-05-2017 03:40 PM
Sorry, I accidentally clicked "Correct Answer" on your post and not sure how to undo it.
I actually did not get a chance to try either of the methods that were provided in JP Miranda's post due to my strict change controls and time constraints.
I actually worked with my Active Directory Admin to create a custom LDAP attribute that is associated with each user's account to match what was in the UPN field of the PIV certificate. Depending on how your AD/LDAP schema is set up with PIV. Our users in AD had another LDAP attribute that was already partially populated with the PIV certificate's UPN value along with other values in the LDAP attribute. My AD admin created a script to query that LDAP attribute to extrapolate that specific value to be populated into the custom LDAP attribute for each user account.
Then all I had to do on the ASA was create an AAA LDAP server group and specify the custom LDAP attribute in the "Naming Attribute". Then create your connection profiles like you normally do, specifying the UPN field to be used for the username for authentication. And for authorization, for Server Group refer to the AAA LDAP server group you created with the custom LDAP Attribute. I attached a PDF for your reference on the ASA side of things.
Sorry, I can't help much on the AD side of things on how my AD Admin did it.
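The mapping the thread is after (SAN rfc822Name from the PIV certificate matched against the account's mail or UPN in AD), as an added illustration that is not from the original posts or from Cisco; the certificate fields and AD entries are constructed from the thread's example values, and the escaping, case-folding and exactly-one-match checks are the parts a practitioner would want before trusting such a lookup for authorization:

```python
import re

# Constructed PIV certificate fields mirroring the thread's example (not a parsed real cert).
PIV_CERT = {
    "subject": {"CN": "John Doe (Test)", "OU": "Test Fake Corporation", "O": "Fake Site", "C": "US"},
    "san": {"rfc822Name": "doe.john@example.com"},  # no UPN (otherName) in the SAN, as in the thread
}

# Constructed AD entries carrying the attributes listed in the thread.
AD_USERS = [
    {"cn": "jdoe", "mail": "doe.john@example.com", "userPrincipalName": "Doe.John@example.com"},
    {"cn": "asmith", "mail": "smith.anne@example.com", "userPrincipalName": "Anne.Smith@example.com"},
]

def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 hex escapes)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def username_from_cert(cert):
    """Prefer a SAN UPN when present; otherwise fall back to the SAN rfc822Name (email)."""
    san = cert.get("san", {})
    upn = san.get("otherName:UPN")  # hypothetical key; this constructed cert has none
    if upn:
        return upn
    email = san.get("rfc822Name")
    # Only accept a plain single-address form before using it in a directory lookup.
    if not email or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError("certificate carries no usable SAN name")
    return email

def ldap_filter(email):
    """Filter matching either the mail or the userPrincipalName attribute."""
    e = ldap_escape(email)
    return f"(|(mail={e})(userPrincipalName={e}))"

def match_account(email, users):
    """Case-insensitive match (the thread's UPN differs from mail only in case);
    require exactly one hit so an ambiguous mapping never yields a username."""
    needle = email.casefold()
    hits = [u for u in users
            if u["mail"].casefold() == needle or u["userPrincipalName"].casefold() == needle]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one account for {email}, found {len(hits)}")
    return hits[0]["cn"]

if __name__ == "__main__":
    email = username_from_cert(PIV_CERT)
    print(ldap_filter(email))
    print("mapped to account:", match_account(email, AD_USERS))
```

Running it prints the LDAP filter it would issue and `jdoe` as the mapped account; feeding it a certificate without an rfc822Name or a filter value containing `*` or `)` shows the validation and escaping at work.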