Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
934
Views
0
Helpful
1
Replies

Logging issue in certificate authentication - always on anyconnect

pjsutton1
Level 1
Level 1

‎09-18-2013 08:22 AM - edited ‎02-21-2020 07:09 PM

Im having some issues with logging using certificates for authentication. My setup is working fine as far as group policy - always on feature and anyconnect of course but going to the logs I am unable to determine who is logged on. Only that a particular session is logged on and the certificate was accepted as the authentication piece.

Here is a scrubbed snippet from the logs.

[some scrubbing]

6|Sep 18 2013|15:02:10|737026|||||IPAA: Client assigned 10.00.00.01 from local pool
7|Sep 18 2013|15:02:10|737001|||||IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
6|Sep 18 2013|15:02:10|725002|200.00.00.01|5762|||Device completed SSL handshake with client Outside:200.00.00.01/5762
7|Sep 18 2013|15:02:10|725012|200.00.00.01|5762|||Device chooses cipher : AES256-SHA for the SSL session with client Outside:200.00.00.01/5762

7|Sep 18 2013|15:02:10|725008|200.00.00.01|5762|||SSL client Outside:200.00.00.01/5762 proposes the following 6 cipher(s).

7|Sep 18 2013|15:02:10|725010|||||Device supports the following 2 cipher(s).
6|Sep 18 2013|15:02:10|725001|200.00.00.01|5762|||Starting SSL handshake with client Outside:200.00.00.01/5762 for TLSv1 session.
6|Sep 18 2013|15:02:10|725007|200.00.00.01|7126|||SSL session with client Outside:200.00.00.01/7126 terminated.
6|Sep 18 2013|15:02:10|725002|200.00.00.01|7126|||Device completed SSL handshake with client Outside:200.00.00.01/7126
7|Sep 18 2013|15:02:10|725012|200.00.00.01|7126|||Device chooses cipher : AES256-SHA for the SSL session with client Outside:200.00.00.01/7126

7|Sep 18 2013|15:02:10|725008|200.00.00.01|7126|||SSL client Outside:200.00.00.01/7126 proposes the following 18 cipher(s).

7|Sep 18 2013|15:02:10|725010|||||Device supports the following 2 cipher(s).
6|Sep 18 2013|15:02:10|725001|200.00.00.01|7126|||Starting SSL handshake with client Outside:200.00.00.01/7126 for TLSv1 session.
6|Sep 18 2013|15:02:10|716001|||||Group <Alwayson> User <myvpn> IP <200.00.00.01> WebVPN session started.
6|Sep 18 2013|15:02:10|734001|||||DAP: User myvpn, Addr 200.00.00.01, Connection AnyConnect: The following DAP records were selected for this connection: alwaysonpolicy
7|Sep 18 2013|15:02:10|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute endpoint.anyconnect.deviceuniqueid="long id number scrubbed"
7|Sep 18 2013|15:02:10|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute endpoint.anyconnect.devicetype="iPad2,1"
7|Sep 18 2013|15:02:05|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute endpoint.anyconnect.platformversion="6.1.3"
7|Sep 18 2013|15:02:05|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute endpoint.anyconnect.platform="apple-ios"
7|Sep 18 2013|15:02:05|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute endpoint.anyconnect.clientversion="3.0.09179"
7|Sep 18 2013|15:02:05|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute aaa.cisco.tunnelgroup = alwayson
7|Sep 18 2013|15:02:05|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute aaa.cisco.username2 =
7|Sep 18 2013|15:02:05|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute aaa.cisco.username1 = myvpn
7|Sep 18 2013|15:02:05|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute aaa.cisco.username = myvpn
7|Sep 18 2013|15:02:05|734003|||||DAP: User myvpn, Addr 200.00.00.01: Session Attribute aaa.cisco.grouppolicy = Alwayson
6|Sep 18 2013|15:02:05|716038|||||Group <DfltGrpPolicy> User <myvpn> IP <200.00.00.01> Authentication: successful, Session Type: WebVPN.
4|Sep 18 2013|15:02:05|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 0A, subject name: cn=myvpn, issuer_name: cn=myvpn.mydomain.com.
7|Sep 18 2013|15:02:05|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 0A, subject name: cn=myvpn, issuer_name: cn=myvpn.mydomain.com.
6|Sep 18 2013|15:02:05|113009|||||AAA retrieved default group policy (Alwayson) for user = myvpn
4|Sep 18 2013|15:02:05|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 0A, subject name: cn=myvpn, issuer_name: cn=myvpn.mydomain.com.
7|Sep 18 2013|15:02:05|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 0A, subject name: cn=myvpn, issuer_name: cn=myvpn.mydomain.com.
7|Sep 18 2013|15:02:05|113028|||||Extraction of username from VPN client certificate has completed.  [Request 19]
7|Sep 18 2013|15:02:05|113028|||||Extraction of username from VPN client certificate has finished successfully.  [Request 19]
7|Sep 18 2013|15:02:05|113028|||||Extraction of username from VPN client certificate has started.  [Request 19]
7|Sep 18 2013|15:02:05|113028|||||Extraction of username from VPN client certificate has been requested.  [Request 19]
7|Sep 18 2013|15:02:01|725008|200.00.00.01|51374|||SSL client Outside:200.00.00.01/51374 proposes the following 6 cipher(s).

7|Sep 18 2013|15:02:01|725010|||||Device supports the following 2 cipher(s).
6|Sep 18 2013|15:02:01|725001|200.00.00.01|51374|||Starting SSL handshake with client Outside:200.00.00.01/51374 for TLSv1 session.
6|Sep 18 2013|15:01:59|725007|200.00.00.01|26137|||SSL session with client Outside:200.00.00.01/26137 terminated.
4|Sep 18 2013|15:01:59|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 0A, subject name: cn=myvpn, issuer_name: cn=myvpn.mydomain.com.
7|Sep 18 2013|15:01:59|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 0A, subject name: cn=myvpn, issuer_name: cn=myvpn.mydomain.com.
6|Sep 18 2013|15:01:59|725002|200.00.00.01|26137|||Device completed SSL handshake with client Outside:200.00.00.01/26137
6|Sep 18 2013|15:01:59|717028|||||Certificate chain was successfully validated with warning, revocation status was not checked.
6|Sep 18 2013|15:01:59|717022|||||Certificate was successfully validated. serial number: 0A, subject name:  cn=myvpn.
7|Sep 18 2013|15:01:59|717030|||||Found a suitable trustpoint LOCAL-CA-SERVER to validate certificate.
7|Sep 18 2013|15:01:59|717029|||||Identified client certificate within certificate chain. serial number: 0A, subject name: cn=myvpn.
7|Sep 18 2013|15:01:59|717025|||||Validating certificate chain containing 1 certificate(s).

[some scrubbing]

Hope someone can help with this I need to know what user is attached to the certificate and it appears the logs are grabbing the name of the device as the user rather that the user name attached to the certificate. What am I missing?

Labels:
0 Helpful
1 Reply 1

nstewart
Level 1
Level 1

‎09-25-2013 05:09 AM

I am setting up something similar and when I do a debug aaa authentication I can see the user details in the certificate e.g. in the Certificate Successfully validated line I am seeing the serial number xxxxxxxx, subject name cn = Nicola Stewart etc

This matches on my user certificate on the machine.

Have you set up a .xml Anyconnect Client profile for this policy?

Are you using any Pre-login?

I can get user certificates to work but I can't get it use the machine certificate and I can't get Pre-login working either.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents