07-15-2024 05:08 AM
Hello!
We use SSL VPN with certificate based authentication. All users have personal certificates with subjectAltName = email:$USER@$DOMAIN
Would like to extract email from SAN to set it as username under "show vpn-sessiondb anyconnect"
Tried to use LUA script "return cert.subjectaltname" but logs show that returned value is not string
What is the correct way to parse cert.subjectaltname for LUA (ASA)?
Maybe there is a table of all available x509 variables?
Kind regards,
Vladimir Akhmarov
07-15-2024 10:01 AM
I used "cert.subjectaltname.upn" once, which is a string and typically matches the email address. Not sure if a variable exists for the RFC822 name (i.e. email). Table 3 doesn't list it: https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/asdm716/vpn/asdm-716-vpn-config/vpn-asdm-setup.html
07-15-2024 01:12 PM
Unfortunately "cert.subjectaltname.upn" is not present
Jul 15 2024 23:05:03 $HOSTNAME : %ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: $SERIAL, subject name: CN=$PERSON_DATA, issuer_name: CN=$ISSUER_DATA.
Jul 15 2024 23:05:03 $HOSTNAME : %ASA-4-113026: Error <username not found> while executing Lua script for group <$TUNNEL_GROUP>
# openssl x509 -noout -ext subjectAltName -in $PERSON_CERT.crt
X509v3 Subject Alternative Name:
email:example@domain.tld
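The thread ends without a confirmed ASA Lua variable for the RFC822 name, so the following is an added example, not part of the original thread or Cisco's code, showing the parsing step itself outside the ASA: it generates a throwaway self-signed certificate whose SAN carries both an email: and a DNS: entry (constructed test data, names assumed), then pulls out only the rfc822Name entries from the same "openssl x509 -noout -ext subjectAltName" output shown above. The function names (make_test_cert, san_emails, san_username) are this example's own. It needs OpenSSL 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
# Added example (not from the thread): extract rfc822Name entries from a
# certificate's subjectAltName with the openssl CLI and turn the first one
# into a username, failing when the certificate carries none.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed self-signed test certificate whose SAN is given as $1
# (e.g. "email:a@b.tld,DNS:host"); prints the path of the PEM certificate.
# Hypothetical subject; no real user or CA material is involved.
make_test_cert() {
  dir=$(mktemp -d "$WORK/cert.XXXXXX")
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Person" \
    -addext "subjectAltName=$1" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1 >/dev/null 2>&1
  printf '%s\n' "$dir/cert.pem"
}

# Print every rfc822Name in the SAN of the PEM certificate $1, one per line.
# openssl prints a header line followed by one line of comma-separated
# entries, so drop the header, split on commas, trim, and keep "email:" only
# (a DNS:, IP: or otherName: entry in the same SAN must not leak through).
san_emails() {
  openssl x509 -noout -ext subjectAltName -in "$1" \
    | tail -n +2 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | sed -n 's/^email:\(.*\)$/\1/p'
}

# Username candidate: the first email SAN entry. Returns non-zero when the
# certificate has no email SAN, the situation behind the "username not
# found" log line in the thread, so a caller can reject rather than guess.
san_username() {
  name=$(san_emails "$1" | head -n 1)
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}

CERT=$(make_test_cert "email:example@domain.tld,DNS:vpn.domain.tld")
san_username "$CERT"
```

Splitting on commas is safe for rfc822Name and dNSName entries because neither may contain a comma; if the SAN also carries an otherName (such as a UPN), its printed form varies between OpenSSL versions, which is why the filter anchors on the literal "email:" prefix instead of matching anything that looks like an address.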