10-04-2024 08:42 AM
Hi,
I have set up a Secure Client profile on an ASA (specifically a management tunnel). All works fine; however, under Monitoring in ASDM I get "unknown" in the username field. Is it possible to display the hostname the certificate was issued to?
10-04-2024 09:56 AM
Can you post us an example? Which one are you referring to here, so I can understand correctly?
10-04-2024 10:09 AM
Sure, note the "unknown" in the username column.
10-04-2024 10:11 AM
I saw the same issue before; I think the solution was using HostScan.
MHM
10-04-2024 10:18 AM
We are running ASA 9.12 and above; we can see the username.
10-04-2024 10:13 AM - edited 10-04-2024 10:21 AM
Hi Paul,
By default, the ASA does not map the certificate Common Name (CN) or Subject Alternative Name (SAN) from the client certificate directly to the username field in ASDM monitoring. However, you can configure the ASA to use the certificate’s CN or SAN as the username for identification. Here's how you can achieve this:
Steps to Configure Username Mapping from Certificate:
1- Enable Certificate to Username Mapping:
You can map the certificate field (like CN or SAN) to the username using the crypto ca trustpoint and username-from-certificate commands.
crypto ca trustpoint MyTrustpoint
enrollment terminal
subject-name CN=<Common Name>,OU=<Organizational Unit>
...
tunnel-group AnyConnect-Tunnel webvpn-attributes
authentication certificate
username-from-certificate CN
This example uses the CN from the certificate as the username. If the certificate uses SAN, you can adjust accordingly, for example:
username-from-certificate SAN-DNS
2- Verify the Certificate Mapping:
After configuring the ASA, verify the certificate-to-username mapping. To ensure it's working, you can either reconnect the client or issue the following command on the ASA to view the connection details:
show vpn-sessiondb detail anyconnect
This command will display detailed session information, including the username derived from the certificate.
3- Configure ASDM Monitoring Settings:
Once the username is derived from the certificate, ASDM should display the proper username under the monitoring section. You may need to refresh the session view or wait for the next session update to see the change reflected.
By configuring this certificate-to-username mapping, ASDM will now display the certificate’s CN or SAN in place of the "unknown" username.
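To check step 2 across every active session rather than eyeballing one connection, the following Python script (an added example, not from this thread or from Cisco) parses the text output of show vpn-sessiondb detail anyconnect and lists sessions whose Username is still "unknown", i.e. sessions where no certificate-to-username mapping applied. The sample output embedded in the script is constructed to approximate the ASA's "Username / Index" two-column layout; the exact fields shown on a real appliance vary by software version, so treat the parser's assumption of two-or-more-space column separation as just that, an assumption.

```python
"""
Audit helper (added example, not Cisco's code): parse the output of
`show vpn-sessiondb detail anyconnect` and flag sessions whose Username is
"unknown", which indicates no certificate-to-username mapping applied.
"""
from __future__ import annotations

import re

# Constructed sample output approximating the ASA layout: two "Key : value"
# pairs per line separated by runs of spaces. The first session has no
# mapped username; the second shows a CN-derived hostname.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : unknown                Index        : 12
Assigned IP  : 10.10.20.5             Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : MgmtTunnel-GP          Tunnel Group : MgmtTunnel-TG
Login Time   : 08:30:12 UTC Fri Oct 4 2024
Duration     : 0h:12m:03s

Username     : laptop01.example.com   Index        : 13
Assigned IP  : 10.10.20.6             Public IP    : 203.0.113.11
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : MgmtTunnel-GP          Tunnel Group : MgmtTunnel-TG
Login Time   : 08:31:40 UTC Fri Oct 4 2024
Duration     : 0h:10m:35s
"""


def parse_sessions(text: str) -> list[dict[str, str]]:
    """Return one dict per session, keyed by the field names in the output.

    A new session starts at every "Username" field. Key/value pairs that
    share a line are assumed to be separated by two or more spaces; the
    "Key : value" separator is normalised to "Key:value" first so the
    column split does not cut between a key and its colon.
    """
    sessions: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = re.sub(r"\s*:\s*", ":", raw.strip())
        if not line:
            continue
        for chunk in re.split(r"\s{2,}", line):
            if ":" not in chunk:
                continue
            key, value = chunk.split(":", 1)
            if key == "Username":
                current = {}
                sessions.append(current)
            if current is not None:
                current[key] = value
    return sessions


def unmapped_sessions(text: str) -> list[dict[str, str]]:
    """Sessions whose username was not derived from a certificate field."""
    return [s for s in parse_sessions(text)
            if s.get("Username", "").lower() == "unknown"]


def report(text: str) -> list[str]:
    """One human-readable line per unmapped session, for a quick review."""
    return [
        f"index {s.get('Index')} tunnel-group {s.get('Tunnel Group')} "
        f"public-ip {s.get('Public IP')}: username unknown"
        for s in unmapped_sessions(text)
    ]


if __name__ == "__main__":
    # Paste real `show vpn-sessiondb detail anyconnect` output in place of
    # SAMPLE_OUTPUT (or read it from a file) to audit a live appliance.
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

A session that still reports "unknown" after the tunnel-group change usually means the client reconnected before the change took effect, or the certificate lacks the field named in username-from-certificate; rerun the command after a reconnect before changing anything else.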