04-25-2011 07:24 AM
Curious if anyone could offer some insight into my current predicament.
When using both a primary and secondary username and password with WebVPN, the primary username is the reported value in syslog and other monitoring facilities. Is there a way to use the secondary username as the reported value?
I'm using the extended factor authentication to protect the Active Directory accounts from a lock-out attack. The primary auth is checked against local accounts and the secondary is checked against Active Directory. The local accounts are generic so that they can be handed out to groups, but that does not provide the needed who, what, and when within the syslogs and monitoring tools on the ASDM for each unique user.
Currently the login portal is displayed as such:
Method: (Drop list - > Client, Browser)
Group: (Local Account Name)
Phrase: (Local Account Password)
Username: (AD Username) <-- I want to use this value as the reported/logged username
Password: (AD Password)
"submit button"
04-25-2011 08:45 AM
Hi,
If your requirement is to add an authentication server to the security appliance instead of the local user database, then this could be accomplished by using your Active Directory as an authentication method for the WebVPN group.
To elaborate more, on the Group Policy WebVPN, just add the following:
authentication-server-group (name)
You should have your authentication server known by the security appliance as well.
Regards,
Mohamed
04-25-2011 08:50 AM
Perhaps I did not specify my issue as clearly as I could have.
I am doing both local authentication as well as AD authentication. This is working without issue.
My issue is in regards to how the ASA logs messages and reports currently connected users on vpn. It uses the local username rather than the AD username. I'm curious to know if there is a way in which, given my current configuration, to use the AD username (secondary auth username) instead.
For example:
LOCAL username example = vpngroup1
AD username example = john.smith <-- this is better
Thanks!
04-25-2011 11:05 AM
Figured it out, but my issue ended up being the ASDM.
The commands required are as follows:
authentication-attr-from-server secondary
authenticated-session-username secondary
Both commands are applied under:
tunnel-group [profile name] general-attributes
The problem is that these two radio options in the ASDM will not be applied UNLESS you also toggle the box that uses the primary username as the secondary username. That obviously would not work for me in my given environment, since the LOCAL and AD usernames are not the same; however, it can be worked around. Either enter the two commands manually through the CLI, or just toggle the checkbox as required to issue the commands as needed.
After checking the box "Use primary username (Hide secondary username on login page)" and switching both radio options "Attributes Server:" and "Session Username Server" to secondary, it applied the previously mentioned commands. This, however, will not work, as I then lost my other username textbox on the portal page.
At this point I simply unchecked the "Use primary username (Hide secondary username on login page)" checkbox and applied the changes. The ASDM only issued the commands:
tunnel-group [profile name] general-attributes
no secondary-authentication-server-group [AAA GROUP] use-primary-username
authentication-attr-from-server secondary
authenticated-session-username secondary
This has to be a bug of some sort. I'm using 8.4 and ASDM 6.4.
Attached is a small screenshot for clarity.
Find these settings under:
(ASDM Window)
Configuration -> Remote Access VPN -> Clientless/Client Access -> Connection Profiles -> [Choose Profile] -> Click "Edit"
(New ASDM Window)
Extend Advanced -> Select "Secondary Authentication"