Friday, July 24, 2020

Anyconnect LDAP + certificate authentication query

Hi folks,

On our remote VPN from our ASA we are using LDAP + certificate based authentication, and adding the UPN as the username from the certificate.

The issue we are having is for newly built machines, and I am trying to understand exactly how it works. A new machine will initially have only a machine cert. In order to register them for a user cert, they'd need to log on first to the VPN - as we are using AlwaysOn and deny internet access unless they're connected to the VPN.

So for newly built machines that only have a machine cert (Anyconnect is set to search both for a personal and a machine one) - the authentication succeeds. But the user can't log in with the UPN - they have to use their sAMAccountName. Given they don't have a user cert yet, how does this work? Does the option set in the tunnel group to use the UPN from the certificate not apply to machine certs? Is it only the user cert that will have the UPN in the Subject Alternative Name field? Even though I understand the general concepts - I'm a bit of a beginner when it comes to certificates. Your help is much appreciated!
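The question hinges on what the ASA can actually read out of each certificate's Subject Alternative Name. A UPN lives in the SAN as an otherName with the Microsoft UPN OID (1.3.6.1.4.1.311.20.2.3), which is what user certificate templates typically populate; machine certificate templates typically populate a dNSName instead, so a "use the UPN from the certificate" rule has nothing to pick up. The example below is added here and is not the ASA's code or anything from the original post: it builds two constructed SAN extensions (one user-style with a UPN, one machine-style with only a DNS name), walks the DER, and shows what a UPN-keyed username rule yields for each. The `username_from_certificate` helper, the `primary`/`fallback` field names and the sample names are assumptions for illustration only.

```python
"""Walk an X.509 subjectAltName (DER) and show which certificate yields a
UPN-based username. Educational example, not the ASA's own logic."""
from typing import Optional

# Microsoft UPN otherName type-id: 1.3.6.1.4.1.311.20.2.3, DER-encoded value
UPN_OID = bytes.fromhex("2b060104018237140203")


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def upn_general_name(upn: str) -> bytes:
    """otherName ::= [0] IMPLICIT { type-id OID, value [0] EXPLICIT UTF8String }"""
    inner = der(0x06, UPN_OID) + der(0xA0, der(0x0C, upn.encode("utf-8")))
    return der(0xA0, inner)


def dns_general_name(host: str) -> bytes:
    """dNSName ::= [2] IMPLICIT IA5String"""
    return der(0x82, host.encode("ascii"))


def san(*names: bytes) -> bytes:
    """SubjectAltName ::= SEQUENCE OF GeneralName"""
    return der(0x30, b"".join(names))


def read_tlv(buf: bytes, off: int):
    """Return (tag, content, offset after this element)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def san_names(san_der: bytes) -> dict:
    """Collect UPNs and DNS names from a SAN extension value."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    found = {"upn": [], "dns": []}
    off = 0
    while off < len(seq):
        tag, content, off = read_tlv(seq, off)
        if tag == 0xA0:  # otherName: only the UPN type-id is of interest here
            oid_tag, oid, after_oid = read_tlv(content, 0)
            val_tag, explicit, _ = read_tlv(content, after_oid)
            if oid_tag == 0x06 and oid == UPN_OID and val_tag == 0xA0:
                str_tag, raw, _ = read_tlv(explicit, 0)
                if str_tag == 0x0C:
                    found["upn"].append(raw.decode("utf-8"))
        elif tag == 0x82:  # dNSName
            found["dns"].append(content.decode("ascii"))
        # other GeneralName choices (rfc822Name, IP, ...) are skipped
    return found


def username_from_certificate(san_der: bytes, primary: str = "upn",
                              fallback: Optional[str] = None) -> Optional[str]:
    """Hypothetical model of a 'username from certificate' rule: take the
    first value of the primary SAN field, else the fallback field, else None."""
    names = san_names(san_der)
    for field in (primary, fallback):
        if field and names.get(field):
            return names[field][0]
    return None


# Constructed sample SANs (not real certificates)
USER_CERT_SAN = san(upn_general_name("jsmith@corp.example"))
MACHINE_CERT_SAN = san(dns_general_name("pc01.corp.example"))

if __name__ == "__main__":
    print("user cert   ->", username_from_certificate(USER_CERT_SAN))      # jsmith@corp.example
    print("machine cert->", username_from_certificate(MACHINE_CERT_SAN))   # None
    print("machine cert, DNS fallback ->",
          username_from_certificate(MACHINE_CERT_SAN, fallback="dns"))     # pc01.corp.example
```

The point for the scenario in the post: with only a machine certificate presented, a UPN-keyed rule returns nothing, so whatever username the user types is what goes to LDAP, and sAMAccountName is what the directory bind will match. Whether a machine certificate carries a UPN at all is decided by the CA template, not by the ASA; inspect the SAN of a real machine cert before assuming either way.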
