Hi all, I am trying to use a primary and secondary attribute from the certificate for authentication using the following configuration.

    hostname(config)# tunnel-group remotegrp type ipsec_ra
    hostname(config)# tunnel-group remotegrp general-attributes
    hostname(config-tunnel-general)# username-from-certificate CN OU

My understanding based on the following snippet is that a name is derived with a combination of CN and OU from the certificate. But when I do a Wireshark capture, I see only CN sent though I have configured the secondary attribute. Has anyone tried it? Any thoughts?

Snippet from http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1667251

username-from-certificate

To specify the field in a certificate to use as the username for authorization, use the username-from-certificate command in tunnel-group general-attributes mode. The DN of the peer certificate is used as the username for authorization. To remove the attribute from the configuration and restore default values, use the no form of this command.

    username-from-certificate {primary-attr [secondary-attr] | use-entire-name}
    no username-from-certificate

Syntax Description

    primary-attr     Specifies the attribute to use to derive a username for an authorization query from a certificate. If pre-fill-username is enabled, the derived name can also be used in an authentication query.
    secondary-attr   (Optional) Specifies an additional attribute to use with the primary attribute to derive a username for an authentication or authorization query from a digital certificate. If pre-fill-username is enabled, the derived name can also be used in an authentication query.
    use-entire-name  Specifies that the ASA must use the entire subject DN (RFC1779) to derive a name for an authorization query from a digital certificate.

Defaults

The default value for the primary attribute is CN (Common Name). The default value for the secondary attribute is OU (Organization Unit).

With regards
Kings
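The following is an added example, not part of the original post and not Cisco's code, for working out what username an authorization query should carry from a given certificate subject DN under the three username-from-certificate forms quoted above (primary attribute only, primary plus secondary, use-entire-name). The quoted snippet does not say how the primary and secondary attribute values are combined; the example assumes the secondary attribute is used as a fallback when the primary attribute is absent from the subject, and that assumption is marked in the code. The DN strings are constructed sample input, so the parser and derivation run offline and the result can be compared against what a capture actually shows.

```python
# Added example (not from the original post or from Cisco). Parses an
# RFC 1779 style subject DN and derives the username an authorization query
# would carry under the username-from-certificate options quoted in the post.
# ASSUMPTION: the secondary attribute is treated as a fallback used only when
# the primary attribute is missing from the subject; the quoted command
# reference does not state how the two values combine.

from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 1779 style DN ("CN=alice, OU=vpn, O=Example") into
    (attribute, value) pairs.  Backslash escapes and double-quoted values are
    honoured so a comma inside a value (CN="Smith, John") does not split it."""
    parts: List[str] = []
    buf: List[str] = []
    quoted = False
    escaped = False
    for ch in dn:
        if escaped:                     # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':                 # toggle quoted mode, drop the quote itself
            quoted = not quoted
        elif ch in ",;" and not quoted:  # RFC 1779 allows ',' or ';' as separator
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for part in parts:
        if "=" not in part:             # ignore empty or malformed components
            continue
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def first_value(pairs: List[Tuple[str, str]], attr: str) -> Optional[str]:
    """Return the value of the first occurrence of attr (case-insensitive)."""
    attr = attr.upper()
    for a, v in pairs:
        if a == attr:
            return v
    return None


def derive_username(dn: str, primary: str = "CN", secondary: Optional[str] = None,
                    use_entire_name: bool = False) -> Optional[str]:
    """Derive the username for the authorization query.

    - use_entire_name: the whole subject DN string is the username.
    - otherwise the primary attribute's value is used; if it is absent and a
      secondary attribute is configured, the secondary value is used instead
      (fallback semantics are an assumption, see module comment).
    Returns None when no configured attribute is present in the subject."""
    if use_entire_name:
        return dn
    pairs = parse_dn(dn)
    name = first_value(pairs, primary)
    if name is None and secondary is not None:
        name = first_value(pairs, secondary)
    return name


# Constructed sample subjects for demonstration; not real certificates.
SAMPLE_FULL = "CN=alice, OU=vpn-users, O=Example Corp, C=US"
SAMPLE_NO_CN = "OU=vpn-users, O=Example Corp, C=US"
SAMPLE_QUOTED = 'CN="Smith, John", OU=vpn-users, O=Example Corp'

if __name__ == "__main__":
    for subject in (SAMPLE_FULL, SAMPLE_NO_CN, SAMPLE_QUOTED):
        print(subject)
        print("  CN OU            ->", derive_username(subject, "CN", "OU"))
        print("  CN only          ->", derive_username(subject, "CN"))
        print("  use-entire-name  ->", derive_username(subject, use_entire_name=True))
```

Run it as a script to print the derived name for each sample subject under each form; when comparing with a capture, remember that the ASA sends the username in whatever authorization exchange is configured (RADIUS or LDAP), so the attribute to inspect is the one carrying the user name in that protocol.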
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
