Cisco AnyConnect Smart Card Authentication

I am having an issue with using a smart card (SC) to authenticate an SSL VPN using Cisco AnyConnect. SC authentication worked until recently. I am able to SC authenticate from other Windows 10 and macOS Monterey 12.6 systems, so I don't think the issue is the VPN profile or firewall configuration. Also, using the same SC and MacBook Pro where AnyConnect is failing, I am able to authenticate to websites using the certs stored on the SC, so it seems the system recognizes the SC for use with other applications.

AnyConnect version: 4.10.05111

macOS: Monterey 12.6

How do I troubleshoot and identify the problem with AnyConnect using the smart card?

Output from the firewall logs is below for a working and a non-working session using 2 different MBPs, both using the same OS and AnyConnect versions.

###SESSION NOT Working from MacOS Monterey 12.6 MacBook Pro using smart card

[2037] Session Start
[2037] New request Session, context 0x0000005598b5e6e8, reqType = Other
[2037] Fiber started
[2037] Creating LDAP context with uri=ldaps://IP.11:636
[2037] Connect to LDAP server: ldaps://IP.11:636, status = Successful
[2037] supportedLDAPVersion: value = 3
[2037] supportedLDAPVersion: value = 2
[2037] LDAP server IP.11 is Active directory
[2037] Binding as <<SERVICE ACCOUNT>>
[2037] Performing Simple authentication for <<SERVICE ACCOUNT>> to IP.11
[2037] LDAP Search:
Base DN = [DC=xxx,DC=yyy,DC=zzz]
Filter = [UserPrincipalName=<Unknown>] <-- I think this is the issue with the session failing, Not sure how to TSHOOT
Scope = [SUBTREE]
[2037] Search result parsing returned failure status
[2037] Fiber exit Tx=292 bytes Rx=983 bytes, status=-1
[2037] Session End



###SESSION Working from MacOS Monterey 12.6 MacBook Pro using smart card

[2038] Session Start
[2038] New request Session, context 0x0000005598b5e6e8, reqType = Other
[2038] Fiber started
[2038] Creating LDAP context with uri=ldaps://IP.11:636
[2038] Connect to LDAP server: ldaps://IP.11:636, status = Successful
[2038] supportedLDAPVersion: value = 3
[2038] supportedLDAPVersion: value = 2
[2038] LDAP server IP.11 is Active directory
[2038] Binding as <<SERVICE ACCOUNT>>
[2038] Performing Simple authentication for <<SERVICE ACCOUNT>> to IP.11
[2038] LDAP Search:
Base DN = [DC=xxx,DC=yyy,DC=zzz]
Filter = [UserPrincipalName=<<PROPER UPN>>]
Scope = [SUBTREE]
[2038] User DN = [REDACTED]
[2038] Talking to Active Directory server IP.11
[2038] Reading password policy for REDACTED
[2038] Read bad password count 1
[2038] LDAP Search:
Base DN = [DC=xxx,DC=yyy,DC=zzz]
Filter = [UserPrincipalName=<<PROPER UPN>>]
Scope = [SUBTREE]
[2038] Retrieved User Attributes:
[2038] objectClass: value = top
[2038] objectClass: value = person
[2038] objectClass: value = organizationalPerson
[2038] objectClass: value = user
[2038] cn: value = REDACTED
[2038] sn: value = REDACTED
[2038] givenName: value = Rodney
[2038] distinguishedName: value = REDACTED
[2038] instanceType: value = 4
[2038] whenCreated: value = 20220323123757.0Z
[2038] whenChanged: value = 20220601184723.0Z
[2038] displayName: value = REDACTED
[2038] uSNCreated: value = 9370690
[2038] memberOf: value = CN=VPN_User,OU=Groups,OU=Accounts,OU=Management,DC=xxx,DC=yyy,DC=zzz
[2038] mapped to Group-Policy: value = SC_GrpPolicy
[2038] mapped to LDAP-Class: value = SC_GrpPolicy
[2038] uSNChanged: value = 10153783
[2038] name: value = REDACTED
[2038] objectGUID: value = ....|~.B.I..?...
[2038] userAccountControl: value = 512
[2038] badPwdCount: value = REDACTED
[2038] codePage: value = 0
[2038] countryCode: value = 0
[2038] badPasswordTime: value = REDACTED
[2038] lastLogoff: value = 0
[2038] lastLogon: value = 0
[2038] pwdLastSet: value = REDACTED
[2038] primaryGroupID: value = 513
[2038] objectSid: value = ...............F..\.........
[2038] accountExpires: value = REDACTED
[2038] logonCount: value = 0
[2038] sAMAccountName: value = <<PROPER SAM ACCOUNT NAME>>
[2038] sAMAccountType: value = 805306368
[2038] userPrincipalName: value = <<PROPER UPN>>
[2038] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
[2038] dSCorePropagationData: value = 20220408005437.0Z
[2038] dSCorePropagationData: value = 20220407164116.0Z
[2038] dSCorePropagationData: value = 20220323124138.0Z
[2038] dSCorePropagationData: value = 20220323123811.0Z
[2038] dSCorePropagationData: value = 16010101000000.0Z
[2038] lastLogonTimestamp: value = 132925195647484762
[2038] msDS-SupportedEncryptionTypes: value = 0
[2038] Fiber exit Tx=643 bytes Rx=5103 bytes, status=1
[2038] Session End


Posted on Sep 27, 2022 10:54 AM
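The two debug traces above differ at exactly one point: in the failing session the ASA searches for `UserPrincipalName=<Unknown>`, meaning the firewall never derived a username from the smart card certificate before it went to LDAP, while in the working session the filter carries a real UPN. A quick way to confirm that across many sessions is to group the `debug ldap` output by session id and flag any search whose filter attribute was never populated. The script below is an added example written for this post, not something from the poster or from Cisco; the session grouping, the regexes and the abbreviated sample log (constructed from the two sessions quoted above, with a made-up UPN in place of the redacted one) are all assumptions about the ASA's log format, taken from the lines shown here.

```python
"""Group Cisco ASA 'debug ldap' style output into sessions and flag the ones
whose LDAP search filter was never populated from the client certificate.

Added example; the log format assumed here is inferred from the lines quoted
in the post. Sample input below is constructed, not a real capture."""
import re
from collections import OrderedDict

# Constructed sample: abbreviated copy of the two sessions in the post,
# with a placeholder UPN standing in for the redacted value.
SAMPLE_LOG = """\
[2037] Session Start
[2037] LDAP Search:
Base DN = [DC=xxx,DC=yyy,DC=zzz]
Filter = [UserPrincipalName=<Unknown>]
Scope = [SUBTREE]
[2037] Search result parsing returned failure status
[2037] Fiber exit Tx=292 bytes Rx=983 bytes, status=-1
[2037] Session End
[2038] Session Start
[2038] LDAP Search:
Base DN = [DC=xxx,DC=yyy,DC=zzz]
Filter = [UserPrincipalName=user@xxx.yyy.zzz]
Scope = [SUBTREE]
[2038] User DN = [CN=user,DC=xxx,DC=yyy,DC=zzz]
[2038] Fiber exit Tx=643 bytes Rx=5103 bytes, status=1
[2038] Session End
"""

# Lines that belong to a session start with "[<id>]"; the three search
# lines (Base DN / Filter / Scope) follow without the id prefix.
SESSION_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")
FILTER_RE = re.compile(r"^Filter = \[(\w+)=(.*)\]$")
EXIT_RE = re.compile(r"Fiber exit .*status=(-?\d+)")

# Filter values that mean "the ASA had no username to look up".
UNPOPULATED = {"<Unknown>", ""}


def parse_sessions(text):
    """Return an ordered mapping: session id -> filters, exit status, failures."""
    sessions = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SESSION_RE.match(line)
        if m:
            current = m.group(1)
            body = m.group(2)
            s = sessions.setdefault(
                current, {"filters": [], "status": None, "failures": []})
            e = EXIT_RE.search(body)
            if e:
                s["status"] = int(e.group(1))
            if "failure" in body.lower():
                s["failures"].append(body)
        elif current is not None:
            f = FILTER_RE.match(line)
            if f:
                sessions[current]["filters"].append((f.group(1), f.group(2)))
    return sessions


def diagnose(sessions):
    """Classify each session: 'username-missing' when the search filter was
    never filled from the certificate (the symptom in the post), 'ldap-failure'
    when a populated lookup still failed, otherwise 'ok'."""
    findings = {}
    for sid, s in sessions.items():
        empty = [attr for attr, val in s["filters"] if val in UNPOPULATED]
        if empty:
            findings[sid] = "username-missing"
        elif s["status"] is not None and s["status"] < 0:
            findings[sid] = "ldap-failure"
        else:
            findings[sid] = "ok"
    return findings


if __name__ == "__main__":
    for sid, verdict in diagnose(parse_sessions(SAMPLE_LOG)).items():
        print(f"session {sid}: {verdict}")
```

A `username-missing` verdict points at the step before LDAP: the certificate-to-username extraction on the firewall (or the certificate the client actually presented) rather than the directory itself, which is consistent with the poster's observation that the same card works against websites and from other machines. A `ldap-failure` verdict would instead point at the directory lookup.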
