
Cisco Bug: CSCvi01142 - Not able to enable strip-realm when authentication method is Certificate only

Last Modified

Apr 27, 2018

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

6.2.2

Description (partial)

Symptom:
FTD Remote Access VPN is configured for client-certificate-only authentication with RADIUS authorization, and authorization always fails with an invalid username whenever the certificate attribute used to derive the username carries a domain/realm, e.g. a Common Name of xyz@domain.com.

Conditions:
- FTD Remote Access VPN is configured for client-certificate-only authentication and RADIUS authorization.
- The certificate attribute used to derive the username includes a domain/realm (e.g. Common Name xyz@domain.com), while the RADIUS server is configured to authorize the bare username (xyz). Authorization fails because the group/domain/realm portion is not removed from the certificate-derived username before it is sent to the RADIUS authorization server.

The cause is that the 'strip-group' and 'strip-realm' options, even when checked on the Connection Profile in the FMC UI, are not deployed to the FTD device when the authentication method is client certificate only. The deployed tunnel-group therefore sends the unmodified certificate name to RADIUS.
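To make the failure mode concrete, the following is an added Python example (not Cisco's code and not part of the bug report). It models how the name sent to the RADIUS authorization server is derived from the certificate attribute with and without strip-realm / strip-group, and audits a running-config for whether those options actually landed under the tunnel-group's general-attributes. The running-config sample is constructed in ASA/FTD syntax; the tunnel-group names, the server-group names and the '#' group delimiter are assumptions.

```python
"""Model of the certificate-derived RADIUS username and a deployed-config check.

Added example, not Cisco's code. The running-config text below is constructed
to resemble ASA/FTD syntax; names and the group delimiter are assumptions.
"""
import re

# Assumption: '#' is the configured group delimiter for strip-group.
DEFAULT_GROUP_DELIMITER = "#"

# Matches the stanza that would carry strip-realm / strip-group.
TG_GENERAL_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")

# Constructed sample: RA-CERT-ONLY is the bug case (certificate auth, no strip
# options deployed); RA-AAA shows strip-realm present for comparison.
SAMPLE_RUNNING_CONFIG = """\
tunnel-group RA-CERT-ONLY type remote-access
tunnel-group RA-CERT-ONLY general-attributes
 address-pool RA-POOL
 authorization-server-group RADIUS-SRV
 username-from-certificate CN
tunnel-group RA-CERT-ONLY webvpn-attributes
 authentication certificate
tunnel-group RA-AAA type remote-access
tunnel-group RA-AAA general-attributes
 address-pool RA-POOL
 authentication-server-group RADIUS-SRV
 strip-realm
tunnel-group RA-AAA webvpn-attributes
 authentication aaa
"""


def radius_username(cert_name, strip_realm=False, strip_group=False,
                    group_delimiter=DEFAULT_GROUP_DELIMITER):
    """Return the username FTD would send to the RADIUS authorization server.

    strip-group drops '<delimiter>group' and strip-realm drops '@realm'.
    With neither applied the raw certificate attribute goes out unchanged,
    which is exactly what the bug produces even when both boxes are ticked.
    """
    name = cert_name
    if strip_group and group_delimiter in name:
        name = name.split(group_delimiter, 1)[0]
    if strip_realm and "@" in name:
        name = name.rsplit("@", 1)[0]
    return name


def deployed_strip_options(running_config, tunnel_group):
    """Report which strip options exist under the tunnel-group's general-attributes."""
    found = {"strip-realm": False, "strip-group": False}
    in_block = False
    for line in running_config.splitlines():
        match = TG_GENERAL_RE.match(line)
        if match:
            in_block = match.group(1) == tunnel_group
            continue
        if line.startswith("tunnel-group "):
            in_block = False      # any other tunnel-group stanza closes the block
            continue
        if in_block and line.strip() in found:
            found[line.strip()] = True
    return found


def check_deployment(cert_name, intended, running_config, tunnel_group):
    """Compare the name FMC intended to send with what the deployed config sends.

    intended: dict with 'strip-realm' / 'strip-group' booleans as set in FMC.
    Returns (intended_name, deployed_name, mismatch).
    """
    deployed = deployed_strip_options(running_config, tunnel_group)
    intended_name = radius_username(cert_name, intended["strip-realm"],
                                    intended["strip-group"])
    deployed_name = radius_username(cert_name, deployed["strip-realm"],
                                    deployed["strip-group"])
    return intended_name, deployed_name, intended_name != deployed_name


if __name__ == "__main__":
    fmc_settings = {"strip-realm": True, "strip-group": False}
    for tg in ("RA-CERT-ONLY", "RA-AAA"):
        wanted, sent, bad = check_deployment("xyz@domain.com", fmc_settings,
                                             SAMPLE_RUNNING_CONFIG, tg)
        print(f"{tg}: FMC intends '{wanted}', device sends '{sent}'"
              f"{' <- RADIUS will see an unknown user' if bad else ''}")
```

To run the check against a real device, capture `show running-config tunnel-group <name>` from the FTD CLI and pass that text as `running_config`; a certificate-only connection profile with strip-realm ticked in FMC that shows no `strip-realm` line in the output is this bug.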