Cisco Bug: CSCvi01142 - Not able to enable strip-realm when authentication method is Certificate only
Apr 27, 2018
- Cisco Firepower Management Center
Known Affected Releases
Symptom: FTD Remote Access VPN is configured for Client Certificate only authentication with RADIUS authorization, and authorization always fails with an invalid username whenever the certificate attribute used as the username carries a domain/realm, e.g. a Common Name of xyz@example.com.
Conditions:
- FTD Remote Access VPN is configured for Client Certificate only authentication and RADIUS authorization.
- The client certificate attribute used as the username (e.g. Common Name) contains a domain/realm, such as xyz@example.com, while the RADIUS server is configured to authorize the user without the domain/realm, i.e. xyz.
The group/domain/realm part is not removed from the username taken from the certificate before it is sent to the RADIUS authorization server, because even when the user checks 'strip-group' or 'strip-realm' (as the case may be) on the Connection Profile in the FMC UI, these options are not deployed to the FTD device when the authentication method is Client Certificate only.
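As an added device-side check (example code written for this note, not from Cisco or the bug report), the following Python parses `show running-config tunnel-group` output taken from the FTD and flags connection profiles that authenticate by certificate only, have an authorization server group, and carry no `strip-realm`/`strip-group` on the device, which is the condition under which the full certificate name reaches RADIUS. It also shows what username the headend would present with and without realm stripping. The config sample, tunnel-group names and server-group names are constructed placeholders, and the `@` delimiter handling in `radius_username` is an assumption for illustration.

```python
"""Flag FTD/ASA tunnel-groups whose certificate-derived username will reach
the RADIUS authorization server unstripped (cf. CSCvi01142)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `show running-config tunnel-group` output (not a real
# capture). RAVPN-CERT is certificate-only with RADIUS authorization and no
# strip-realm on the device; RAVPN-AAA is AAA-based and did get strip-realm.
SAMPLE_CONFIG = """\
tunnel-group RAVPN-CERT type remote-access
tunnel-group RAVPN-CERT general-attributes
 address-pool VPN-POOL
 authorization-server-group RADIUS-AUTHZ
 default-group-policy RAVPN-GP
 username-from-certificate CN
 authorization-required
tunnel-group RAVPN-CERT webvpn-attributes
 authentication certificate
tunnel-group RAVPN-AAA type remote-access
tunnel-group RAVPN-AAA general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-AUTH
 strip-realm
tunnel-group RAVPN-AAA webvpn-attributes
 authentication aaa
"""

SECTION_RE = re.compile(
    r"^tunnel-group (\S+) (type|general-attributes|webvpn-attributes)\b"
)


@dataclass
class TunnelGroup:
    name: str
    general: List[str] = field(default_factory=list)  # general-attributes lines
    webvpn: List[str] = field(default_factory=list)   # webvpn-attributes lines

    @property
    def cert_only(self) -> bool:
        # `authentication certificate` alone is FMC's "Client Certificate Only"
        return "authentication certificate" in self.webvpn

    @property
    def authz_server(self) -> str:
        for cmd in self.general:
            if cmd.startswith("authorization-server-group "):
                return cmd.split(None, 1)[1]
        return ""

    @property
    def strips_realm(self) -> bool:
        return "strip-realm" in self.general

    @property
    def strips_group(self) -> bool:
        return "strip-group" in self.general


def parse_tunnel_groups(config: str) -> Dict[str, TunnelGroup]:
    """Split running-config text into per-tunnel-group attribute lists."""
    groups: Dict[str, TunnelGroup] = {}
    current: Optional[List[str]] = None
    for raw in config.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            name, kind = m.groups()
            tg = groups.setdefault(name, TunnelGroup(name))
            current = {"general-attributes": tg.general,
                       "webvpn-attributes": tg.webvpn}.get(kind)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())  # indented line belongs to the open section
        else:
            current = None
    return groups


def affected_tunnel_groups(groups: Dict[str, TunnelGroup]) -> List[str]:
    """Tunnel-groups that send the unstripped certificate name to RADIUS:
    certificate-only auth, an authorization server, no strip-* on the device."""
    return sorted(
        tg.name for tg in groups.values()
        if tg.cert_only and tg.authz_server
        and not (tg.strips_realm or tg.strips_group)
    )


def radius_username(cert_name: str, strip_realm: bool = False,
                    strip_group: bool = False, delimiter: str = "@") -> str:
    """Username as presented to the authorization server.
    Assumption: realm follows the last '@'; group follows `delimiter`."""
    name = cert_name
    if strip_realm and "@" in name:
        name = name.rsplit("@", 1)[0]
    if strip_group and delimiter in name:
        name = name.split(delimiter, 1)[0]
    return name


if __name__ == "__main__":
    tgs = parse_tunnel_groups(SAMPLE_CONFIG)
    for name in affected_tunnel_groups(tgs):
        print(f"{name}: certificate-only auth, authorization via "
              f"{tgs[name].authz_server}, no strip-realm/strip-group deployed")
        print("  RADIUS sees:", radius_username("xyz@example.com"))
        print("  expected   :", radius_username("xyz@example.com", strip_realm=True))
```

If a tunnel-group is reported here while Strip Realm/Strip Group is checked on its Connection Profile in FMC, the option was dropped at deployment, which is the behaviour this bug describes; if it is not checked in FMC, the report simply means the profile was never configured to strip.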