Hello all, looking for a little help with an odd situation here. VPN units are MAG6611s running 7.4R9.3. I have a working realm that successfully authenticates off our AD domain controllers (auth server type is Active Directory, not LDAP). Nothing fancy. Couple of different roles behind it; role mapping rules are based on group membership. "Enable Group Search with LDAP" is not checked in the auth server setup, so my understanding is that means the MAG is using native AD methods to determine what groups users are in.

OK, now the boss wants to enable two-factor authentication. I've done this before by creating a certificate auth server, having it generate the username from one of the fields in the cert, then configuring the realm to use the certificate server first and the AD or LDAP server as secondary. Usually works fine.

The issue here is that the users who access this realm are outside contractors, not employees of my company. So they get a login account in our AD, but they don't get a user certificate from us. They have user certificates from their employer. I have imported the necessary CA certs to be able to validate their user certs, no issue there. If I configure the certificate auth server to set their username to their email address like I usually do, it gets set to something like [email protected]. Then when the MAG goes to do the secondary authentication to my AD server with that, it fails. My Windows guy is telling me it's because the domains don't match, i.e. ours look like [email protected]. We tried changing the email address field in the user's AD login properties to [email protected], but that still did not work; the AD authentication still fails.

Any suggestions on how to make this work? I'm thinking I probably have to eliminate the certificate server auth and go back to just the AD auth, and then do something in the certificate restrictions screen to try to correlate something in their certs to something in my AD, but haven't figured out how to make that fly yet...

Thanks, Chuck
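The symptom described above (a certificate-derived user@contractor-domain name rejected by the AD auth server even after the account's e-mail field was changed) is consistent with the name being resolved as a UPN: AD matches a user@domain logon against the account's userPrincipalName attribute and only accepts suffixes that are a forest domain or a registered alternative UPN suffix, and the mail attribute is not consulted for logon at all. The PowerShell below is an added diagnostic written for this page, not code from the original post or from Juniper; it checks, for a given cert-derived name, whether the suffix is known to the forest and whether any account matches it by userPrincipalName versus by mail. It assumes the RSAT ActiveDirectory module is installed and that the MAG passes the name through to AD unchanged; the domain names are placeholders.

```powershell
# Added example (editor's diagnostic, not from the original post or the vendor).
# Assumptions: RSAT ActiveDirectory module is installed; the MAG sends the
# certificate-derived name unchanged (user@contractor.example) to the AD auth
# server; AD resolves that form against userPrincipalName, not mail.
# Domain names used here are placeholders, not real accounts.

function Test-CertIdentityMapping {
    [CmdletBinding()]
    param(
        # Name exactly as the certificate auth server would derive it from the cert
        [Parameter(Mandatory)] [string] $CertIdentity
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $suffix = ($CertIdentity -split '@')[-1]
    $forest = Get-ADForest

    # A user@domain logon can only resolve if the suffix is a domain in the
    # forest or an explicitly registered alternative UPN suffix.
    $knownSuffixes    = @($forest.Domains) + @($forest.UPNSuffixes)
    $suffixRegistered = $knownSuffixes -contains $suffix

    # Escape LDAP filter metacharacters before embedding the name in a filter
    $escaped = $CertIdentity -replace '\\', '\5c' -replace '\*', '\2a' `
                             -replace '\(', '\28' -replace '\)', '\29'

    # What a user@domain logon actually matches: userPrincipalName
    $byUpn  = Get-ADUser -LDAPFilter "(userPrincipalName=$escaped)" -Properties mail
    # What the poster changed: the mail attribute, which AD does not treat as a logon name
    $byMail = Get-ADUser -LDAPFilter "(mail=$escaped)" -Properties userPrincipalName

    [pscustomobject]@{
        CertIdentity     = $CertIdentity
        Suffix           = $suffix
        SuffixRegistered = $suffixRegistered
        MatchedByUpn     = if ($byUpn)  { $byUpn.SamAccountName }      else { $null }
        MatchedByMail    = if ($byMail) { $byMail.SamAccountName }     else { $null }
        MailAccountUpn   = if ($byMail) { $byMail.UserPrincipalName }  else { $null }
    }
}

# Usage (placeholder name):
# Test-CertIdentityMapping -CertIdentity 'jdoe@contractor.example'
```

If the result shows SuffixRegistered false, or an account matched only by mail with a MailAccountUpn in the company's own domain, then the secondary AD authentication cannot succeed with that name as the cert server derives it, regardless of the e-mail field. Registering the contractors' domain as an alternative UPN suffix and setting each contractor account's userPrincipalName to match is the AD-side way to make such a name resolvable; whether the MAG's certificate server can instead derive a name that already matches an existing AD account is a product-configuration question this example does not answer.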