ATP and VPN integration: VPN login with UPN


I enabled VPN integration with a Cisco ASA at the other side. We also have NPS extension to use Azure AD MFA.

I can correctly see, on user's timeline on ATP portal, all the VPN logons made by using the SAMaccountname. 

If the user logs in using the UPN, instead, his logon is not present on ATP timeline. 

With NetMon I see the Radius message coming in the DC (which has the sensor installed) but the entry is not reported to ATP.

Is it a normal behaviour?

Thanks

Mike 

3 Replies

@Michele D'Angelantonio Can you capture the radius event sent in each case for the same user and compare them?

One way is to capture them using a netmon network trace...

Hi @Eli Ofek, today I'll capture the events for both cases. How can I send it to you in a private way? thanks

Mike 

@Michele D'Angelantonio The best case will be to open a support case and ask the engineer to add me to the email thread.

Another option is that you simply extract the textual payload of the messages, and replace sensitive data with bogus data to paste here. The interesting part is the format, not the data itself (most likely).
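An added example (not part of the original thread): one way to do the extract-and-replace step suggested above, sketched in Python. It parses the RADIUS header and attributes as laid out in RFC 2865/2866 and masks the values so the shape of User-Name (plain name versus `user@domain`) stays comparable; the sample packets and the names `jdoe` and `contoso.example` are constructed.

```python
import struct

# RFC 2865/2866 attribute types seen in a VPN accounting event.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
              31: "Calling-Station-Id", 40: "Acct-Status-Type", 44: "Acct-Session-Id"}
TEXT_ATTRS = {1, 31, 44}   # string-valued attributes
ADDR_ATTRS = {4, 8}        # 4-byte IPv4 addresses

def mask(text):
    """Letters become 'x', digits become '9'; separators and length are kept."""
    return "".join("x" if c.isalpha() else "9" if c.isdigit() else c for c in text)

def redact_radius(packet):
    """Parse a RADIUS packet; return (code, [(attribute_name, redacted_value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    out, pos = [], 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype in TEXT_ATTRS:
            shown = mask(value.decode("utf-8", "replace"))
        elif atype in ADDR_ATTRS and len(value) == 4:
            shown = "<ipv4 redacted>"
        elif atype == 40 and len(value) == 4:
            shown = str(struct.unpack("!I", value)[0])  # 1=Start, 2=Stop
        else:
            shown = "<%d bytes redacted>" % len(value)
        out.append((name, shown))
        pos += alen
    return code, out

def build_sample(user):
    """Constructed Accounting-Request (code 4) with a zeroed authenticator."""
    attrs = b""
    for t, v in [(1, user.encode()), (40, struct.pack("!I", 1)), (8, bytes([10, 0, 0, 5]))]:
        attrs += bytes([t, len(v) + 2]) + v
    return struct.pack("!BBH", 4, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for user in ("jdoe", "jdoe@contoso.example"):  # constructed sample names
        print(redact_radius(build_sample(user)))
```

The masked output still reveals value lengths, so trim or pad them by hand if the length itself is sensitive.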