07-23-2004 06:36 AM - edited 02-21-2020 10:10 AM
Hello all,
My situation is the following. I have a Windows VPN client 4.0.1 trying to authenticate with digital certificates to a 3005 concentrator. I have installed the CA on both, identity certificate on the 3005 as well. I enrolled a certificate with the client, signed it with the CA, imported it back, everything is ok, the VPN client says it's valid.
I have configured the 3005 to authenticate based on digital certificates according to the many docs on cisco.com about this. But obviously something is wrong, since I can't connect (see the attached log extracts).
Group matching is done correctly I believe (group "Product Management"). The group is configured on the 3005.
I tried to find out what that error means " <client IP> Group [Product Management] Received non-routine Notify message: Authentication failed (24)" but I could find no reference at all about this on cisco.com.
Does anyone have any idea where I am going wrong? If there is any more info you need, please let me know.
Thanks,
Stefan
07-24-2004 11:59 PM
Does the hash on your client certificate match the hash of the 3005 cert and the CA server?
Are you debugging all IKE and CERT events?
The only documentation I can dig up on IKE code 68 is that of authentication failing because of an invalid hash.
This is for preshared keys though (at the bottom): http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094eca.shtml
Is there a firewall involved in any of this?
07-25-2004 11:22 PM
Hello,
To be honest I don't know how to check whether the hash is the same or not. Not sure where the hash is involved in certificate authentication. Any pointers on this would be appreciated. And yes, I have found that link too, but it's not much help; I am not using pre-shared keys.
There is a firewall involved, but I don't think that is the problem. If I configure the Cisco VPN client to use group authentication then it works perfectly, I can connect without problems. The firewall is not an issue.
The log extracts that I posted were with CERT and IKE debug enabled. I also tried with IKEDBG and IKEDECODE, but there is nothing useful in there, as far as I can see.
Regards,
Stefan
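The question in the previous reply (whether the client certificate, the 3005 identity certificate and the CA actually fit together) can be checked offline with openssl. The script below is an added example, not part of this thread: it builds a throwaway lab CA plus a second, unrelated CA, issues a concentrator cert and two client certs, and then checks which certs chain to which CA and prints the CA fingerprint that should be identical on the client and the concentrator. All names (lab-ca, other-ca, vpn3005, client, stray) are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that end-entity certs chain to the CA both VPN peers trust.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed lab CA (stands in for the CA installed on both the 3005 and the client).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 1 -subj "/CN=lab-ca" >/dev/null 2>&1
# A second, unrelated CA, used only to show what a mismatch looks like.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -days 1 -subj "/CN=other-ca" >/dev/null 2>&1

# issue NAME CA_CERT CA_KEY : create a key and CSR for NAME and sign it with the given CA
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$1.crt" -days 1 >/dev/null 2>&1
}
issue vpn3005 ca.crt ca.key        # identity cert for the concentrator
issue client  ca.crt ca.key        # client cert signed by the same CA
issue stray   other.crt other.key  # client cert signed by a different CA

# chains_to CERT CA : succeeds only if CERT was signed by CA
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# fingerprint CERT : SHA-1 fingerprint, the value to compare on both peers
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2; }

# issuer_matches CERT CA : succeeds if CERT's issuer DN equals CA's subject DN
issuer_matches() {
  [ "$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)" = \
    "$(openssl x509 -in "$2" -noout -subject | cut -d= -f2-)" ]
}

# Report: each cert against the CA the concentrator trusts.
echo "trusted CA fingerprint: $(fingerprint ca.crt)"
for c in vpn3005.crt client.crt stray.crt; do
  if chains_to "$c" ca.crt; then echo "$c: chains to lab-ca"; else echo "$c: NOT signed by lab-ca"; fi
done
```

A client whose certificate reports "NOT signed by" the CA installed on the concentrator will fail IKE certificate authentication even though the client's own certificate view shows it as valid against its local CA copy.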
07-28-2004 12:02 AM
Well, problem solved. I have installed a different CA system, re-issued all certificates (the CA's, the 3005's, the VPN client's) and everything is working now.
07-28-2004 09:30 AM
Can you elaborate on which CA system you installed, was it from a different vendor, Microsoft solution or Cisco CA? I'm running into the same problem myself.
07-30-2004 12:08 AM
I have downloaded, compiled and installed a Sourceforge.net project, openCA (http://www.openca.org/openca/). Won't help you if you have a Windows box though. But in my case it was perfect, runs fine on Linux and it's free. If you don't mind the fact that it's at Release Candidate stage, then you might want to give it a try.
Stefan