Router WebVPN and client certificate

Sergey Yakovlev
Level 1

Hello!

In my test lab I can't get my WebVPN configuration to work =\

I have several components: MS AD, MS CS (but without NDES), a 2911 router and a client computer. Client and router each have a certificate from MS CS. In my configuration I use authentication by certificate or AAA (LDAP); authentication by AAA works fine, but authentication by client certificate doesn't work. My internal HTTPS services don't work either ("Invalid or no certificate"), which is strange because I imported the CA certificate for this.

Can you help me make it work?

My 2911 version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)

My Config:

aaa authentication login webvpn group ldap local
ip local pool webvpn 192.168.200.1 192.168.200.254
bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd
webvpn gateway vpn
 ip address <ip address> port 4443
 ssl trustpoint root-ca
 inservice
!
webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
!
webvpn context employee
 ssl authenticate verify all
 !
 login-message "VPN Portal"
 !
 policy group policy1
   url-list "inside"
   functions svc-enabled
   filter tunnel VPN-SPLIT
   svc address-pool "webvpn" netmask 255.255.255.0
   svc default-domain "domain.com"
   svc keep-client-installed
   svc split dns "domain.com"
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary 192.168.1.1
   svc dns-server secondary 192.168.1.2
   citrix enabled
 virtual-template 1
 default-group-policy policy1
 aaa authentication list webvpn
 gateway vpn
 authentication certificate
 username-prefill
 ca trustpoint root-ca
 user-profile location flash0:/userprof
 inservice
!
crypto pki trustpoint root-ca
 enrollment terminal
 revocation-check none
 rsakeypair root-ca
!

I imported the certificate from a PKCS#12 file together with the CA certificate.

From my debug (this happens when I try to access my WebVPN portal and choose my certificate from MS CS for access):

Jun  5 11:22:39: WV: validated_tp :  cert_username :  matched_ctx :
Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun  5 11:22:39: WV: Error: No certificate validated for the client

Can anybody explain to me why it doesn't work?
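An added example, not part of the post above: before chasing the "No certificate validated for the client" debug on the router, it is worth checking off-box that the client certificate actually chains to the CA held in the trustpoint and carries the clientAuth extended key usage, since the gateway cannot map a certificate to a username until that validation passes. The CA, client certificate and file names below are constructed throwaways that stand in for the MS CS root and the user certificate.

```shell
#!/bin/sh
# Added example (not from the original post): verify the two properties a
# WebVPN gateway needs from a client certificate under
# "ssl authenticate verify all": it chains to the trustpoint CA and it is
# marked for TLS client authentication. All certificates here are
# constructed throwaways; names and paths are hypothetical.
set -e
WORK=$(mktemp -d)

make_lab_certs() {
  # Throwaway CA standing in for the root imported into trustpoint root-ca
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Client CSR, then sign it with that CA and add the clientAuth EKU
  openssl req -newkey rsa:2048 -nodes -subj "/CN=labuser" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/ext.cnf"
  openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -out "$WORK/client.pem" 2>/dev/null
  # An unrelated CA, to show how a certificate from the wrong issuer fails
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# check_client_cert CA_PEM CLIENT_PEM
# Returns 0 only if CLIENT_PEM verifies against CA_PEM and is marked for
# TLS client authentication; otherwise prints which test failed, returns 1.
check_client_cert() {
  ca="$1"; cert="$2"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -text \
       | grep -A1 'Extended Key Usage' \
       | grep -q 'TLS Web Client Authentication'; then
    echo "FAIL: $cert lacks the clientAuth EKU"; return 1
  fi
  echo "OK: $cert chains to $ca and allows client authentication"
}

make_lab_certs
check_client_cert "$WORK/ca.pem" "$WORK/client.pem"
check_client_cert "$WORK/other.pem" "$WORK/client.pem" || true
```

On the router side the same chain check is what `ssl authenticate verify all` performs against `ca trustpoint root-ca`, so a failure here on the real user certificate and CA export would explain the debug output before any LDAP or username-prefill logic is reached.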