AnyConnect - Web Authentication required (Router IOS + dual authentication Certificate and AAA)

maksimmentus
Level 1

Hi everybody,

I am configuring WebVPN on a Cisco 3925E router with certificate and AAA authentication.

Versions of software I use:

C3925e = c3900e-universalk9-mz.SPA.152-4.M5.bin

AnyConnect = anyconnect-win-3.1.05170

OS = Windows 7 SP1

Configuring WebVPN with certificate authentication was successful, but there is a problem with the Windows version of AnyConnect. When a user tries to connect, AnyConnect shows a message like the one on the screenshot:

The user has to go to the WebVPN web portal, pass authentication, press the START button, and only after that does AnyConnect start connecting. This problem exists only if authentication with certificates is on, and only with the Windows version of AnyConnect. AnyConnect with certificate authentication on mobile devices works great.

All certificates are valid and trusted.


I have webvpn debug output. The output below is from when AnyConnect tells us about "web authentication":

.Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event
.Jul 12 02:58:08.519: WV: Entering APPL with Context: 0x25BE6658,
      Data buffer(buffer: 0x26B38320, data: 0xC8F3798, len: 203,
      offset: 0, domain: 0)
.Jul 12 02:58:08.519: WV: http request: / with no cookie
.Jul 12 02:58:08.519: WV: validated_tp :  cert_username :  matched_ctx :
.Jul 12 02:58:08.519: WV: failed to get sslvpn appinfo from opssl
.Jul 12 02:58:08.519: WV: Error: No certificate validated for the client
.Jul 12 02:58:08.519: WV: Client side Chunk data written..
buffer=0x26B38420 total_len=408 bytes=408 tcb=0x29C907E8
.Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event

When I passed web authentication through the web portal, the connection was established successfully; the debug is as follows:

.Jul 12 03:21:52.089: WV: sslvpn process rcvd context queue event
.Jul 12 03:21:52.089: WV: Entering APPL with Context: 0x25BE6AD8,
      Data buffer(buffer: 0x26B38320, data: 0xC83D798, len: 238,
      offset: 0, domain: 0)
.Jul 12 03:21:52.089: WV: Fragmented App data - buffered
.Jul 12 03:21:52.089: WV: Entering APPL with Context: 0x25BE6AD8,
      Data buffer(buffer: 0x26B38420, data: 0xC8E5418, len: 486,
      offset: 0, domain: 0)
.Jul 12 03:21:52.089: WV: http request: / with no cookie
.Jul 12 03:21:52.089: WV: validated_tp : WEBVPN cert_username :  matched_ctx :
.Jul 12 03:21:52.089: WV: Received appinfo
validated_tp : WEBVPN, matched_ctx : ,cert_username :
.Jul 12 03:21:52.089: WV: Trustpoint match successful
.Jul 12 03:21:52.089: WV: Client side Chunk data written..
buffer=0x26B38240 total_len=196 bytes=196 tcb=0x29924B98

Here is part of my WebVPN configuration:

crypto pki trustpoint FOR_WEB_AND_VPN
 enrollment terminal
 fqdn vpn.xxxxxxx.xx
 subject-name CN=vpn.xxxxxxx.xx
 ! no CRL/OCSP check: this trustpoint is also the "ca trustpoint" used for client
 ! certificate validation below, so a revoked user certificate is still accepted
 revocation-check none
 rsakeypair ca.key
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05170-k9.pkg sequence 1
!
webvpn gateway WebVPN-clients
 ip interface GigabitEthernet0/0.90 port 443
 http-redirect port 80
 ! RC4/MD5 is the only cipher suite offered here: weak, though unrelated to the
 ! symptom described (prefer the AES suites this release offers)
 ssl encryption rc4-md5
 ssl trustpoint FOR_WEB_AND_VPN
 inservice
 !
webvpn context WebVPN
 title
 login-photo none
 vrf-name LAN
 aaa authentication list webvpn
 aaa accounting list webvpn
 gateway WebVPN-clients
 ! certificate AND AAA: the client certificate is validated against the ca
 ! trustpoint below, then the user is authenticated through the aaa list above
 authentication certificate aaa
 ca trustpoint FOR_WEB_AND_VPN
 !
 ! every TLS session to this context must present a client certificate; a session
 ! without one is what the "No certificate validated for the client" debug line reports
 ssl authenticate verify all
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc default-domain "domain.local"
   svc keep-client-installed
   svc split include 10.10.0.0 255.255.0.0
 default-group-policy webvpnpolicy
!


I have found a post URL whose author has exactly the same issue as mine. I tried all the suggestions that were given there, but I still have the same issue.

I really have no idea what's wrong, and I hope that somebody can help me find a solution to this problem.
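The two debug excerpts above differ in exactly one respect: on the first session the request to / arrives with an empty validated_tp and ends in "No certificate validated for the client", while on the second the client certificate has been validated ("validated_tp : WEBVPN", "Trustpoint match successful"), and only the second session went on to connect. As an added example, not part of the original post and not a Cisco tool, the following Python script parses "debug webvpn" output of that shape, groups lines by the APPL context handle, and reports per session whether a client certificate was validated against a trustpoint, so the certificate-less session that ended at the portal can be told apart from a working one. It assumes the line wording of the IOS 15.2M output quoted in the post; the two excerpts are embedded as the sample input (trimmed of the buffer dump lines), and the class, function and verdict names are the script's own.

```python
"""Triage of Cisco IOS "debug webvpn" output: did the TLS client present a
certificate that the gateway validated against a trustpoint?

Line formats are assumed to be those of the IOS 15.2M output quoted in the
post; other releases may word the lines differently."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the two debug excerpts from the post, trimmed of the
# "Data buffer" / "Chunk data" dump lines, which carry nothing we need.
DEBUG_OUTPUT = """\
.Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event
.Jul 12 02:58:08.519: WV: Entering APPL with Context: 0x25BE6658,
.Jul 12 02:58:08.519: WV: http request: / with no cookie
.Jul 12 02:58:08.519: WV: validated_tp :  cert_username :  matched_ctx :
.Jul 12 02:58:08.519: WV: failed to get sslvpn appinfo from opssl
.Jul 12 02:58:08.519: WV: Error: No certificate validated for the client
.Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event
.Jul 12 03:21:52.089: WV: Entering APPL with Context: 0x25BE6AD8,
.Jul 12 03:21:52.089: WV: Fragmented App data - buffered
.Jul 12 03:21:52.089: WV: Entering APPL with Context: 0x25BE6AD8,
.Jul 12 03:21:52.089: WV: http request: / with no cookie
.Jul 12 03:21:52.089: WV: validated_tp : WEBVPN cert_username :  matched_ctx :
.Jul 12 03:21:52.089: WV: Received appinfo
validated_tp : WEBVPN, matched_ctx : ,cert_username :
.Jul 12 03:21:52.089: WV: Trustpoint match successful
"""

CONTEXT_RE = re.compile(r"Entering APPL with Context: (0x[0-9A-Fa-f]+)")
REQUEST_RE = re.compile(r"http request: (\S+) with (no cookie|cookie)")
ERROR_RE = re.compile(r"\bError: (.*\S)")
# The three appinfo fields appear as "name : value" pairs whose value may be
# empty, so the next field name must not be swallowed as the value.
FIELD_RE = re.compile(
    r"(validated_tp|cert_username|matched_ctx)\s*:\s*"
    r"(?!(?:validated_tp|cert_username|matched_ctx)\b)([^\s,]*)"
)


@dataclass
class Session:
    context: str                       # APPL context handle printed by IOS
    request: Optional[str] = None      # HTTP request path seen on this session
    cookie: bool = False               # did the request carry a session cookie?
    validated_tp: str = ""             # trustpoint that validated the client cert
    cert_username: str = ""
    matched_ctx: str = ""
    trustpoint_match: bool = False     # "Trustpoint match successful" seen
    errors: List[str] = field(default_factory=list)

    def client_cert_validated(self) -> bool:
        return self.trustpoint_match and bool(self.validated_tp)

    def verdict(self) -> str:
        if self.client_cert_validated():
            return f"client certificate validated against trustpoint {self.validated_tp}"
        return "no client certificate validated on this session"


def parse_debug(text: str) -> Dict[str, Session]:
    """Group debug lines by APPL context and extract the certificate state."""
    sessions: Dict[str, Session] = {}
    current: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONTEXT_RE.search(line)
        if m:
            current = sessions.setdefault(m.group(1), Session(context=m.group(1)))
            continue
        if current is None:          # lines before the first context are noise
            continue
        m = REQUEST_RE.search(line)
        if m:
            current.request = m.group(1)
            current.cookie = m.group(2) == "cookie"
            continue
        for name, value in FIELD_RE.findall(line):
            if value:                # the appinfo line repeats the same fields
                setattr(current, name, value)
        if "Trustpoint match successful" in line:
            current.trustpoint_match = True
        m = ERROR_RE.search(line)
        if m:
            current.errors.append(m.group(1))
    return sessions


def triage(text: str) -> List[str]:
    """One summary line per session, plus any gateway error it logged."""
    report: List[str] = []
    for s in parse_debug(text).values():
        cookie = "cookie" if s.cookie else "no cookie"
        report.append(f"{s.context}: request {s.request} ({cookie}); {s.verdict()}")
        report.extend(f"  gateway error: {e}" for e in s.errors)
    return report


if __name__ == "__main__":
    print("\n".join(triage(DEBUG_OUTPUT)))
```

Run it over a saved capture of the debug output and look for sessions whose validated_tp stays empty: that is the request the client made without presenting its certificate, which is the state the gateway was in when the poster saw the portal login. Sessions are keyed on the APPL context handle rather than on the timestamp because, as the second excerpt shows, the same context is printed twice when the request arrives fragmented.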


8 Replies

Marcin Latosiewicz
Cisco Employee (accepted solution)

This could be matching: 

https://tools.cisco.com/bugsearch/bug/CSCul02984/?reffering_site=dumpcr

Thank you for your answer, Marcin.

I have tried anyconnect-win-3.0.08057 and all works fine.

The bug report has information about the fixed release:

Known Fixed Releases:
3.1(5178)

But that release does not exist :)

That's how the folks in BU are numbering their internal releases. You need to find something that has build number higher than that (or wait until it appears). 

Hello,

I had a similar problem, but with a Cisco ASR 1006 and a FlexVPN configuration. When I configured the "reconnect" option on the ASR, the AnyConnect software kept failing on Win7 (only Win7; I tested on Mac, Ubuntu and Win8 and everything was fine with those). In some scenarios with a captive portal, I saw the "Web authentication required" message.

crypto ikev2 profile Perfil-IKEv2
 match identity remote key-id xxxxx
 identity local fqdn xxxxx
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint xxxxx
 aaa authentication eap LoginPorRadius
 aaa authorization group eap list NetworkPorRadius name-mangler MANGLAR
 aaa authorization user eap cached
 aaa accounting eap AccountingPorRadius
 virtual-template 1
 reconnect timeout 1800

I tested AnyConnect versions 3.0.0, 3.0.1 and 3.1.0, all unsuccessfully. Today I finally succeeded with AnyConnect version 4.0 on Win7.

I know it is not the same scenario, but it may be worth trying that version. It has been hard to find information about this error.

Regards.

Juan Jose Gaytan

Shcheveliev
Level 1

Had this problem too.

After some research I was able to get it fixed.

From the main window, navigate to Settings and check the box next to Disable Captive Portal Detection.

Hopefully this is helpful.

[attachment: Cisco anyconnect.jpg]

Thanks, but why should I disable captive portal detection?

This did not work for me sadly.

Correction. It worked. But after changing this setting, you need to restart AnyConnect. Thanks for the solution.
