Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2377
Views
0
Helpful
3
Replies

IP Phone SSL VPN through ASA

Go to solution
fgasimzade
Level 4
Level 4

‎02-16-2011 08:07 AM

Im in the middle of configuring Ip Phone SSL VPN through ASA, got stuck on authentication.. When I enter username and password on the phone screen, i get "Username and password failed" message on the screen. However, in ASA logs I see the following line

Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684

Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.

What does it mean?  How can I turn on debugging to see what is going on?

Thank you in advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jeffrey Schutt
Cisco Employee
Cisco Employee

‎03-07-2011 09:01 AM

Hi,

If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.

Did this answer your question? If so, please mark it Answered!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jeffrey Schutt
Cisco Employee
Cisco Employee

‎03-07-2011 09:01 AM

Hi,

If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.

Did this answer your question? If so, please mark it Answered!

0 Helpful

Go to solution
fgasimzade
Level 4
Level 4
In response to Jeffrey Schutt

‎03-09-2011 06:06 AM

Thank you Jeffrey, I already managed to solve it myself, thank you anyway!

0 Helpful

Go to solution
resolveits
Level 1
Level 1
In response to fgasimzade

‎06-18-2012 04:23 AM

Hi,

I am having the same issue with IP SSL VPN phone and I cannot locate the error, can anyone please assist. When logging into ASA from IP Phone the error "Usernane and Password Failed" keeps in coming up.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents