05-22-2007 10:42 PM - edited 02-21-2020 03:04 PM
Hello All!
1) I have a 3745 and I'm configuring webVPN. Everything works fine, but I have a new task. I have 2 different policy groups on the 3745 for SSL VPN (webVPN) - policy_1 and policy_2. The 3745 checks user credentials on the RADIUS server (Microsoft IAS). My task is to configure the RADIUS server to send an attribute (with the group name, for example policy_2) to the 3745 to put the user in the specific group policy, depending on RADIUS and AD policies. How can I do it? I have already tried to configure the Class Attribute (number 25) with this "OU=policy_2;", but it's not working. What could be the solution?
By the way, I have found these links, but they are useless:
2) How can I disable the pop-up window (see attached image)? It pops up after I enter my username and password for logging in to webVPN!
Thanks in advance!
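The first question hinges on what the IAS server actually puts into RADIUS attribute 25 (Class) in its Access-Accept. The following is an added example, not code from this thread: it builds a constructed Access-Accept carrying `Class = "OU=policy_2;"`, verifies the RFC 2865 Response Authenticator against a hypothetical shared secret, and extracts the OU value so a captured reply can be checked against what the router expects.

```python
"""Decode the RADIUS Class (25) attribute discussed above.
Added example: the packet, secret and request authenticator are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Construct an Access-Accept (RFC 2865) from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_authenticator, secret):
    """Return True only if the Response Authenticator matches the shared secret."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Walk the attribute TLVs, rejecting truncated or overlapping lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def class_ou_values(packet):
    """Return every OU= value found in Class attributes, e.g. ['policy_2']."""
    groups = []
    for t, v in parse_attributes(packet):
        if t != ATTR_CLASS:
            continue
        for part in v.decode("ascii", "replace").split(";"):
            part = part.strip()
            if part.upper().startswith("OU="):
                groups.append(part[3:])
    return groups


SECRET = b"constructed-shared-secret"      # hypothetical, not a real secret
REQ_AUTH = bytes(range(16))                 # constructed Request Authenticator
SAMPLE = build_access_accept(7, REQ_AUTH, SECRET, [(ATTR_CLASS, b"OU=policy_2;")])
```

Run `class_ou_values` over a reply captured from the real IAS server to confirm the group string arrives exactly as configured; a mismatch in the attribute (or a failed `verify_response`) points at the server policy rather than the router.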
05-27-2007 12:30 PM
Unfortunately I don't have an answer for you concerning your question, but maybe you can help me with something...
I have an 1811 also doing WebVPN with the RADIUS/IAS solution. I also have an IPSEC policy using the same authentication, but on the WebVPN I keep getting errors about the self-signed certificate. I can log in to the WebVPN, but when it gets to verifying the digital cert it errors out, even after I import it. Did you have this issue? I'm thinking I have to have a real cert signed by a trusted authority, is that correct?
Thanks,
Kevin Soliz
05-30-2007 10:17 PM
Hello kevinsoliz, unfortunately I can't help you. Right now I'm using an IOS self-signed certificate. I also have our CA certificate installed on the router, but webVPN doesn't work with it (I don't know why? 8-)
06-08-2007 06:02 AM
Hi Dmitri, I had the issue of a CA certificate not working on my router with webvpn.
It was fixed for me by:
* changing the router hostname and domain-name to match the certificate;
* confirming that the router date and time settings were correct;
* using SDM 2.4, I generated a new CSR for the CA certificate, using the same CA details (has to be the same FQDN);
* then I got the certificate re-issued and installed it onto the router using SDM.
Using the SDM wizard, I had to first install the CA root certificate, then the router certificate. Now I don't get any certificate warnings when I log in :-)
I hope that this helps.
07-10-2007 11:12 PM
Hello! Thank you for your reply! Can you define more exactly which request you entered on the CA? SDM generates the request without such things as (----BEGIN REQUEST---- and ----END REQUEST----). Have you entered it? And what kind of certificate do you choose? (I have tried to choose Router offline certificate request)
Thanks in advance!
07-18-2007 03:35 AM
Hi - I can't remember all the steps, but here goes.
When I used the SDM, I went into the configuration / VPN / VPN Components / Public Key Infrastructure / Certificate Enrollment section.
I chose the Cut-and-Paste Certificate Wizard and went through it to generate a CSR, which I sent off to my CA (Equifax), who sent me back the ----BEGIN REQUEST --- info.
I also exported my CA's certificate as a base64 .cep file by opening up IE and, under the tools / internet options / content tab / certificates button / trusted root certification authorities tab, selecting my CA and exporting it to a local drive.
I ran the cut-and-paste certificate wizard again to finish off the enrollment using my router certificate (the ----BEGIN REQUEST --- info) as well as the .cep file for my CA.
My config looks like this:
```
! Trustpoint for the SSL VPN certificate; enrollment is done by cut-and-paste (terminal)
crypto pki trustpoint SSLCert
 enrollment terminal
 serial-number none
 ! FQDN must match the router hostname/domain-name and the CN in the certificate
 fqdn xxx.abc.com
 ip-address none
 password 7 xxxxxxxxxxxxxxx
 subject-name O=companyname, CN=xxx.abc.com, C=GB, E=qwerty@email.com
 ! Revocation checking via CRL
 revocation-check crl
 rsakeypair SDM-RSAKey-46456567778
! Router certificate issued by the CA, stored in NVRAM
crypto pki certificate chain SSLCert
 certificate 598743 nvram:EquifaxSecur#27B3.cer
```
I hope that this helps,
06-08-2007 06:07 AM
Hi Kevin,
Have you got a loopback adapter on your router with an IP address set within the address range pool that you have assigned to your webvpn clients?
I saw this solution in another post and it worked for me.
Good luck...
06-08-2007 02:15 PM
Really, that's all there was to it?
I'll give that a shot, I currently don't have a loopback interface configured.
06-24-2007 09:27 AM
Hot damn dude, you were right :-)
I configured a loopback in the same address space as the VPN and voilà, connection!
I assume this works because there wasn't a routed interface configured for the VPN users. When I originally set up the IPSEC stuff I just created a permit list via an ACL to define the network, a simple class C.
I'm thinking about redoing it and creating a proper VPN DHCP pool with a routed interface then ACLing it off.
I don't think I'd need the loopback if I went that route... What do you think?
Thanks again.