Anyconnect certificate authentication strange behavior

Shiyan Wang
Cisco Employee

Dear Sir,

I use a Cisco 3825 router and want to deploy AnyConnect on it. After I could successfully authenticate the client by username and password, I started to investigate the certificate authentication way.

I met a strange AnyConnect behavior on iPhone and Win7 (I only have these two kinds of devices): I deployed the client certificate to the iPhone and deleted any username/password on the Cisco router. I try to connect and AnyConnect still asks for a password. I just leave the password field empty or input anything in the password. I click connect, then the connection is successfully established.

Q: Why does AnyConnect ask for a useless password when I use certificate authentication? How can I make AnyConnect not ask for a useless password?

You can watch the iPhone screen video: https://supportforums.cisco.com/video/12865091/anyconnect-certificate-authentication-strange-behavior

My sh run is as below (something is omitted):

!
aaa new-model
!
!
aaa authentication login default line
aaa authentication login webssl local
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2997785603
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2997785603
revocation-check none
rsakeypair TP-self-signed-2997785603
!
crypto pki trustpoint WSY.TP
enrollment terminal
fqdn cisco.ftp.sh
subject-name CN=cisco.ftp.sh(something is deleted for privacy)
revocation-check none
rsakeypair WSYKEY
!
!
crypto pki certificate chain TP-self-signed-2997785603
(output omitted)

crypto pki certificate chain WSY.TP
(output omitted)

!
webvpn gateway TalGimani-Gateway
ip interface Dialer1 port 443
ssl encryption aes-sha1
ssl trustpoint WSY.TP
inservice
dtls port 9898
!
webvpn install svc flash:/webvpn/anyconnect-win-4.2.01035-k9.pkg sequence 1
!
webvpn context Tal-WebVPN
title "Tal Gimani - WebVPN"
ssl authenticate verify all
!
acl "webvpn-acl"
permit ip any any
!
!
policy group sslpolicy
functions svc-enabled
filter tunnel webvpn-acl
svc address-pool "SSLPool" netmask 255.255.255.0
svc keep-client-installed
svc rekey method new-tunnel
svc split include 10.0.0.0 255.0.0.0
svc dns-server primary x.x.x.x
svc dtls
default-group-policy sslpolicy
gateway TalGimani-Gateway
max-users 4
authentication certificate
ca trustpoint WSY.TP
inservice
!
end

ADSL#
ADSL#sh ver
(output omitted)
System image file is "flash:c3825-adventerprisek9-mz.151-4.M10.bin"
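The running-config in the post above, run through a small audit script. This is an added example, not Cisco's code or the poster's: it assumes the indented form that `show running-config` prints (a sub-command is an indented line under its block header), and the sample config is constructed from the excerpt above with the omitted parts left out. The script reports the `authentication` mode of each webvpn context (so the `certificate` versus `certificate aaa` difference discussed in the replies shows up as data), checks that the `ca trustpoint` and the gateway's `ssl trustpoint` are actually defined, and flags the one thing a reviewer would want to know about this config: the trustpoint that validates client certificates has `revocation-check none`, so a revoked client certificate is still accepted.

```python
"""Audit a Cisco IOS SSL VPN (webvpn) running-config for the client-certificate
settings discussed in this thread.  Added example, not Cisco code; the config
excerpt below is constructed from the poster's 'sh run' with secrets omitted."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the thread's config (indented as IOS prints it).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login webssl local
crypto pki trustpoint TP-self-signed-2997785603
 enrollment selfsigned
 revocation-check none
 rsakeypair TP-self-signed-2997785603
crypto pki trustpoint WSY.TP
 enrollment terminal
 fqdn cisco.ftp.sh
 revocation-check none
 rsakeypair WSYKEY
webvpn gateway TalGimani-Gateway
 ip interface Dialer1 port 443
 ssl encryption aes-sha1
 ssl trustpoint WSY.TP
 inservice
webvpn context Tal-WebVPN
 ssl authenticate verify all
 policy group sslpolicy
  functions svc-enabled
 default-group-policy sslpolicy
 gateway TalGimani-Gateway
 authentication certificate
 ca trustpoint WSY.TP
 inservice
end
"""


@dataclass
class Block:
    kind: str                                   # "trustpoint", "gateway" or "context"
    name: str
    lines: list = field(default_factory=list)   # sub-commands, whitespace-stripped


BLOCK_RE = re.compile(r"^(crypto pki trustpoint|webvpn gateway|webvpn context)\s+(\S+)")


def parse_blocks(config):
    """Group the config into trustpoint/gateway/context blocks.  Sub-commands are
    the indented lines that follow a header; any unindented line ends the block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        m = BLOCK_RE.match(raw)
        if m:
            current = Block(m.group(1).split()[-1], m.group(2))
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
    return blocks


def _first(lines, prefix):
    """Remainder of the first sub-command starting with prefix, or None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit_webvpn(config):
    """Return {'modes': {context: auth mode}, 'findings': [str]}.  Findings cover
    an undefined gateway 'ssl trustpoint', a certificate-mode context with a
    missing or undefined 'ca trustpoint', and a CA trustpoint that skips
    revocation checking."""
    blocks = parse_blocks(config)
    trustpoints = {b.name: b for b in blocks if b.kind == "trustpoint"}
    findings, modes = [], {}
    for gw in (b for b in blocks if b.kind == "gateway"):
        tp = _first(gw.lines, "ssl trustpoint ")
        if tp is not None and tp not in trustpoints:
            findings.append(f"gateway {gw.name}: 'ssl trustpoint {tp}' is not defined")
    for ctx in (b for b in blocks if b.kind == "context"):
        mode = _first(ctx.lines, "authentication ")    # e.g. "certificate", "certificate aaa"
        modes[ctx.name] = mode
        if mode is None or not mode.startswith("certificate"):
            continue
        ca = _first(ctx.lines, "ca trustpoint ")
        if ca is None:
            findings.append(f"context {ctx.name}: '{mode}' mode but no 'ca trustpoint' set")
        elif ca not in trustpoints:
            findings.append(f"context {ctx.name}: 'ca trustpoint {ca}' is not defined")
        elif "revocation-check none" in trustpoints[ca].lines:
            findings.append(
                f"context {ctx.name}: client certificates are validated against "
                f"{ca}, which has 'revocation-check none', so a revoked client "
                f"certificate is still accepted")
    return {"modes": modes, "findings": findings}


if __name__ == "__main__":
    report = audit_webvpn(SAMPLE_CONFIG)
    print(report["modes"])
    for finding in report["findings"]:
        print("-", finding)
```

On the sample this reports the context mode as `certificate` and one finding for `revocation-check none` on WSY.TP; switching that trustpoint to `revocation-check crl` (or `ocsp`) clears it. The parser deliberately uses indentation rather than the bare `!` separators, because the `!` lines also appear inside blocks and are not a reliable boundary.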

6 Replies

Philip D'Ath
VIP Alumni

Does it work correctly when you authenticate using other devices, like a PC?

What version of software are you using on your 3825?

I imported the client certificate to a Win7 PC. AnyConnect still asks for a password. But an empty password or any password will successfully authenticate. The VPN tunnel works correctly.

3825 software: c3825-adventerprisek9-mz.151-4.M10.bin

First, top marks for running a gold star release of the IOS for that platform. :-)

Nothing really stands out as wrong to me, so I took a look at this Cisco example:

http://www.cisco.com/c/en/us/support/docs/security/ios-sslvpn/116125-configure-SSLVPN-00.html

I notice it does the authentication slightly differently to you (using AAA). Note the lines below in the config. Perhaps try making your config more like the Cisco example.

aaa authentication list ClientAuth
authentication certificate aaa

OK. I will try a gold star release of the IOS platform and report later.

The example,

authentication certificate aaa

means both Certificate and AAA based authentication mode.

I just want to use certificate authentication mode. So I think

authentication certificate

is enough, right?

And I added the following line

aaa authentication list ClientAuth

AnyConnect still asks for a useless password.

If you were prepared to accept a degree of pain, and were running a newer router that can run 15.4 code, I would suggest you try using the IKEv2 mode of AnyConnect. I have done this and it works perfectly - no username prompts. As a bonus, you can also go to uber-strong Suite-B crypto.

http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html

After searching the Cisco website, the current IOS version on the 3825 is the latest gold star version.

15.1 is the latest version supported for 3825. :(

I will continue to find a solution for the strange issue.