Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1159
Views
5
Helpful
2
Replies

AnyConnect SSL-client Certificate AND AAA RADIUS

rtjensen4
Level 4
Level 4

‎03-06-2012 08:59 AM - edited ‎02-21-2020 05:56 PM

Hi All,

I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.

I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...

Here are some relevant log messages I'm getting:

Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session

Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..

Certificate chain was successfully validated with warning, revocation status was not checked.

Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.

Device completed SSL handshake with client outside:72.91.xx.xx/42501

Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate

Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance

Relevant Config:

tunnel-group SSLClientProfile type remote-access

tunnel-group SSLClientProfile general-attributes

authentication-server-group RADIUS

default-group-policy GroupPolicy1

tunnel-group SSLClientProfile webvpn-attributes

authentication aaa certificate

radius-reject-message

pre-fill-username ssl-client

group-alias SSLClientProfile enable

group-url https://URL enable

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

wins-server none

dns-server value <ip1> <ip2>

vpn-tunnel-protocol ssl-client

default-domain value xxxxxxxx

address-pools value VPNPOOL

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.102.242

key *****

aaa-server RADIUS (inside) host 192.168.240.242

key *****

ASA version 8.4

What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

Labels:
0 Helpful
2 Replies 2

rtjensen4
Level 4
Level 4

‎03-06-2012 09:22 AM

PRogress....

I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

0 Helpful

rtjensen4
Level 4
Level 4

‎03-06-2012 11:11 AM

Winning!

So apparently the username = password in this case...

Customers Also Viewed These Support Documents