authentication aaa certificate question

TCAM
Level 1

I have a tunnel-group configured with "authentication aaa certificate". When the client tries to connect and fails with "No valid certificate available for authentication", I would expect the connection to be terminated, but for some reason it gives you a second chance and asks you to enter AAA credentials.  Is that normal fallback behavior?  How do I stop the ASA from giving a second chance in this scenario?

Thanks

5 Replies

Hi Joe,

It sounds interesting.

Could you please attach the following outputs?

1- debug crypto ca 255

2- debug aaa common 255

3- show run tunnel-group your-tunnel-group

*All this during a connection attempt.

Portu.

Thanks for taking time to look into it Portu!

Here is the tunnel-group config

sh run tunnel-group USERTunnelGroup
tunnel-group USERTunnelGroup type remote-access
tunnel-group USERTunnelGroup general-attributes
 address-pool USERDHCPPool1
 authentication-server-group SSL-VPN
 default-group-policy USERGP
tunnel-group USERTunnelGroup webvpn-attributes
 customization USERCustom
 authentication aaa certificate
 group-alias /USERTunnelGroup disable
 group-alias USERTunnelGroup disable
 group-alias Full_Tunnel disable
 group-alias WIndows7_MAC disable
 group-url enable

See attachment for debug outputs.

Here is the group-policy:

sh run group-policy USERGP
group-policy USERGP internal
group-policy USERGP attributes
 wins-server value
 dns-server value
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 45
 vpn-session-timeout none
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value
 vlan none
 nac-settings none
 smartcard-removal-disconnect enable
 webvpn
  url-list value USER
  filter none
  homepage none
  anyconnect ssl dtls enable
  anyconnect mtu 1406
  anyconnect firewall-rule client-interface public none
  anyconnect firewall-rule client-interface private none
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect dpd-interval client 10
  anyconnect dpd-interval gateway 10
  anyconnect ssl compression deflate
  anyconnect profiles value USERVPNCLient type user
  anyconnect ask none default webvpn
  customization value USERCustom
  activex-relay enable
  url-entry enable
  smart-tunnel auto-signon disable
  anyconnect ssl df-bit-ignore disable
  always-on-vpn profile-settingup enable
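As an added example (not from the thread or from Cisco), a small Python parser for "show run tunnel-group" output that reports each tunnel-group's webvpn authentication method and AAA server group, which is the first thing to check when auditing which groups depend on certificate authentication. The sample config is a constructed copy of the tunnel-group posted above plus a hypothetical CERT_ONLY group.

```python
"""Audit Cisco ASA 'show run tunnel-group' output: which webvpn tunnel-groups
authenticate with aaa, certificate, or both.  Added example, not from the thread."""
from typing import Dict, List, Optional

# Constructed sample: the group posted in the thread plus a hypothetical
# CERT_ONLY group so that two different authentication modes are exercised.
SAMPLE_CONFIG = """\
tunnel-group USERTunnelGroup type remote-access
tunnel-group USERTunnelGroup general-attributes
 address-pool USERDHCPPool1
 authentication-server-group SSL-VPN
 default-group-policy USERGP
tunnel-group USERTunnelGroup webvpn-attributes
 customization USERCustom
 authentication aaa certificate
 group-url enable
tunnel-group CERT_ONLY type remote-access
tunnel-group CERT_ONLY webvpn-attributes
 authentication certificate
"""

def parse_tunnel_groups(config: str) -> Dict[str, dict]:
    """Return {name: {type, auth, aaa_group, policy}} per tunnel-group.
    'auth' is the tuple of methods on the webvpn 'authentication ...' line,
    or None when no explicit line is present (the ASA default then applies)."""
    groups: Dict[str, dict] = {}
    section: Optional[tuple] = None  # (group name, attribute section) currently open
    for raw in config.splitlines():
        tokens = raw.strip().split()  # strip() tolerates lost/kept leading indentation
        if not tokens:
            continue
        if tokens[0] == "tunnel-group" and len(tokens) >= 3:
            entry = groups.setdefault(tokens[1], {"type": None, "auth": None,
                                                  "aaa_group": None, "policy": None})
            if tokens[2] == "type" and len(tokens) >= 4:
                entry["type"], section = tokens[3], None
            else:
                section = (tokens[1], tokens[2])  # general-attributes / webvpn-attributes
            continue
        if section is None:
            continue
        name, kind = section
        entry = groups[name]
        # Exact token match so 'authentication-server-group' is never mistaken
        # for the webvpn 'authentication' method line.
        if kind == "general-attributes" and len(tokens) > 1:
            if tokens[0] == "authentication-server-group":
                entry["aaa_group"] = tokens[1]  # interface-qualified forms not handled
            elif tokens[0] == "default-group-policy":
                entry["policy"] = tokens[1]
        elif kind == "webvpn-attributes" and tokens[0] == "authentication":
            entry["auth"] = tuple(tokens[1:])
    return groups

def groups_requiring_certificate(config: str) -> List[str]:
    """Sorted names of tunnel-groups whose webvpn authentication includes 'certificate'."""
    return sorted(n for n, g in parse_tunnel_groups(config).items()
                  if g["auth"] and "certificate" in g["auth"])
```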

Hi Portu, please take a look when you have a chance.  Thanks, Joe

Sure thing

Could you please provide the following debugs, during a connection attempt?

debug crypto ca 255

debug aaa common 255

Thanks