Cisco CSR 1000v Anyconnect SSL VPN setup issues

Hi all,

I'm looking for help on getting Anyconnect SSL VPN setup on a CSR 1000v running IOS XE v3.13.01S. There is an abundance of info on the webvpn style SSL VPN setup but very little on the "crypto ssl" XE SSL VPN style setups.

I have been working mostly from http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html

I have configured the router with the commands in the attached file config.txt. When I connect using Anyconnect, I see the user authenticate; however, the user is denied access to the tunnel:

csr1000v_3-13-3#debug crypto ssl aaa 
csr1000v_3-13-3#debug crypto ssl tunnel 
Crypto SSL Tunnel debugging is on
csr1000v_3-13-3#                        
csr1000v_3-13-3#
csr1000v_3-13-3#
*Nov  9 20:15:03.692: CRYPTO-SSL-AAA: Nas Port ID set to 192.168.100.10.
*Nov  9 20:15:03.692: CRYPTO-SSL-AAA: AAA authentication request sent for user: "test_user"
*Nov  9 20:15:03.693: CRYPTO-SSL-AAA: AAA Authentication Passed!
*Nov  9 20:15:03.693: %SSLVPN-5-LOGIN_AUTH_PASSED: vw_ctx: sslvpn-profile vw_gw: sslvpn-policy remote_ip: 192.168.100.10 user_name: test_user, Authentication successful, user logged in
*Nov  9 20:15:03.693: CRYPTO-SSL-AAA: User "test_user" has logged in from "192.168.100.10" to gateway "sslvpn-policy" 
             context "sslvpn-profile"
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.029: [CRYPTO-SSL-TUNL-EVT]:[7FD0806E48E0] CSTP Version recd , using 1
*Nov  9 20:15:04.029: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] Full Tunnel CONNECT request failed, Sending error
*Nov  9 20:15:04.029: HTTP/1.1 401 Unauthorized
*Nov  9 20:15:04.029: 
*Nov  9 20:15:04.030: 
*Nov  9 20:15:04.030: 
*Nov  9 20:15:04.030: [CRYPTO-SSL-TUNL-ERR]:[7FD0806E48E0] User test_user not authorized to access Full tunnel
*Nov  9 20:15:06.089: HTTP/1.1 200 OK
*Nov  9 20:15:06.089: Content-Type: text/html
*Nov  9 20:15:06.089: Content-Length: 0
*Nov  9 20:15:06.089: Cache-Control: no-cache
*Nov  9 20:15:06.090: Connection: Keep-Alive
*Nov  9 20:15:06.090: Date: Sun, 09 Nov 2014 20:15:06 GMT
*Nov  9 20:15:06.090: X-Aggregate-Auth: 1
*Nov  9 20:15:06.090: 
*Nov  9 20:15:06.090: 
Checking the config, I notice, however, that I have matched the policy and configured an SSL authorization policy:

csr1000v_3-13-3#sh run | sec crypto ssl profile
crypto ssl profile sslvpn-profile 
 match policy sslvpn-policy 
 aaa authentication list AAA_SSLVPN_LIST 
 authentication remote user-credentials 
 virtual-template 1
 !Profile Incomplete (MUST have a policy matched and ssl authorization policy configured)
csr1000v_3-13-3#

Any tips would be much appreciated!


NewlinkSupport
Level 1

I assume you already fixed this but I see you're missing the "aaa authorization" command within the profile... something like:

crypto ssl profile sslvpn-profile
aaa authorization group user-pass list AAA_SSL_VPN sslvpn-policy

hannes1967
Level 1

I have the same problem!

Any solutions?

michal-miac
Level 1

Hi cco@bulletproof.net.au,
The solution for me was this config:

aaa new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123

The game changer was: aaa authorization network sslvpn local
Cheers!
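A small config check that mirrors the two replies, added here as an example (not code from the thread or from Cisco): it parses a `crypto ssl profile` block from `show run` output, reports when the `aaa authorization` line the first reply points to is missing, and flags any method list the profile references that has no global `aaa authentication login` / `aaa authorization network` definition, which is what the last reply changed. The two sample configs and their list names are constructed assumptions built from the posts, not a verified working configuration.

```python
import re
# Constructed samples: BROKEN_CONFIG is the profile from the original post, FIXED_CONFIG adds the lines the replies suggest. List names are assumptions, not a verified configuration.
BROKEN_CONFIG = """\
aaa authentication login AAA_SSLVPN_LIST local
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list AAA_SSLVPN_LIST
 authentication remote user-credentials
 virtual-template 1
"""
FIXED_CONFIG = """\
aaa authentication login sslvpn local
aaa authorization network sslvpn local
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-policy
 authentication remote user-credentials
 virtual-template 1
"""
def parse_profiles(config):
    """Map each 'crypto ssl profile <name>' block to its indented sub-commands."""
    profiles, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level command: starts or ends a profile block
            m = re.match(r"crypto ssl profile (\S+)", line)
            current = m.group(1) if m else None
            if current:
                profiles[current] = []
        elif current is not None:
            profiles[current].append(line.strip())
    return profiles

def global_lists(config, kind):
    """Names of the global 'aaa <kind> login|network <name>' method lists."""
    return set(re.findall(rf"^aaa {kind} (?:login|network) (\S+)", config, re.M))

def audit_profile(config, name):
    """Findings that explain a passed login followed by a refused full-tunnel CONNECT."""
    findings, cmds = [], parse_profiles(config).get(name, [])
    authn = [c.split()[-1] for c in cmds if c.startswith("aaa authentication list ")]
    if authn and authn[0] not in global_lists(config, "authentication"):
        findings.append(f"authentication list {authn[0]} is not defined globally")
    authz = [c for c in cmds if c.startswith("aaa authorization ")]
    m = re.search(r"list (\S+)", authz[0]) if authz else None
    if not authz:
        findings.append("no 'aaa authorization' in profile: login passes but tunnel CONNECT is refused")
    elif m and m.group(1) not in global_lists(config, "authorization"):
        findings.append(f"authorization list {m.group(1)} has no global 'aaa authorization network' line")
    return findings
```

Run `audit_profile(text, "sslvpn-profile")` on the pasted `show run | sec crypto ssl profile` output together with the global `aaa` lines; an empty list means both the profile line and its global method list are present.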