FlexVPN, IOS-CA, Anyconnect, ISR4221,16.4.2, LocalAuthentication

Hi,

 

I have been trying to set up AnyConnect IPsec with IKEv2 without an external RADIUS server, but without success.

The ISR4221 will be acting as the GW for users as well as the IOS-CA (to enroll certs).

Cert has been imported under personal cert on client.

EKU is activated.

Config in attached file + debug.

Thanks for your help.

Accepted Solution
VIP Mentor

Hi @kamil.swedrak 

Authentication is failing. It looks like your computer has another user certificate (with what looks to be your real name and FQDN); this is sent to the router, which is why it's failing, as it is issued by another untrusted CA. Try configuring the AnyConnect profile: use the profile editor to specify the certificate or disable automatic certificate selection.

 

HTH


5 Replies

Hi Rob, thanks for the quick reply!
The cert for the PC was issued by the internal IOS-CA and was exported as a .pfx file.

Regarding the AnyConnect profile - I don't have an AnyConnect profile, but I used the following template:

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">

    <ServerList>
        <HostEntry>
            <HostName>Router-Hostname</HostName>
            <HostAddress>PUBLIC_IP_ADDRESS</HostAddress>
            <!-- IPsec/IKEv2 with certificate (RSA signature) authentication -->
            <PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>true
                    <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
                </StandardAuthenticationOnly>
            </PrimaryProtocol>
        </HostEntry>
    </ServerList>

</AnyConnectProfile>


 

VIP Mentor

Sure I understand that, have a look in your debug for the line starting - "Nov 19 10:43:15.562: CRYPTO_PKI: found UPN as .........." - your machine is attempting to use that certificate to authenticate with rather than the one you want.


You're right - I have tested multiple certs and that's why this line appeared.
How to force using only one certificate under XML profile?
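The following profile is an added example, not part of the original thread or of the poster's configuration. It shows the two things the accepted answer recommends: turning off automatic certificate selection and restricting the client to a certificate that matches the IOS-CA-issued one, so that the other user certificate (the one with the real name and FQDN issued by an untrusted CA) is never offered to the router. The issuer CN "IOS-CA", the key-usage values, the host name and the public IP are assumptions; replace them with the values from your own enrollment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (not from the original post).
     Issuer CN "IOS-CA" and the HostEntry values are assumptions. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">

    <ClientInitialization>
        <!-- Do not let the client pick whichever user certificate looks plausible;
             the user cannot re-enable it from the GUI either. -->
        <AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>

        <!-- The certificate was imported as a personal (user) certificate,
             so only search the user store. -->
        <CertificateStore>User</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>

        <!-- All criteria below must match for a certificate to be used. -->
        <CertificateMatch>
            <!-- Client Authentication EKU (1.3.6.1.5.5.7.3.2), which the thread
                 says is enabled on the IOS-CA-issued certificate. -->
            <ExtendedKeyUsage>
                <ExtKeyUsage>ClientAuth</ExtKeyUsage>
            </ExtendedKeyUsage>

            <!-- IKEv2 RSA authentication signs the AUTH payload with the key. -->
            <KeyUsage>
                <MatchKey>Digital_Signature</MatchKey>
            </KeyUsage>

            <!-- Pin the issuer to the router's IOS-CA so a certificate from any
                 other CA on the machine is ignored. "IOS-CA" is an assumed CN. -->
            <DistinguishedName>
                <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
                    <Name>ISSUER-CN</Name>
                    <Pattern>IOS-CA</Pattern>
                </DistinguishedNameDefinition>
            </DistinguishedName>
        </CertificateMatch>
    </ClientInitialization>

    <ServerList>
        <HostEntry>
            <HostName>Router-Hostname</HostName>
            <HostAddress>PUBLIC_IP_ADDRESS</HostAddress>
            <PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>true
                    <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
                </StandardAuthenticationOnly>
            </PrimaryProtocol>
        </HostEntry>
    </ServerList>

</AnyConnectProfile>
```

With this in place the client either offers the IOS-CA certificate or reports that no matching certificate was found; it no longer silently sends the wrong one. The router-side debug line quoted earlier in the thread ("CRYPTO_PKI: found UPN as ...") is the quickest way to confirm which certificate the client actually presented after the change.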

Beginner

Issue was with my PC. I used other computer and client was able to connect.
