FlexVPN, IOS-CA, Anyconnect, ISR4221,16.4.2, LocalAuthentication

kamil.swedrak
Level 1

Hi,


I have been trying to setup AnyConnect IPSEC with IKEv2 without external RADIUS but without success.

ISR4221 will be acting as GW for users as well IOS-CA (to enroll certs).

Cert has been imported under personal cert on client.

EKU is activated.

Config in attached file + debug.

Thanks for your help.

Accepted Solution

Hi @kamil.swedrak

Authentication is failing. It looks like your computer has another user certificate (with what looks to be your real name and FQDN); this is sent to the router, which is why it's failing, as it is issued by another, untrusted CA. Try configuring the AnyConnect profile: use the profile editor to specify the certificate, or disable automatic certificate selection.


HTH


5 Replies


Hi Rob, thanks for the quick reply!
The cert for the PC was issued by the internal IOS-CA and was exported as a .pfx file.

Regarding the AnyConnect profile - I don't have an AnyConnect profile, but I used the following template:


<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">

<ServerList>
<HostEntry>
<HostName>Router-Hostname</HostName>
<HostAddress>PUBLIC_IP_ADDRESS</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>

</AnyConnectProfile>


Sure, I understand that. Have a look in your debug for the line starting "Nov 19 10:43:15.562: CRYPTO_PKI: found UPN as .........." - your machine is attempting to use that certificate to authenticate with, rather than the one you want.

You're right - I have tested multiple certs, and that's why this line appeared.
How do I force the use of only one certificate in the XML profile?
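The profile elements that pin the client to a single user certificate, as an added example (not from this thread and not a Cisco-supplied profile): automatic selection is switched off in ClientInitialization and a CertificateMatch restricts the candidates by EKU and issuer. The CA name "ISR4221-CA", the OU "VPN-Users", and the host placeholders are assumptions to be replaced with the values from your own IOS-CA and router.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile; ISR4221-CA, VPN-Users and the host fields are placeholders -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Stop the client from offering whichever user cert it finds first -->
    <AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>
    <!-- Search only the user store, where the .pfx was imported -->
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <CertificateMatch>
      <!-- Candidate cert must carry the Client Authentication EKU -->
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <!-- Issuer CN must be the IOS-CA, so certs from any other CA are never sent -->
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern>ISR4221-CA</Pattern>
        </DistinguishedNameDefinition>
        <!-- Narrow further to the subject OU used on the enrolled VPN certs -->
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>OU</Name>
          <Pattern>VPN-Users</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Router-Hostname</HostName>
      <HostAddress>PUBLIC_IP_ADDRESS</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Save the file with a .xml extension in the client's profile directory (on Windows, C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) and restart the client; the "found UPN as" line in the router debug should then show only the IOS-CA-issued certificate.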

kamil.swedrak
Level 1

Issue was with my PC. I used other computer and client was able to connect.
