4943 Views, 0 Helpful, 3 Replies

Router WebVPN and client certificate

Sergey Yakovlev
Level 1

Hello!

In my test lab I can't get my webvpn configuration to work =\

I have several components: MS AD, MS CS (but without NDES), a 2911 router and a client computer. The client and the router each have a certificate from MS CS. In my configuration I use authentication by certificate or by aaa (LDAP), and authentication by aaa works fine. But authentication by client certificate doesn't work. My internal https services don't work either - "Invalid or no certificate", which is strange because I imported the CA certificate for this.

Can you help me make it work?

My 2911 version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)

My Config:

aaa authentication login webvpn group ldap local
ip local pool webvpn 192.168.200.1 192.168.200.254
bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd
webvpn gateway vpn
 ip address <ip address> port 4443
 ssl trustpoint root-ca
 inservice
!
webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
!
webvpn context employee
 ssl authenticate verify all
 !
 login-message "VPN Portal"
 !
 policy group policy1
   url-list "inside"
   functions svc-enabled
   filter tunnel VPN-SPLIT
   svc address-pool "webvpn" netmask 255.255.255.0
   svc default-domain "domain.com"
   svc keep-client-installed
   svc split dns "domain.com"
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary 192.168.1.1
   svc dns-server secondary 192.168.1.2
   citrix enabled
 virtual-template 1
 default-group-policy policy1
 aaa authentication list webvpn
 gateway vpn
 authentication certificate
 username-prefill
 ca trustpoint root-ca
 user-profile location flash0:/userprof
 inservice
!
crypto pki trustpoint root-ca
 enrollment terminal
 revocation-check none
 rsakeypair root-ca
!

I imported the certificate from a pkcs12 file together with the CA certificate.

From my debug (this happened when I tried to access my webvpn portal and chose my certificate from MS CS for access):

Jun  5 11:22:39: WV: validated_tp :  cert_username :  matched_ctx :
Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun  5 11:22:39: WV: Error: No certificate validated for the client

Can anybody explain to me why it doesn't work?
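Reading those debug lines is easier with a small parser. The Python script below is an added example, not code from the original post or from Cisco: it groups `debug webvpn` output into per-handshake attempts using the summary-line format quoted above, and reports the empty validated_tp / cert_username / matched_ctx fields, which say that no trustpoint validated the client certificate, no username was extracted for username-prefill, and the certificate was never mapped to a context. The final, successful-looking line in the sample input is constructed and hypothetical: the thread does not show what a populated summary line looks like, so its field values are assumed.

```python
import re
from dataclasses import dataclass, field

# Lines the router prints under "debug webvpn" when a client offers a
# certificate. The summary line names the trustpoint that validated the
# certificate, the username pulled from it, and the context it was mapped to;
# on the failing router in the post all three are empty.
SUMMARY_MARK = "WV: validated_tp :"
LABEL_RE = re.compile(r"\s*(validated_tp|cert_username|matched_ctx)\s*:\s*")
ERROR_RE = re.compile(r"WV: Error: (?P<msg>.+?)\s*$")
APPINFO_MSG = "WV: failed to get sslvpn appinfo from opssl"
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d): ")


@dataclass
class CertAuthAttempt:
    """One client-certificate handshake reconstructed from debug output."""
    timestamp: str = ""
    trustpoint: str = ""
    username: str = ""
    context: str = ""
    errors: list = field(default_factory=list)
    appinfo_failures: int = 0

    @property
    def ok(self) -> bool:
        # A usable certificate logon needs a validating trustpoint, a username
        # (for username-prefill) and a context, and no WV error afterwards.
        return bool(self.trustpoint and self.username and self.context) and not self.errors

    def findings(self) -> list:
        notes = []
        if not self.trustpoint:
            notes.append("no trustpoint validated the client certificate: the issuing CA "
                         "must be in the trustpoint named by 'ca trustpoint'")
        if not self.username:
            notes.append("no username extracted from the certificate, so username-prefill "
                         "has nothing to fill")
        if not self.context:
            notes.append("certificate was not mapped to a WebVPN context")
        for msg in self.errors:
            notes.append("router reported: " + msg)
        if self.appinfo_failures:
            notes.append(f"{self.appinfo_failures}x '{APPINFO_MSG}'")
        return notes


def parse_summary(line: str) -> dict:
    """Split 'validated_tp : X cert_username : Y matched_ctx : Z' into a dict; empty values allowed."""
    body = line.split("WV: ", 1)[1]
    parts = LABEL_RE.split(body)  # ['', label, value, label, value, ...]
    it = iter(parts[1:])
    return {label: value.strip() for label, value in zip(it, it)}


def analyze(lines) -> list:
    """Group debug lines into handshake attempts and return them in order."""
    attempts = []
    current = None
    for raw in lines:
        line = raw.rstrip()
        ts_match = TS_RE.match(line)
        ts = ts_match.group("ts") if ts_match else ""
        if SUMMARY_MARK in line:
            fields = parse_summary(line)
            current = CertAuthAttempt(timestamp=ts,
                                      trustpoint=fields.get("validated_tp", ""),
                                      username=fields.get("cert_username", ""),
                                      context=fields.get("matched_ctx", ""))
            attempts.append(current)
        elif current is None:
            continue  # ignore lines before the first handshake summary
        elif APPINFO_MSG in line:
            current.appinfo_failures += 1
        else:
            err = ERROR_RE.search(line)
            if err:
                current.errors.append(err.group("msg"))
    return attempts


# Sample input: the four lines quoted in the post, followed by a constructed,
# hypothetical successful handshake in the same format (field values assumed).
SAMPLE_DEBUG = [
    "Jun  5 11:22:39: WV: validated_tp :  cert_username :  matched_ctx :",
    "Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl",
    "Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl",
    "Jun  5 11:22:39: WV: Error: No certificate validated for the client",
    "Jun  5 11:30:02: WV: validated_tp : root-ca cert_username : jdoe matched_ctx : employee",
]

if __name__ == "__main__":
    for attempt in analyze(SAMPLE_DEBUG):
        print(f"{attempt.timestamp}: {'OK' if attempt.ok else 'FAILED'}")
        for note in attempt.findings():
            print("  -", note)
```

Run it on a saved `debug webvpn` capture (one line per list element) and the first attempt from the post comes out as FAILED with all three summary fields empty, which is the point to start from: the CA that issued the client certificate has to be present in the trustpoint referenced by `ca trustpoint root-ca`, or the router cannot validate the certificate at all.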

1 Accepted Solution

Solved by IOS upgrade - to version 15.2(4)M2.

3 Replies

pnavratil
Level 1

Hi,

did you find any solution for this? It seems I am in the same situation now.

I am testing it with a Cisco 2911 - IOS version 151-3.T4 and the latest AnyConnect client for Android (Samsung Galaxy S III mobile).

Thanks for any advice/help

Pavel

Hello!

Sorry, but I didn't find an answer to this question... I use login/password authentication and AnyConnect for my internal https sites.

Solved by IOS upgrade - to version 15.2(4)M2.

Regards