09-07-2008 11:49 PM
The trouble is with authentication. Cisco changed the whole command syntax in recent IOS versions, so there are NO "webvpn context" subconfig modes and commands anymore. Almost every document I found on the Cisco site references the old command structure and is useless for my IOS version.
The main point is that I haven't found a single command that configures webvpn authentication, be it AAA or local. The site does open, but I cannot log in. Regarding this, here are the lines that appear in the router log. BTW, it is a 2811 with the advanced security IOS.
AAA/AUTHEN/LOGIN (00000000): Pick method list 'Permanent Local'
SSLVPN: User: SOMEUSER password: ******* is sent to AAA for authentication
SSLVPN: AAA Authentication Failed !
I have Cisco ACS configured and working in my network, but I can't configure the router to work with it.
Here is the config:
webvpn enable gateway-addr x.x.x.x
webvpn
ssl encryption 3des-sha1
ssl trustpoint TP-self-signed-417989771
title "Welcome..."
login-message "login please..."
url-list URL_list
heading "some urls"
url-text "some url" url-value some-server
This is enough for webvpn site to come up. But authentication won't work. Look at the commands available in webvpn subconfig mode:
RTinternet(config)#webvpn
RTinternet(config-webvpn)#?
SSLVPN Submode commands:
exit Exit from SSLVPN mode
idle-timeout Idle timeout in seconds
login-message Login messsage to be displayed
logo Logo file to be displayed
no Negate or set default values of a command
port-forward Port forwarding
secondary-color Secondary color for the browser
secondary-text-color Secondary text color for the browser
session-timeout Session timeout in seconds
ssl SSL related configuration
text-color Text color for the browser
title Title to be displayed on the browser
title-color Title color for the browser
url-list URL list configuration submode
There is no authentication command whatsoever. In earlier IOS versions, when one enters webvpn context subconfig mode, there is a command "aaa authentication ..." and everything is easy to configure.
It seems that IOS is trying to find a method list configured for webvpn, but it cannot find one, so it goes for the default "permanent local" - as stated in the router log.
Any help is appreciated - I have been trying for days to solve the problem, and even asked some other Cisco guys, but no one knows this new IOS syntax.
09-08-2008 02:31 AM
Do you have:
(config)# webvpn context SecureMeContext
(config-webvpn-context)# aaa authentication list sslvpn
(config-webvpn-context)# gateway SecureMeGW domain securemeinc
(config-webvpn-context)# inservice
(config-webvpn-context)# max-users 100
09-08-2008 02:47 AM
No, as I said in my first post, there is no such command in this IOS version. You can't enter "webvpn context" command at all. Look:
RTinternet(config)#webvpn ?
enable Enable webvpn
You just write "webvpn", hit "enter" and you are in webvpn config mode:
RTinternet(config)#webvpn
RTinternet(config-webvpn)#
Once you are in there, there is no command related to authentication. Check my first post, you will see what commands are available.
09-08-2008 06:15 AM
I think you are using an IOS version that does not support webvpn. I deployed the IOS AnyConnect SSL VPN on the VERY LATEST IOS last week;
!
aaa new-model
!
!
aaa authentication login default local line
aaa authorization network defaultvpn local
!
!
ip local pool sslvpnpool 10.1.30.50 10.1.30.100
!
!
webvpn gateway company
hostname company_RTR_1
ip address 64.12.220.210 port 443
http-redirect port 80
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint TP-self-signed-1602173945
logging enable
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context company-context
title "company Capital Secure Portal: Unathorized Access Prohibited"
ssl authenticate verify all
!
login-message "This is a secure system, unauthorized access prohibited"
!
policy group company-policy
functions svc-required
banner "Login Successful"
hide-url-bar
timeout idle 1800
timeout session 86400
filter tunnel sslvpnsplit
svc address-pool "sslvpnpool"
svc default-domain "company.local"
svc keep-client-installed
svc dpd-interval gateway 30
svc rekey time 28800
svc rekey method new-tunnel
default-group-policy company-policy
aaa authentication list default
aaa authorization list defaultvpn
gateway company
max-users 25
logging enable
inservice
09-08-2008 06:55 AM
@everyone who replied
After reading these posts and a few chapters from various books, I found out that every time the default AAA method list was used for login authentication. I didn't have this command on my router, because I was using several named lists for various purposes. When I entered
aaa authentication login default group someACSgroup local
login started to work!
Basically, the problem appeared because there is no command (or I haven't found it) for picking up specific named AAA method list - the router is using the default one.
So, either this is a bug, or some kind of a strange IOS developer logic, or I am still missing something out...
@joe
Can you tell me what IOS version you have? You know, I tried again to enter the "webvpn context" and "webvpn install" commands, and it just doesn't understand them. My IOS is ADVSEC; now webvpn works, but these commands don't. I don't have the "inservice" command either. Webvpn starts to work right after typing "webvpn enable" and there is no need for the inservice command.
Thanks anyway for the help guys!
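The thread converges on one rule: a webvpn context that carries "aaa authentication list <name>" uses that named list, a context (or the plain "webvpn" submode on the ADVSEC image, which has no such command) uses the login list called "default", and when no "default" list exists the router drops to its built-in local database, which is what the "Pick method list 'Permanent Local'" log line reports. The following audit script is an added example written for this page, not code from the thread or from Cisco; it parses a saved IOS configuration, reports which login list each WebVPN context will actually use, and flags the case the original poster hit. The sample configs, the 192.0.2.x addresses and the parsing rules (a small subset of IOS syntax) are constructed for the example.

```python
"""Audit which AAA login method list a Cisco IOS WebVPN config will use.

Added example, not from the thread or from Cisco. Rules modelled:
  * context with 'aaa authentication list X' -> login list X
  * context (or plain 'webvpn' submode) without it -> login list 'default'
  * no 'default' list defined -> IOS falls back to local users only
Sample configs below are constructed for this example.
"""
import re

AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
CONTEXT_RE = re.compile(r"^webvpn context (\S+)\s*$")
CONTEXT_LIST_RE = re.compile(r"^\s+aaa authentication list (\S+)\s*$")

# Label for the ADVSEC-style 'webvpn' submode that has no named context.
FLAT_SUBMODE = "<webvpn submode, no context>"


def parse_config(text):
    """Return (login_lists, bindings).

    login_lists: list name -> method string, e.g. 'group acs local'
    bindings:    context name -> bound list name, or None when the context
                 relies on the implicit 'default' list.
    """
    login_lists, bindings, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            current = None  # any top-level command closes the open block
            m = AAA_LOGIN_RE.match(line)
            if m:
                login_lists[m.group(1)] = m.group(2).strip()
                continue
            m = CONTEXT_RE.match(line)
            if m:
                current = m.group(1)
                bindings[current] = None
                continue
            if line == "webvpn":
                current = FLAT_SUBMODE
                bindings.setdefault(current, None)
            continue
        m = CONTEXT_LIST_RE.match(line)
        if current is not None and m:
            bindings[current] = m.group(1)
    return login_lists, bindings


def effective_lists(text):
    """Map every WebVPN context to (list name, methods or None if undefined)."""
    login_lists, bindings = parse_config(text)
    return {ctx: (bound or "default", login_lists.get(bound or "default"))
            for ctx, bound in bindings.items()}


def findings(text):
    """Return (severity, message) tuples for each problematic binding."""
    out = []
    for ctx, (name, methods) in effective_lists(text).items():
        if methods is None and name == "default":
            out.append(("error", f"{ctx}: no 'aaa authentication list' and no "
                        "'default' login list; IOS falls back to local users only"))
        elif methods is None:
            out.append(("error", f"{ctx}: bound login list '{name}' is not defined"))
        elif "group" not in methods.split():
            out.append(("info", f"{ctx}: list '{name}' ({methods}) uses no "
                        "external AAA server group"))
    return out


# Constructed sample: named lists only, no 'default' (the failing case).
OP_CONFIG_BROKEN = """\
aaa new-model
aaa authentication login CONSOLE local
aaa authentication login VTY group someACSgroup local
!
webvpn enable gateway-addr 192.0.2.1
webvpn
 ssl encryption 3des-sha1
 title "Welcome..."
"""

# Same config after adding the default list that made login work.
OP_CONFIG_FIXED = OP_CONFIG_BROKEN.replace(
    "aaa new-model\n",
    "aaa new-model\naaa authentication login default group someACSgroup local\n")

# Constructed sample in the newer 'webvpn context' syntax, local-only list.
JOE_CONFIG = """\
aaa new-model
aaa authentication login default local line
aaa authorization network defaultvpn local
!
webvpn gateway company
 ip address 192.0.2.2 port 443
 inservice
!
webvpn context company-context
 title "Secure Portal"
 aaa authentication list default
 aaa authorization list defaultvpn
 gateway company
 inservice
"""

if __name__ == "__main__":
    for label, cfg in (("broken", OP_CONFIG_BROKEN), ("fixed", OP_CONFIG_FIXED),
                       ("context", JOE_CONFIG)):
        print(label, effective_lists(cfg))
        for severity, message in findings(cfg):
            print(f"  [{severity}] {message}")
```

Run against a "show running-config" capture saved to a file, the script tells you in one pass whether each portal is really bound to the ACS group you intended or is silently authenticating against the local user database.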