SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

r.rung
Level 1

Hello,

I have a problem regarding the authentication with a certificate from the iPhone AnyConnect 2.5 client to a Cisco 1802 router.

Cisco 1802 Router:

Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)

First I configured SSLVPN with username and password; in this configuration the AnyConnect client on my iPhone works.

Then I enrolled a certificate from my Windows 2008 R2 CA to the router with the attributes Server Authentication and IPSEC,

and I enrolled a certificate for my iPhone with Client Authentication and IPSEC.

After a bunch of time (I really could not find a really good documentation on how to do this) I got it done. In the webvpn context configuration I made these changes:

no aaa authentication list default
authentication certificate
ca trustpoint CA

As the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if I want only certificate authentication I have to use the "authentication certificate" command and that's it.

As I look into the debugs it seems to me that the router accepts the certificate of the iPhone, but then I receive a window on the iPhone that wants an additional username and password authentication, and no matter what I enter there's always the same dialog coming back.

Any ideas what the problem could be?

Here is the configuration:

webvpn gateway WEBVPN_GW_OFFICE2
 ip interface Dialer0 port 1444
 ssl trustpoint CA
 inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
 secondary-color white
 title-color #669999
 text-color black
 ssl authenticate verify all
 !
 !
 policy group WEBVPN_POLICY2
   functions svc-enabled
   mask-urls
   svc address-pool "SSLVPN_OFFICE1"
   svc default-domain "domain.internal"
   svc keep-client-installed
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary 192.168.53.33
   svc dns-server secondary 192.168.53.35
 virtual-template 3
 default-group-policy WEBVPN_POLICY2
 gateway WEBVPN_GW_OFFICE2
 authentication certificate
 ca trustpoint CA
 inservice

Here is the debug:

OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
      offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
      offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
      offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
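As an added example (not part of the original post), a small Python parser for the WV debug lines above that groups them per HTTP request and flags requests where the trustpoint matched but cert_username came back empty, which is exactly the pattern in every request shown. The reading that an empty cert_username means the gateway could take no user identity from the certificate and therefore falls back to the login prompt is an assumption, not something the post or the IOS documentation confirms.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the "debug webvpn" lines from the post.
SAMPLE_DEBUG = """\
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
"""

LABEL_RE = re.compile(r"(validated_tp|cert_username|matched_ctx)\s*:")
REQUEST_RE = re.compile(r"WV: http request: (\S+)")
FAILED_RE = re.compile(r"Appl\. processing Failed : (\d+)")

@dataclass
class Request:
    path: str
    validated_tp: str = ""     # trustpoint the client certificate chained to
    cert_username: str = ""    # username the gateway derived from the certificate
    failure_code: int = -1     # N from "Appl. processing Failed : N", -1 if absent

def parse_webvpn_debug(text: str) -> list:
    """Group WV debug lines per HTTP request and keep the cert-auth fields."""
    requests = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests.append(Request(path=m.group(1)))
        elif requests and "validated_tp" in line:
            # Tokens alternate label, value, label, value; strip() also copes
            # with the comma-separated "Received appinfo" continuation line.
            tokens = LABEL_RE.split(line)[1:]
            for label, value in zip(tokens[::2], tokens[1::2]):
                if label != "matched_ctx":
                    setattr(requests[-1], label, value.strip(" ,"))
        elif requests and (m := FAILED_RE.search(line)):
            requests[-1].failure_code = int(m.group(1))
    return requests

def diagnose(req: Request) -> str:
    """Assumed reading: matched trustpoint plus empty cert_username = no identity from cert."""
    if req.validated_tp and not req.cert_username:
        return f"{req.path}: cert validated via trustpoint {req.validated_tp} but no username derived"
    if req.cert_username:
        return f"{req.path}: certificate user {req.cert_username} accepted"
    return f"{req.path}: no certificate validation recorded"
```

Feed the full output of debug webvpn to parse_webvpn_debug() and print diagnose() per request to see where the certificate is accepted but no username is extracted.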

4 Replies

r.rung
Level 1

I also tried to export my user certificate from my Windows 7 and imported it to the iPhone: same result.

And I tried IOS Version 15.1(3)T2.

Here is the same behavior, BUT: if I enter a correct username and password which is configured locally on the router, then I get "Connected".

But I can't use this IOS because of another bug, and my aim is to find a solution where I don't need an additional username and password...

Hello Marwan,

as it seems not to be supported I stopped working on that,

I'm sorry.

Marwan Urabi
Level 1

Hi,

did you find a solution for your problem? I have the same issue. I hope you found it; if yes, can you help me and post your config example and what requirements I should have to make a certificate in Windows 7.

Thank you,

Best Regards

Marwan Urabi