09-13-2010 11:18 AM
Hi there,
I have successfully configured WebVPN using client side certificate-based authentication and AAA. But when I use the username-prefill command, I always get "login" as the username. How can I configure the IOS to get the UPN from the certificate?
Thanks.
Nuno Vaz
09-13-2010 12:11 PM
What version of code are you testing with?
09-14-2010 01:38 AM
I'm using IOS Version 15.0(1)M3
11-14-2010 09:13 AM
I upgraded the IOS to version 15.0(1)M3 and the problem remains the same.
After choosing the certificate to use, in the WebVPN login page the username field is locked and empty. I enter the password for the user in the certificate and get this debug:
*Nov 14 16:48:51.183: CRYPTO_PKI: Adding peer certificate
*Nov 14 16:48:51.187: CRYPTO_PKI: Check for identical certs
*Nov 14 16:48:51.187: CRYPTO_PKI: Create a list of suitable trustpoints
*Nov 14 16:48:51.187: CRYPTO_PKI: Suitable trustpoints are: ************,
*Nov 14 16:48:51.187: CRYPTO_PKI: Attempting to validate certificate using ***************
*Nov 14 16:48:51.203: CRYPTO_PKI: Certificate is verified
*Nov 14 16:48:51.203: CRYPTO_PKI: Checking certificate revocation
*Nov 14 16:48:51.215: CRYPTO_PKI: Certificate validation succeeded PASSING appctx is [0x***************
*Nov 14 16:49:05.711: AAA/AUTHEN/LOGIN (00000000): Pick method list '***************'
*Nov 14 16:49:05.711: WV-AAA: AAA authentication request sent for user: "Login"
*Nov 14 16:49:07.715: WV-AAA: AAA Authentication Failed!AAA authentication request sent for user: "Login"
The username of the user isn't "Login". Where is the IOS getting this value from?
In Cisco ASA there is a command that allows you to choose the certificate field to be used as username. Is there any command for this on IOS?
Can anybody help me?
Thanks in advance.
06-29-2012 04:41 PM
I have the same issue if I use these two commands together: "authentication certificate aaa" and "username-prefill".
I run IOS version 15.1(3)T1
Btw, Certificate-Only Authentication and Authorization Mode also doesn't work, because the router can't take "cert_username" from a certificate. It always appears empty in the debug:
002542: Jun 30 03:32:01.622 MSK: WV: validated_tp : cert_username : matched_ctx :
002543: Jun 30 03:32:01.622 MSK: WV: Received appinfo
validated_tp : corpca, matched_ctx : ,cert_username :
002544: Jun 30 03:32:01.622 MSK: WV: Trustpoint match successful
002545: Jun 30 03:32:01.622 MSK: WV: Extracted username: pass: ?
Does anybody have working client certificate authentication on IOS routers?
05-25-2015 11:53 PM
You can add configuration like "authorization username subjectname commonname" for the trustpoint used for authenticating client cert.
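As an added illustration, not posted by anyone in this thread, here is how that trustpoint command sits next to the WebVPN context commands discussed above. The trustpoint name (CLIENT-CA), context name (SSLVPN) and AAA list name (WEBVPN-AAA) are placeholders; the CRL setting is an assumption, and only the commands already named in the thread plus the standard trustpoint/context framing are used.

```cisco
! Trustpoint that validates the client certificates (name is a placeholder)
crypto pki trustpoint CLIENT-CA
 enrollment terminal
 ! Revocation checking kept on; a cert that cannot be checked should not log in (assumed setting)
 revocation-check crl
 ! Derive the AAA username from the certificate Subject CN instead of the literal "Login"
 authorization username subjectname commonname
!
! WebVPN context that uses that trustpoint for client-cert authentication (names are placeholders)
webvpn context SSLVPN
 ssl authenticate verify all
 aaa authentication list WEBVPN-AAA
 ! Certificate is validated, then the extracted username is sent to the AAA list
 authentication certificate aaa
 ! Pre-fill (and lock) the username field with the value extracted from the certificate
 username-prefill
```

Two checks worth doing after applying this: the "WV-AAA: AAA authentication request sent for user" debug line should now show the Subject CN rather than "Login", and the CN value must match what the AAA server expects as the account name. Note that this maps the Subject CN; the thread does not establish an IOS option for extracting the UPN from the certificate SAN, so a deployment that relies on UPN-named accounts needs to verify that separately.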