
WebVPN (SSL Clientless VPN) without certificates

s.nasheet
Level 1

Hi,

I have issues connecting to the WebVPN as it's asking for some certificate for authentication. I am using the self-generated certificate, but when I try to connect to the SSL gateway via its IP address, the browser expects me to provide the certificate. I want to tell the browser to use the self-generated certificate of the ASA5505, but I am not sure how to do it.

I understand that when WebVPN/SSL clientless VPN tries to establish the VPN, the ASA sends the certificate back to the browser to accept/authenticate it, but when I connect I don't get any certificate where I say YES to accept it.

Can I just disable the certificate with SSL and just use username/password to create a WebVPN?

Can anyone please advise as I have read Cisco docs but still make SSL work.

Thanks

Salman

7 Replies

guibarati
Level 4

What IOS version are you using?

ASA version 7.2 (on 5505 platform).

Thanks

Salman

Working sample.

Adjust necessary information and need no_nat acl:

crypto key generate rsa label sslvpnkeypair
!
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.cisco.com
subject-name CN=sslvpn.cisco.com
keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
!
ssl trust-point localtrust outside
!
!
!
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
!
!
webvpn
enable outside
svc enable
!
!
!
ip local pool SSLClientPool 10.100.25.128-10.100.25.254
!
!
!
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.50.5
vpn-tunnel-protocol svc
default-domain value tsweb.local
address-pools value SSLClientPool
!
!
sysopt connection permit-vpn
!
!
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
!
webvpn
tunnel-group-list enable
!
!
nat (inside) 0 access-list no_nat
!
!
!
!
username abc password p@ssw0rd
username abc attributes
service-type remote-access
!
!

If yours looks like this and still doesn't work, post your config with relevant information.

Thanks.

Is this config for the webvpn (clientless) solution?

I just want to enable browser-based SSL VPN to avoid users having to install a VPN client on PCs.

Cheers

Salman

!!!!!From the script you only need this change:

webvpn

no svc enable (if your config already has this line. If not, you are good)

!!!!!also no need for:

webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

!!!!!and you need to use the correct protocol in:

group-policy SSLCLientPolicy attributes

vpn-tunnel-protocol ? (I don't know the protocol options for version 7.2. You need the option for webvpn)
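
The three changes listed in the reply above, written as a check that can be run over a saved configuration. This is an added example, not part of the thread: `audit_clientless` and the sample excerpt are constructed here, and the parser assumes the flattened, `!`-separated layout the config has on this page. It also reports an `ssl trust-point` line that names a trustpoint the config never defines.

```python
import re

# Constructed sample: excerpt of the configuration posted in this thread,
# flattened (no indentation) the way it appears on the page.
SAMPLE_CONFIG = """\
crypto ca trustpoint localtrust
enrollment self
!
ssl trust-point localtrust outside
!
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
!
webvpn
enable outside
svc enable
!
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
vpn-tunnel-protocol svc
!
"""

# Block headers this check cares about; sub-commands follow until the next "!".
HEADER = re.compile(r"(webvpn|group-policy (\S+) attributes|crypto ca trustpoint (\S+))$")

def audit_clientless(config):
    """List the lines that keep a config from being clientless-only."""
    findings, section, policy = [], None, None
    defined, referenced = set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("", "!"):            # "!" closes the current block
            section = None
            continue
        head = HEADER.match(line)
        if head:
            section, policy = head.group(1).split()[0], head.group(2)
            defined.add(head.group(3))   # None for non-trustpoint headers
        elif line.startswith("ssl trust-point "):
            referenced.append(line.split()[2])
        elif section == "webvpn" and re.match(r"svc (enable|image)\b", line):
            findings.append("webvpn: " + line)
        elif section == "group-policy" and line.startswith("vpn-tunnel-protocol "):
            if "svc" in line.split()[1:]:
                findings.append("group-policy %s: %s" % (policy, line))
    for name in referenced:              # certificate the ASA presents to browsers
        if name not in defined:
            findings.append("ssl trust-point: undefined trustpoint " + name)
    return findings
```
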

OK thanks, let me try this. I will come back with the results.

Regards


Salman