I am configuring WebVPN on Cisco Router 3925e with Certificate and AAA authentication.
Versions of software I use:
C3925e = c3900e-universalk9-mz.SPA.152-4.M5.bin
AnyConnect = anyconnect-win-3.1.05170
OS = Windows 7 SP1
Configuring WebVPN with certificate authentication was successful, but there is a problem with the Windows version of AnyConnect. When a user tries to connect, AnyConnect shows a message like the one in the screenshot:
The user has to go to the WebVPN web portal, pass authentication, press the START button, and only after that does AnyConnect start connecting. This problem exists only if certificate authentication is on, and only with the Windows version of AnyConnect. AnyConnect with certificate authentication on mobile devices works great.
All certificates are valid and trusted.
I have webvpn debug output. The output below is from when AnyConnect tells us about "web authentication":
.Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event
.Jul 12 02:58:08.519: WV: Entering APPL with Context: 0x25BE6658, Data buffer(buffer: 0x26B38320, data: 0xC8F3798, len: 203, offset: 0, domain: 0)
.Jul 12 02:58:08.519: WV: http request: / with no cookie
.Jul 12 02:58:08.519: WV: validated_tp : cert_username : matched_ctx :
.Jul 12 02:58:08.519: WV: failed to get sslvpn appinfo from opssl
.Jul 12 02:58:08.519: WV: Error: No certificate validated for the client
.Jul 12 02:58:08.519: WV: Client side Chunk data written.. buffer=0x26B38420 total_len=408 bytes=408 tcb=0x29C907E8
.Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event
When I passed web authentication through the web portal, the connection was established successfully; the debug is as follows:
.Jul 12 03:21:52.089: WV: sslvpn process rcvd context queue event
.Jul 12 03:21:52.089: WV: Entering APPL with Context: 0x25BE6AD8, Data buffer(buffer: 0x26B38320, data: 0xC83D798, len: 238, offset: 0, domain: 0)
.Jul 12 03:21:52.089: WV: Fragmented App data - buffered
.Jul 12 03:21:52.089: WV: Entering APPL with Context: 0x25BE6AD8, Data buffer(buffer: 0x26B38420, data: 0xC8E5418, len: 486, offset: 0, domain: 0)
.Jul 12 03:21:52.089: WV: http request: / with no cookie
.Jul 12 03:21:52.089: WV: validated_tp : WEBVPN cert_username : matched_ctx :
.Jul 12 03:21:52.089: WV: Received appinfo validated_tp : WEBVPN, matched_ctx : ,cert_username :
.Jul 12 03:21:52.089: WV: Trustpoint match successful
.Jul 12 03:21:52.089: WV: Client side Chunk data written.. buffer=0x26B38240 total_len=196 bytes=196 tcb=0x29924B98
Here is part of my WebVPN configuration:
crypto pki trustpoint FOR_WEB_AND_VPN
 enrollment terminal
 fqdn vpn.xxxxxxx.xx
 subject-name CN=vpn.xxxxxxx.xx
 revocation-check none
 rsakeypair ca.key
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05170-k9.pkg sequence 1
!
webvpn gateway WebVPN-clients
 ip interface GigabitEthernet0/0.90 port 443
 http-redirect port 80
 ssl encryption rc4-md5
 ssl trustpoint FOR_WEB_AND_VPN
 inservice
!
webvpn context WebVPN
 title
 login-photo none
 vrf-name LAN
 aaa authentication list webvpn
 aaa accounting list webvpn
 gateway WebVPN-clients
 authentication certificate aaa
 ca trustpoint FOR_WEB_AND_VPN
 !
 ssl authenticate verify all
 inservice
 !
 policy group webvpnpolicy
  functions svc-enabled
  svc address-pool "webvpn-pool" netmask 255.255.255.0
  svc default-domain "domain.local"
  svc keep-client-installed
  svc split include 10.10.0.0 255.255.0.0
 default-group-policy webvpnpolicy
!
I have found a post (URL) whose author has exactly the same issue as mine. I tried all the suggestions given there, but I still have the same issue.
I really have no idea what's wrong, and I hope that somebody can help me find a solution to this problem.
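The two debug excerpts above differ in one field: in the failing attempt validated_tp is empty and the router logs "No certificate validated for the client", while in the working one validated_tp is WEBVPN and "Trustpoint match successful" follows. The script below is an added example (not code from the original post or from Cisco) that splits a pasted "debug webvpn" blob back into records and summarises whether the client certificate was validated, so the two cases can be told apart without reading the output by hand. The sample input is constructed from the excerpts quoted in the post; the record format assumed is the IOS timestamp prefix ".Mon DD hh:mm:ss.mmm: ".

```python
import re
from typing import Dict, List

# Constructed sample input: the two "debug webvpn" excerpts quoted in the post,
# in the run-together form they were pasted in (records separated by " .").
FAILED_DEBUG = (
    ".Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event "
    ".Jul 12 02:58:08.519: WV: http request: / with no cookie "
    ".Jul 12 02:58:08.519: WV: validated_tp : cert_username : matched_ctx : "
    ".Jul 12 02:58:08.519: WV: failed to get sslvpn appinfo from opssl "
    ".Jul 12 02:58:08.519: WV: Error: No certificate validated for the client "
)
SUCCESS_DEBUG = (
    ".Jul 12 03:21:52.089: WV: http request: / with no cookie "
    ".Jul 12 03:21:52.089: WV: validated_tp : WEBVPN cert_username : matched_ctx : "
    ".Jul 12 03:21:52.089: WV: Received appinfo validated_tp : WEBVPN, matched_ctx : ,cert_username : "
    ".Jul 12 03:21:52.089: WV: Trustpoint match successful "
)

# Assumed record layout: ".<Mon> <day> <hh:mm:ss.mmm>: <message>".
TS_PREFIX = re.compile(r"\.[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}: ")
RECORD = re.compile(r"\.(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)")
# The trustpoint name follows "validated_tp :"; when the field is empty the
# next label ("cert_username" / "matched_ctx") runs straight into it.
VALIDATED_TP = re.compile(r"validated_tp\s*:\s*(?P<tp>[^\s,]*)")
FIELD_LABELS = {"cert_username", "matched_ctx"}


def split_records(blob: str) -> List[Dict[str, str]]:
    """Split a pasted debug blob into {ts, msg} records.

    Records are located by their timestamp prefix, so one-record-per-line
    output and the run-together form above are handled the same way.
    """
    starts = [m.start() for m in TS_PREFIX.finditer(blob)]
    records = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(blob)
        m = RECORD.match(blob[start:end].strip())
        if m:
            records.append({"ts": m.group("ts"), "msg": m.group("msg").strip()})
    return records


def assess_cert_auth(blob: str) -> Dict[str, object]:
    """Report whether the WebVPN client certificate was validated.

    Returns the trustpoint that validated the certificate (None if none did),
    whether the router logged a successful trustpoint match, and every
    error/failure line so the reason for a rejection is visible.
    """
    result: Dict[str, object] = {"trustpoint": None, "cert_validated": False, "errors": []}
    for rec in split_records(blob):
        msg = rec["msg"]
        m = VALIDATED_TP.search(msg)
        if m:
            tp = m.group("tp")
            if tp in FIELD_LABELS:  # empty field: regex picked up the next label
                tp = ""
            if tp:
                result["trustpoint"] = tp
        if "Trustpoint match successful" in msg:
            result["cert_validated"] = True
        if "Error:" in msg or "failed to" in msg:
            result["errors"].append(msg)
    return result


if __name__ == "__main__":
    for label, blob in (("failed attempt", FAILED_DEBUG), ("working attempt", SUCCESS_DEBUG)):
        r = assess_cert_auth(blob)
        print(f"{label}: trustpoint={r['trustpoint']} validated={r['cert_validated']}")
        for err in r["errors"]:
            print(f"  {err}")
```

The check looks only at the certificate path; it says nothing about the SSL settings. Note that the gateway above pins ssl encryption rc4-md5, a legacy suite that RFC 7465 prohibits in TLS, which is worth reviewing separately from this problem.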
I had a similar problem but with a Cisco ASR 1006 and Flex VPN configuration. When I configured the "reconnect" option on the ASR, the AnyConnect software kept failing with Win7 (only Win7, I tested on MAC, Ubuntu and Win8 and everything was right with those). In some scenarios with a captive portal, I saw the "Web authentication required" message.
crypto ikev2 profile Perfil-IKEv2
 match identity remote key-id xxxxx
 identity local fqdn xxxxx
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint xxxxx
 aaa authentication eap LoginPorRadius
 aaa authorization group eap list NetworkPorRadius name-mangler MANGLAR
 aaa authorization user eap cached
 aaa accounting eap AccountingPorRadius
 reconnect timeout 1800
I tested AnyConnect versions 3.0.0, 3.0.1 and 3.1.0, all unsuccessfully. Today I finally succeeded with AnyConnect version 4.0 on Win7.
I know it is not the same scenario, but it may be worth trying that version. It has been hard to find information about this error.
Juan Jose Gaytan