ASA - WebVPN Client Certificate + AAA Authentication

Unanswered Question
Mar 26th, 2007


I am trying to configure WebVPN on an ASA to first authenticate a user's client certificate and then perform AAA authentication using a username/password pair prior to granting WebVPN access.

Can anyone confirm whether this is possible?

So far I have client certificate authentication working; however, access is granted without ever prompting for AAA credentials.

My AAA configuration is working correctly as I can successfully authenticate users for access using AAA if I disable client certificate authentication.

In my WebVPN tunnel group I have WebVPN authentication selected for both certificate and AAA.

When I attempt to connect, the user certificate is authenticated successfully; however, the ASA appears to be submitting the CN from the cert to the AAA server for authentication rather than prompting for AAA credentials.

Any suggestions would be greatly appreciated.

Many thanks


j-block Fri, 03/30/2007 - 10:35

If the WebVPN tunnel-group is set for AAA+Certificate Authentication, the ASA will perform the certificate authentication but skip the follow-on AAA authentication, and allow the session to establish.

Refer to this bug ID: CSCsh67971

