3745 + WebVPN (SSL VPN) + RADIUS

Unanswered Question
May 22nd, 2007

Hello All!


1) I have a 3745 and I'm configuring webVPN. Everything works fine, but I have a new task. I have 2 different policy groups on the 3745 for SSL VPN (webVPN) - policy_1 and policy_2. The 3745 checks user credentials on the RADIUS server (Microsoft IAS). My task is to configure the RADIUS server to send an attribute (with the group name, for example policy_2) to the 3745 to put the user in the specific group policy, depending on RADIUS and AD policies. How can I do it? I have already tried to configure the Class Attribute (number 25) with this "OU=policy_2;", but it's not working. What could be the solution?


By the way, I have found these links, but they are useless:



http://www.cisco.com/en/US/partner/products/ps6441/products_feature_guide09186a00805eeaea.html#wp1055019


http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=D65895FAC04F9F15B364AE2BB606582F.SJ1A;jsessionid=D65895FAC04F9F15B364AE2BB606582F.SJ1A?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddd91a9/2#selected_message


2) How can I disable the pop-up window (see attached image)? It pops up after I enter my username and password for logging in to webVPN!


Thanks in advance!
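The thread never answers question 1. As an added example (not from any of the posters), the following builds and decodes a RADIUS Access-Accept carrying both the Class attribute the poster tried and a Cisco AV-pair, and checks the Response Authenticator the way the router does, so you can compare against a packet capture of what IAS actually returns. The AV-pair name webvpn:user-vpn-group is the IOS SSL VPN group attribute as I know it and is not taken from this page, so confirm it against your IOS release; the shared secret and Request Authenticator are constructed test values.

```python
import hashlib
import struct

# RADIUS attribute numbers (RFC 2865) and Cisco's IANA enterprise number
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type-Length-Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    """Wrap a Cisco AV-pair string in a Vendor-Specific attribute (vendor 9, sub-type 1)."""
    sub = struct.pack("!BB", 1, 2 + len(text)) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Access-Accept (code 2); Response Authenticator = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", 2, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_authenticator, secret):
    """What the NAS does on receipt: recompute the authenticator with the shared secret."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return resp_auth == hashlib.md5(header + request_authenticator + body + secret).digest()

def parse_attributes(packet):
    """Decode the attribute list; Cisco VSAs are unpacked to (vendor, sub-type, text)."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            out.append(("vsa", vendor, sub_type, value[6:4 + sub_len].decode()))
        else:
            out.append(("attr", attr_type, value))
        pos += length
    return out

# Constructed sample: a zeroed Request Authenticator and a test shared secret
SAMPLE_REQ_AUTH = bytes(16)
SAMPLE_SECRET = b"testing123"
SAMPLE_ACCEPT = build_access_accept(7, SAMPLE_REQ_AUTH, SAMPLE_SECRET, [
    avp(ATTR_CLASS, b"OU=policy_2;"),  # what the poster tried (Class, attribute 25)
    cisco_avpair("webvpn:user-vpn-group=policy_2")])  # IOS SSL VPN group AV-pair (assumed)
```

Running parse_attributes over the bytes of a captured Access-Accept shows whether IAS is sending a plain Class attribute or a vendor 9 AV-pair, which is the first thing to check when the router ignores the group assignment.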


kevinsoliz Sun, 05/27/2007 - 12:30

Unfortunately I don't have an answer for you concerning your question, but maybe you can help me with something...


I have an 1811 also doing WebVPN with the RADIUS/IAS solution. I also have an IPSEC policy using the same authentication, but on the WebVPN I keep getting errors about the self-signed certificate. I can log in to the WebVPN, but when it gets to verifying the digital cert it errors out, even after I import it. Did you have this issue? I'm thinking I have to have a real cert signed by a trusted authority, is that correct?


Thanks,

Kevin Soliz

dmitri_vilesov Wed, 05/30/2007 - 22:17

Hello kevinsoliz, unfortunately I can't help you. Right now I'm using the IOS self-signed certificate. I also have our CA certificate installed on the router, but webVPN doesn't work with it (I don't know why? 8-)



colin-turner Fri, 06/08/2007 - 06:02

Hi Dmitri, I had the issue of a CA certificate not working on my router with webvpn.

It was fixed for me by:

* changing the router hostname and domain-name to match the certificate;

* confirming that the router date and time settings were correct;

* using SDM 2.4, I generated a new CSR for the CA certificate, using the same CA details (has to be the same FQDN);

* then I got the certificate re-issued and installed it onto the router using SDM.


Using the SDM wizard, I had to first install the CA root certificate, then the router certificate. Now I don't get any certificate warnings when I log in :-)


I hope that this helps.

dmitri_vilesov Tue, 07/10/2007 - 23:12

Hello! Thank you for your reply! Can you say more exactly which request you entered on the CA? SDM generates the request without such things as (----BEGIN REQUEST---- and ----END REQUEST----). Have you entered it? And what kind of certificate did you choose? (I have tried choosing Router offline certificate request)


Thanks in advance!

colin-turner Wed, 07/18/2007 - 03:35

Hi - I can't remember all the steps, but here goes.

When I used the SDM, I went into the configuration / VPN / VPN Components / Public Key Infrastructure / Certificate Enrollment section.

I chose the Cut-and-Paste Certificate Wizard and went through it to generate a CSR, which I sent off to my CA (Equifax), who sent me back the ----BEGIN REQUEST --- info.

I also exported my CA's certificate as a base64 .cep file by opening up IE and, under the tools / internet options / content tab / certificates button / trusted root certification authorities tab, selecting my CA and exporting it to a local drive.

I ran the cut-and-paste certificate wizard again to finish off the enrollment, using my router certificate (the ----BEGIN REQUEST --- info) as well as the .cep file for my CA.


My config looks like this:

crypto pki trustpoint SSLCert
 enrollment terminal
 serial-number none
 fqdn xxx.abc.com
 ip-address none
 password 7 xxxxxxxxxxxxxxx
 subject-name O=companyname, CN=xxx.abc.com, C=GB, E=[email protected]
 revocation-check crl
 rsakeypair SDM-RSAKey-46456567778
crypto pki certificate chain SSLCert
 certificate 598743 nvram:EquifaxSecur#27B3.cer


I hope that this helps,

colin-turner Fri, 06/08/2007 - 06:07

Hi Kevin,


Have you got a loopback adapter on your router with an IP address set within the address range pool that you have assigned to your webvpn clients?

I saw this solution in another post and it worked for me.


Good luck...

kevinsoliz Fri, 06/08/2007 - 14:15

Really, that's all there was to it?


I'll give that a shot, I currently don't have a loopback interface configured.

kevinsoliz Sun, 06/24/2007 - 09:27

Hot damn dude, you were right :-)


Configured a loopback in the same address space as the VPN and voila, connection!


I assume this works because there wasn't a routed interface configured for the VPN users. When I originally set up the IPSEC stuff I just created a permit list via an ACL to define the network, a simple class C.


I'm thinking about redoing it and creating a proper VPN DHCP pool with a routed interface then ACLing it off.


I don't think I'd need the loopback if I went that route... What do you think?


Thanks again.
