3745 + WebVPN (SSL VPN) + RADIUS

dmitri_vilesov
Level 1

Hallo All!

1) I have a 3745 and I'm configuring WebVPN. Everything works fine, but I have a new task. I have 2 different policy groups on the 3745 for SSL VPN (WebVPN) - policy_1 and policy_2. The 3745 checks user credentials on the RADIUS server (Microsoft IAS). My task is to configure the RADIUS server to send an attribute (with the group name, for example policy_2) to the 3745 to put the user in the specific group policy, depending on RADIUS and AD policies. How can I do it? I have already tried to configure the Class Attribute (number 25) with "OU=policy_2;", but it's not working. What could be the solution?

By the way, I have found these links, but they are useless:

http://www.cisco.com/en/US/partner/products/ps6441/products_feature_guide09186a00805eeaea.html#wp1055019

http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=D65895FAC04F9F15B364AE2BB606582F.SJ1A;jsessionid=D65895FAC04F9F15B364AE2BB606582F.SJ1A?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%...

2) How can I disable the pop-up window (see attached image)? It pops up after I enter my username and password to log in to WebVPN!

Thnx in advance!

8 Replies

kevinsoliz
Level 1

Unfortunately I don't have an answer for you concerning your question, but maybe you can help me with something...

I have an 1811 also doing WebVPN with the RADIUS/IAS solution. I also have an IPsec policy using the same authentication, but on the WebVPN I keep getting errors about the self-signed certificate. I can log in to the WebVPN, but when it gets to verifying the digital cert it errors out, even after I import it. Did you have this issue? I'm thinking I have to have a real cert signed by a trusted authority, is that correct?

Thanks,

Kevin Soliz

Hallo kevinsoliz, unfortunately I can't help you. Right now I'm using the IOS self-signed certificate. I also have our CA certificate installed on the router, but WebVPN doesn't work with it (I don't know why? 8-)

Hi Dmitri, I had the issue of a CA certificate not working on my router with WebVPN.

It was fixed for me by:

* changing the router hostname and domain-name to match the certificate;
* confirming that the router date and time settings were correct;
* using SDM 2.4, I generated a new CSR for the CA certificate, using the same CA details (it has to be the same FQDN);
* then I got the certificate re-issued and installed it onto the router using SDM.

Using the SDM wizard, I had to first install the CA root certificate, then the router certificate. Now I don't get any certificate warnings when I log in :-)

I hope that this helps.

Hallo! Thank you for your reply! Can you describe more exactly which request you entered on the CA? SDM generates the request without such things as (----BEGIN REQUEST---- and ----END REQUEST----). Did you enter it? And what kind of certificate did you choose? (I have tried choosing Router offline certificate request)

Thnx in advance!

Hi - I can't remember all the steps, but here goes.

When I used the SDM, I went into the configuration / VPN / VPN Components / Public Key Infrastructure / Certificate Enrollment section.

I chose the Cut-and-Paste Certificate Wizard and went through it to generate a CSR, which I sent off to my CA (Equifax), who sent me back the ----BEGIN REQUEST --- info.

I also exported my CA's certificate as a base64 .cep file by opening up IE and, under the tools / internet options / content tab / certificates button / trusted root certification authorities tab, selecting my CA and exporting it to a local drive.

I ran the cut-and-paste certificate wizard again to finish off the enrollment, using my router certificate (the ----BEGIN REQUEST --- info) as well as the .cep file for my CA.

My config looks like this:

! Trustpoint for the SSL VPN certificate; enrolment is done by pasting the
! CSR and issued certificate at the terminal (the cut-and-paste wizard)
crypto pki trustpoint SSLCert
 enrollment terminal
 serial-number none
 fqdn xxx.abc.com
 ip-address none
 password 7 xxxxxxxxxxxxxxx
 subject-name O=companyname, CN=xxx.abc.com, C=GB, E=qwerty@email.com
 ! Consult the CA's CRL when validating certificates
 revocation-check crl
 rsakeypair SDM-RSAKey-46456567778
!
! Certificate chain for the trustpoint; the router certificate is kept in NVRAM
crypto pki certificate chain SSLCert
 certificate 598743 nvram:EquifaxSecur#27B3.cer

I hope that this helps,

Hi Kevin,

Have you got a loopback adapter on your router with an IP address set within the address range pool that you have assigned to your webvpn clients?

I saw this solution in another post and it worked for me.

Good luck...

Really, that's all there was to it?

I'll give that a shot, I currently don't have a loopback interface configured.

Hot damn dude, you were right :-)

Configured a loopback in the same address space for the VPN and voilà, connection!

I assume this works because there wasn't a routed interface configured for the VPN users. When I originally set up the IPsec stuff I just created a permit list via an ACL to define the network, a simple class C.

I'm thinking about redoing it and creating a proper VPN DHCP pool with a routed interface then ACLing it off.

I don't think I'd need the loopback if I went that route... What do you think?

Thanks again.
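The loopback fix suggested above and confirmed in Kevin's follow-up, written out as a minimal IOS full-tunnel (SVC) WebVPN configuration with RADIUS authentication. This is an added example, not configuration posted by anyone in this thread; the pool, loopback, gateway and RADIUS server addresses are constructed documentation-range values, the RADIUS key and SVC package path are placeholders, and the only value reused from the thread is the SSLCert trustpoint name.

```cisco
! Added example with constructed values; not from the thread.
aaa new-model
aaa authentication login WEBVPN-AUTH group radius
! IAS/RADIUS server; replace the key placeholder with the real shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! Address pool handed out to full-tunnel (SVC) clients
ip local pool WEBVPN-POOL 10.10.10.10 10.10.10.250
!
! Loopback with an address inside the pool's /24 (the fix from the replies):
! it gives the router a connected route for the pool subnet, so traffic
! returning to client addresses has a route and is forwarded into the tunnel
interface Loopback0
 description WebVPN client pool subnet
 ip address 10.10.10.1 255.255.255.0
!
! SVC client package; path is a placeholder for wherever it is stored on flash
webvpn install svc flash:/webvpn/svc.pkg
!
! HTTPS gateway terminating the SSL VPN, using the SSLCert trustpoint
! from the enrolment config earlier in the thread
webvpn gateway SSL-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint SSLCert
 inservice
!
webvpn context SSL-CTX
 gateway SSL-GW
 ! Users are authenticated against RADIUS via the login list above
 aaa authentication list WEBVPN-AUTH
 policy group policy_1
  functions svc-enabled
  svc address-pool "WEBVPN-POOL"
  ! Only the internal LAN is tunnelled; other traffic stays on the client's local path
  svc split include 192.168.1.0 255.255.255.0
 default-group-policy policy_1
 inservice
```

Without the loopback (or another interface) in the pool subnet the router has no route for 10.10.10.0/24, which matches the connection failure described in the thread.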
