SSL VPN AAA trouble with IOS 12.4(18)

Unanswered Question
Sep 7th, 2008

The trouble is with authentication. Cisco changed whole command syntax in recent IOS versions, so there is NO "webvpn context" subconfig modes and commands anymore. Almost every document I found on Cisco site references the old command structure and is useless for my IOS version.

The main point is that I haven't found single command that configures webvpn authentication, be it AAA or local. The site does open, but I cannot log in. Regarding this, here are the lines that appear in router log. BTW, it is 2811 with advanced security IOS.

AAA/AUTHEN/LOGIN (00000000): Pick method list 'Permanent Local'

SSLVPN: User: SOMEUSER password: ******* is sent to AAA for authentication

SSLVPN: AAA Authentication Failed !

I have Cisco ACS configured and working in my network, but I can't configure the router to work with it.

Here is the config:

webvpn enable gateway-addr x.x.x.x

webvpn

ssl encryption 3des-sha1

ssl trustpoint TP-self-signed-417989771

title "Welcome..."

login-message "login please..."

url-list URL_list

heading "some urls"

url-text "some url" url-value some-server

This is enough for webvpn site to come up. But authentication won't work. Look at the commands available in webvpn subconfig mode:

RTinternet(config)#webvpn

RTinternet(config-webvpn)#?

SSLVPN Submode commands:

exit Exit from SSLVPN mode

idle-timeout Idle timeout in seconds

login-message Login messsage to be displayed

logo Logo file to be displayed

no Negate or set default values of a command

port-forward Port forwarding

secondary-color Secondary color for the browser

secondary-text-color Secondary text color for the browser

session-timeout Session timeout in seconds

ssl SSL related configuration

text-color Text color for the browser

title Title to be displayed on the browser

title-color Title color for the browser

url-list URL list configuration submode

There is no authentication command whatsoever. IN earlier IOS version, when one enters webvpn context subconfig mode, there is a command "aaa authentication ..." and everything is easy to configure.

It seems that IOS is trying to find a method list configured for webvpn, but it cannot find one, so it goes for default "permanent local" - as it is stated in router log.

Any help is appreciated - I am trying for days to solve the problem, even asked some other Cisco guys, but noone knows this new IOS syntax.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marwan ALshawi Mon, 09/08/2008 - 02:31

do u have:

(config)# webvpn context SecureMeContext

(config-webvpn-context)# aaa authentication list sslvpn

(config-webvpn-context)# gateway SecureMeGW domain securemeinc

(config-webvpn-context)# inservice

(config-webvpn-context)# max-users 100

Bojan Zivancevic Mon, 09/08/2008 - 02:47

No, as I said in my first post, there is no such command in this IOS version. You can't enter "webvpn context" command at all. Look:

RTinternet(config)#webvpn ?

enable Enable webvpn

You just write "webvpn", hit "enter" and you are in webvpn config mode:

RTinternet(config)#webvpn

RTinternet(config-webvpn)#

Once you are in there, there is no command related to authentication. Check my first post, you will see what commands are available.

I think you are using a IOS version that does not support webvpn. I deployed the IOS anyconnect SSL vpn on the VERY LATEST IOS last week;

!

aaa new-model

!

!

aaa authentication login default local line

aaa authorization network defaultvpn local

!

!

ip local pool sslvpnpool 10.1.30.50 10.1.30.100

!

!

webvpn gateway company

hostname company_RTR_1

ip address 64.12.220.210 port 443

http-redirect port 80

ssl encryption 3des-sha1 aes-sha1

ssl trustpoint TP-self-signed-1602173945

logging enable

inservice

!

webvpn install svc flash:/webvpn/svc_1.pkg sequence 1

!

webvpn context company-context

title "company Capital Secure Portal: Unathorized Access Prohibited"

ssl authenticate verify all

!

login-message "This is a secure system, unauthorized access prohibited"

!

policy group company-policy

functions svc-required

banner "Login Successful"

hide-url-bar

timeout idle 1800

timeout session 86400

filter tunnel sslvpnsplit

svc address-pool "sslvpnpool"

svc default-domain "company.local"

svc keep-client-installed

svc dpd-interval gateway 30

svc rekey time 28800

svc rekey method new-tunnel

default-group-policy company-policy

aaa authentication list default

aaa authorization list defaultvpn

gateway company

max-users 25

logging enable

inservice

Bojan Zivancevic Mon, 09/08/2008 - 06:55

@everyone who replied

After reading these posts and few chapters from various books, I found out that every time the default AAA method list was used for login authentication. I didn't have this command on my router, because I was using several named lists for various puprposes. When I entered

aaa authentication login default group someACSgroup local

login started to work!

Basically, the problem appeared because there is no command (or I haven't found it) for picking up specific named AAA method list - the router is using the default one.

So, either this is a bug, or some kind of a strange IOS developer logic, or I am still missing something out...

@joe

Can you tell me what IOS version do you have? You know, I tried again to enter "webvpn context" and "webvpn install" commands, and it just doesn't understand them. My IOS is ADVSEC, now webvpn works, but these commands don't. I don't have "inservice" command either. Webvpn starts to work just after typing "webvpn enable" and there is no need ofr inservice command.

Thanks anyway for the help guys!

Actions

This Discussion