SSL VPN AAA trouble with IOS 12.4(18)

Unanswered Question
Sep 7th, 2008

The trouble is with authentication. Cisco changed the whole command syntax in recent IOS versions, so there is NO "webvpn context" subconfig mode and its commands anymore. Almost every document I found on the Cisco site references the old command structure and is useless for my IOS version.


The main point is that I haven't found a single command that configures webvpn authentication, be it AAA or local. The site does open, but I cannot log in. Regarding this, here are the lines that appear in the router log. BTW, it is a 2811 with the advanced security IOS.


AAA/AUTHEN/LOGIN (00000000): Pick method list 'Permanent Local'
SSLVPN: User: SOMEUSER password: ******* is sent to AAA for authentication
SSLVPN: AAA Authentication Failed !


I have Cisco ACS configured and working in my network, but I can't configure the router to work with it.


Here is the config:


webvpn enable gateway-addr x.x.x.x
!
webvpn
 ssl encryption 3des-sha1
 ssl trustpoint TP-self-signed-417989771
 title "Welcome..."
 login-message "login please..."
 url-list URL_list
  heading "some urls"
  url-text "some url" url-value some-server


This is enough for the webvpn site to come up. But authentication won't work. Look at the commands available in webvpn subconfig mode:


RTinternet(config)#webvpn
RTinternet(config-webvpn)#?
SSLVPN Submode commands:
  exit                  Exit from SSLVPN mode
  idle-timeout          Idle timeout in seconds
  login-message         Login messsage to be displayed
  logo                  Logo file to be displayed
  no                    Negate or set default values of a command
  port-forward          Port forwarding
  secondary-color       Secondary color for the browser
  secondary-text-color  Secondary text color for the browser
  session-timeout       Session timeout in seconds
  ssl                   SSL related configuration
  text-color            Text color for the browser
  title                 Title to be displayed on the browser
  title-color           Title color for the browser
  url-list              URL list configuration submode


There is no authentication command whatsoever. In earlier IOS versions, when one enters webvpn context subconfig mode, there is a command "aaa authentication ..." and everything is easy to configure.


It seems that IOS is trying to find a method list configured for webvpn, but it cannot find one, so it goes for the default "permanent local", as stated in the router log.


Any help is appreciated. I have been trying for days to solve the problem, and even asked some other Cisco guys, but no one knows this new IOS syntax.



Marwan ALshawi Mon, 09/08/2008 - 02:31

Do you have:

(config)# webvpn context SecureMeContext
(config-webvpn-context)# aaa authentication list sslvpn
(config-webvpn-context)# gateway SecureMeGW domain securemeinc
(config-webvpn-context)# inservice
(config-webvpn-context)# max-users 100



Bojan Zivancevic Mon, 09/08/2008 - 02:47

No, as I said in my first post, there is no such command in this IOS version. You can't enter the "webvpn context" command at all. Look:


RTinternet(config)#webvpn ?
  enable  Enable webvpn


You just type "webvpn", hit "enter" and you are in webvpn config mode:


RTinternet(config)#webvpn
RTinternet(config-webvpn)#


Once you are in there, there is no command related to authentication. Check my first post, you will see what commands are available.



joe@affirmedsys... Mon, 09/08/2008 - 06:15

I think you are using an IOS version that does not support webvpn. I deployed the IOS AnyConnect SSL VPN on the VERY LATEST IOS last week:


!
aaa new-model
!
aaa authentication login default local line
aaa authorization network defaultvpn local
!
ip local pool sslvpnpool 10.1.30.50 10.1.30.100
!
webvpn gateway company
 hostname company_RTR_1
 ip address 64.12.220.210 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-1602173945
 logging enable
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn context company-context
 title "company Capital Secure Portal: Unathorized Access Prohibited"
 ssl authenticate verify all
 !
 login-message "This is a secure system, unauthorized access prohibited"
 !
 policy group company-policy
  functions svc-required
  banner "Login Successful"
  hide-url-bar
  timeout idle 1800
  timeout session 86400
  filter tunnel sslvpnsplit
  svc address-pool "sslvpnpool"
  svc default-domain "company.local"
  svc keep-client-installed
  svc dpd-interval gateway 30
  svc rekey time 28800
  svc rekey method new-tunnel
 default-group-policy company-policy
 aaa authentication list default
 aaa authorization list defaultvpn
 gateway company
 max-users 25
 logging enable
 inservice

Bojan Zivancevic Mon, 09/08/2008 - 06:55

@everyone who replied


After reading these posts and a few chapters from various books, I found out that every time the default AAA method list was used for login authentication. I didn't have this command on my router, because I was using several named lists for various purposes. When I entered


aaa authentication login default group someACSgroup local


login started to work!


Basically, the problem appeared because there is no command (or I haven't found it) for picking a specific named AAA method list; the router is using the default one.


So, either this is a bug, or some kind of a strange IOS developer logic, or I am still missing something out...


@joe


Can you tell me which IOS version you have? You know, I tried again to enter the "webvpn context" and "webvpn install" commands, and it just doesn't understand them. My IOS is ADVSEC; now webvpn works, but these commands don't. I don't have the "inservice" command either. Webvpn starts to work just after typing "webvpn enable" and there is no need for the inservice command.


Thanks anyway for the help guys!
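The working arrangement the thread arrives at (legacy webvpn on this IOS picks the default login method list, so that list is pointed at ACS with local fallback), written out as an added configuration example rather than any poster's own config. The server group name ACS-GROUP, the RADIUS address and key, the CONSOLE/VTY list names and the local username are assumptions; the webvpn lines reuse the values from the first post.

```cisco
! Added example, not from this thread. Assumed: ACS-GROUP, 192.0.2.10,
! the shared key, the CONSOLE/VTY list names and the local fallback user.
aaa new-model
!
! Cisco ACS reached over RADIUS (assumption; TACACS+ works the same way).
aaa group server radius ACS-GROUP
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 0 EXAMPLE-SHARED-KEY
!
! Legacy webvpn on 12.4(18) has no "aaa authentication list" under "webvpn",
! so SSL VPN logins use the DEFAULT login list. Without this line the log shows
! "Pick method list 'Permanent Local'" and the AAA authentication fails.
aaa authentication login default group ACS-GROUP local
!
! "default" now applies to every login that has no named list, including the
! console and vty lines. Keep administrative access on explicit named lists so
! the webvpn change does not silently alter how administrators log in.
aaa authentication login CONSOLE local
aaa authentication login VTY group ACS-GROUP local
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY
!
! Local account that the "local" fallback in the lists will use if ACS is unreachable.
username admin privilege 15 secret 0 CHANGE-ME
!
! Values taken from the first post; no "inservice" or "context" exists on this IOS.
webvpn enable gateway-addr x.x.x.x
webvpn
 ssl encryption 3des-sha1
 ssl trustpoint TP-self-signed-417989771
 title "Welcome..."
 login-message "login please..."
```

After applying it, a test login should produce an AAA/AUTHEN/LOGIN line that picks the 'default' list instead of 'Permanent Local'.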
