WebVPN on IOS and Client Side Certificate-Based Authentication

Unanswered Question
Sep 13th, 2010

Hi there,

I have successfully configured WebVPN using client side certificate-based authentication and AAA. But when i use the username-prefill command, I always get "login" as the username. How can I configure the IOS to get the UPN from the certificate?


Nuno Vaz

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
nunovaz Sun, 11/14/2010 - 09:13

I upgraded the IOS to version 15.0(1)M3 and the problem remains the same.

After choosing the certificate to use, in the WebVpn login page the username field is lock and empty. I enter the password for the user in the certificate and get this debug:

*Nov 14 16:48:51.183: CRYPTO_PKI: Adding peer certificate
*Nov 14 16:48:51.187: CRYPTO_PKI: Check for identical certs
*Nov 14 16:48:51.187: CRYPTO_PKI: Create a list of suitable trustpoints
*Nov 14 16:48:51.187: CRYPTO_PKI: Suitable trustpoints are: ************,
*Nov 14 16:48:51.187: CRYPTO_PKI: Attempting to validate certificate using ***************
*Nov 14 16:48:51.203: CRYPTO_PKI: Certificate is verified
*Nov 14 16:48:51.203: CRYPTO_PKI: Checking certificate revocation
*Nov 14 16:48:51.215: CRYPTO_PKI: Certificate validation succeeded PASSING appctx is [0x***************
*Nov 14 16:49:05.711: AAA/AUTHEN/LOGIN (00000000): Pick method list '***************'
*Nov 14 16:49:05.711: WV-AAA: AAA authentication request sent for user: "Login"
*Nov 14 16:49:07.715: WV-AAA: AAA Authentication Failed!AAA authentication request sent for user: "Login"

The username of the user isn't "Login". Where is the IOS getting this value from?

In Cisco ASA there is a command that allows you to choose the certificate field to be used as username. Is any command for this on IOS ?

Can anybody help me ?

Thanks in advance.

aranyushkin Fri, 06/29/2012 - 16:41

I have the same issue if I use together these both commands "authentication certificate aaa" and "username-prefill"

I run IOS version 15.1(3)T1

Btw, Certificate-Only Authentication and Authorization Mode also doesn't work, because the router can't take "cert_username" from a certificate. It always appear as empty in debug:

002542: Jun 30 03:32:01.622 MSK: WV: validated_tp :  cert_username :  matched_ctx :

002543: Jun 30 03:32:01.622 MSK: WV: Received appinfo

validated_tp : corpca, matched_ctx : ,cert_username :

002544: Jun 30 03:32:01.622 MSK: WV: Trustpoint match successful

002545: Jun 30 03:32:01.622 MSK: WV: Extracted username:  pass: ?

Anybody has working client certificate authentication on IOS routers?

xinwan2 Mon, 05/25/2015 - 23:53

You can add configuration like  "authorization username subjectname commonname" for the trustpoint used for authenticating client cert.


This Discussion