09-13-2010 11:18 AM
Hi there,
I have successfully configured WebVPN using client-side certificate-based authentication and AAA. But when I use the username-prefill command, I always get "login" as the username. How can I configure the IOS to get the UPN from the certificate?
Thanks.
Nuno Vaz
09-13-2010 12:11 PM
What version of code are you testing with?
09-14-2010 01:38 AM
I'm using IOS Version 15.0(1)M3
11-14-2010 09:13 AM
I upgraded the IOS to version 15.0(1)M3 and the problem remains the same.
After choosing the certificate to use, in the WebVPN login page the username field is locked and empty. I enter the password for the user in the certificate and get this debug:
*Nov 14 16:48:51.183: CRYPTO_PKI: Adding peer certificate
*Nov 14 16:48:51.187: CRYPTO_PKI: Check for identical certs
*Nov 14 16:48:51.187: CRYPTO_PKI: Create a list of suitable trustpoints
*Nov 14 16:48:51.187: CRYPTO_PKI: Suitable trustpoints are: ************,
*Nov 14 16:48:51.187: CRYPTO_PKI: Attempting to validate certificate using ***************
*Nov 14 16:48:51.203: CRYPTO_PKI: Certificate is verified
*Nov 14 16:48:51.203: CRYPTO_PKI: Checking certificate revocation
*Nov 14 16:48:51.215: CRYPTO_PKI: Certificate validation succeeded PASSING appctx is [0x***************
*Nov 14 16:49:05.711: AAA/AUTHEN/LOGIN (00000000): Pick method list '***************'
*Nov 14 16:49:05.711: WV-AAA: AAA authentication request sent for user: "Login"
*Nov 14 16:49:07.715: WV-AAA: AAA Authentication Failed!AAA authentication request sent for user: "Login"
The username of the user isn't "Login". Where is the IOS getting this value from?
In Cisco ASA there is a command that allows you to choose the certificate field to be used as the username. Is there any command for this on IOS?
Can anybody help me?
Thanks in advance.
06-29-2012 04:41 PM
I have the same issue if I use both of these commands together: "authentication certificate aaa" and "username-prefill".
I run IOS version 15.1(3)T1
Btw, Certificate-Only Authentication and Authorization Mode also doesn't work, because the router can't take "cert_username" from a certificate. It always appears as empty in the debug:
002542: Jun 30 03:32:01.622 MSK: WV: validated_tp : cert_username : matched_ctx :
002543: Jun 30 03:32:01.622 MSK: WV: Received appinfo
validated_tp : corpca, matched_ctx : ,cert_username :
002544: Jun 30 03:32:01.622 MSK: WV: Trustpoint match successful
002545: Jun 30 03:32:01.622 MSK: WV: Extracted username: pass: ?
Does anybody have working client certificate authentication on IOS routers?
05-25-2015 11:53 PM
You can add configuration like "authorization username subjectname commonname" to the trustpoint used for authenticating the client cert.
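For reference, here is what the answer above amounts to as a complete configuration fragment. This is an added example, not a configuration posted in the thread: the trustpoint name CLIENTCA, the context name SSLVPN and the AAA method list name SSLVPN-AAA are placeholders, and the enrollment and revocation settings are assumptions that you should replace with your own.

```cisco
! Added example, not from the thread. CLIENTCA, SSLVPN and SSLVPN-AAA
! are placeholder names; adjust enrollment and revocation to your PKI.
crypto pki trustpoint CLIENTCA
 enrollment terminal
 revocation-check crl
 ! Derive the username handed to AAA from the client certificate's
 ! Subject CN, instead of the literal "Login" seen in the debug above.
 authorization username subjectname commonname
!
webvpn context SSLVPN
 ! Validate the presented client certificate against CLIENTCA.
 ca trustpoint CLIENTCA
 aaa authentication list SSLVPN-AAA
 ! Certificate first, then a password prompt that goes to AAA.
 authentication certificate aaa
 ! Lock the username field and fill it from the certificate.
 username-prefill
 inservice
```

With the subjectname mapping in place, the same "debug webvpn aaa" output that the posters quoted should show the certificate's CN in the "AAA authentication request sent for user:" line rather than "Login". Note that this maps the Subject CN, not the UPN from the SAN extension that the original question asked about; if your certificates only carry the user identity in the UPN, check what the CN of your client certificates actually contains before relying on this.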