1) I have 3745 and i'm configuring webVPN. Everything works fine, but i have a new task. I have 2 different policy groups on the 3745 fo SSL VPN (webVPN) - policy_1 and policy_2. 3745 checks users credentials on the RADIUS server (Microsoft IAS). My task is to configure RADIUS server to send attribute (with group name, for example policy_2) to 3745 to put user in the specific group policy, depending on RADIUS and AD policies. How can i do it? I have already tried to configure Class Atribute (number 25) with this "OU=policy_2;" , but it's not working. What could be the solution?
By the way i have found this links, but they are useless:
2) How can i disable pop-up window (see attached image)& it pop-ups after i enter my username and password for logging in webVPN!
Thnx in advance!
Unfortunately I dont have an answer for you concerning your question but maybe you can help me with something...
I have an 1811 also doing WebVPN with the RADIUS/IAS solution. I also have an IPSEC policy using the same authentication but on the WebVPN I keep getting errors about the self-signed certificate. I can login into the WebVPN but when its gets to verifying the digital cert it errors out even after I import it. Did you have this issue? I'm thinking I have to have a real cert signed by a trusted authority, is that correct?
Hallo kevinsoliz, unfortunalety i can't help you. Right now i'm using IOS self-signed certificate. Also i have our CA certificate installed on the router, but webVPN doesn't work with it (i don't know why? 8-)
Hi Dmitri, i had the issue of having a CA certificate not working on my router with webvpn.
It was fixed for me by:
* changing the router hostname and domain-name to match the certificate;
* confirm that the router date and time settings were correct;
* using SDM 2.4, i generated a new CSR for the CA certificate, using the same CA details (has to be same FQDN);
* then i got the certificate re-issued and installed it onto the router using SDM.
Using the SDM wizard, i had to first install the CA root certificate, then the router certificate. Now i don't get any certificate warnings when i login :-)
I hope that this helps.
Hallo! Thank you for your reply! Can you define more exactly which request you entered on the CA? SDM generates request without such things as (----BEGIN REQUEST---- and ----END REQUEST----). Have you entered it? And what kind of certificate do you choose? (i have tried to choose Router offline certificate request)
Thnx in advance!
Hi - I can't remember all the steps, but here goes.
When i used the SDM, i went into configuration / VPN / VPN Components / Public Key Infrastructure / Certificate Enrollment section.
I chose the Cut-and-Paste Certificate Wizard and went through it to generate a CSR which i sent off to my CA (Equifax) who sent me back the ----BEGIN REQUEST --- info.
I also exported my CA's certificate as a base64 .cep file by opening up IE and under the tools / internet options / content tab / certificates button / trusted root certification authorities tab, and selecting my CA and exporting it to a local drive.
I ran again the cut-and-paste certificate wizard to finish off the enrollment using my router certificate (the ----BEGIN REQUEST --- info) as well as the .cep file for my CA.
My config looks like this:
crypto pki trustpoint SSLCert
password 7 xxxxxxxxxxxxxxx
subject-name O=companyname, CN=xxx.abc.com, C=GB, Eemail@example.com
crypto pki certificate chain SSLCert
certificate 598743 nvram:EquifaxSecur#27B3.cer
I hope that this helps,
Have you got a loopback adapter on your router with an IP address set within the address range pool that you have assigned to your webvpn clients?
I saw this solution in a another post and it worked for me.
Hot damn dude, you were right :-)
configured a loopback in the same address space for the VPN and vola, connection!
I assume this works because there wasnt a routed interface configured for the VPN users. When I originally setup the IPSEC stuff I just created a permit list via an ACL to define the network, a simple class C.
I'm thinking about redoing it and creating a proper VPN DHCP pool with a routed interface then ACLing it off.
I don't think I'd need the loopback if I went that route... What do you think?