Cisco Support Community
AnyConnect SSL-client Certificate AND AAA RADIUS

Hi All,

I'm trying to set up the AnyConnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register, etc., with a username / password.

I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...

Here are some relevant log messages I'm getting:

Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session

Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..

Certificate chain was successfully validated with warning, revocation status was not checked.

Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.

Device completed SSL handshake with client outside:72.91.xx.xx/42501

Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate

Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance

Relevant Config:

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 authentication-server-group RADIUS
 default-group-policy GroupPolicy1
tunnel-group SSLClientProfile webvpn-attributes
 authentication aaa certificate
 radius-reject-message
 pre-fill-username ssl-client
 group-alias SSLClientProfile enable
 group-url https://URL enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 wins-server none
 dns-server value <ip1> <ip2>
 vpn-tunnel-protocol ssl-client
 default-domain value xxxxxxxx
 address-pools value VPNPOOL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.102.242
 key *****
aaa-server RADIUS (inside) host 192.168.240.242
 key *****

ASA version 8.4

What am I doing wrong? It will not send the request to the AAA server, which is very much frustrating me...

2 REPLIES
AnyConnect SSL-client Certificate AND AAA RADIUS

Progress...

I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

AnyConnect SSL-client Certificate AND AAA RADIUS

Winning!

So apparently the username = password in this case...
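To make the final answer concrete, here is an added example (not code from the thread or from Cisco) that builds and decodes the RFC 2865 Access-Request the thread ends up describing: certificate-only authentication with RADIUS authorization, User-Name taken from the certificate CN (as pre-fill-username ssl-client does), and User-Password set to that same string. The subject DN is the one from the poster's syslog line; the shared secret and NAS address are constructed placeholders. The decoder is what you would run against a packet capture between the ASA and ACS to confirm exactly which username and password arrive at the server.

```python
import hashlib
import os
import struct

# RFC 2865 codes and attribute types used below.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

# Subject DN copied from the syslog line in the thread; the secret and NAS
# address are constructed placeholders, not the poster's real values.
SAMPLE_SUBJECT = "cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc.."
SHARED_SECRET = b"example-shared-secret"
NAS_IP = "192.168.102.1"


def cn_from_subject(subject_dn):
    """Pull the CN out of an LDAP-style DN, as pre-fill-username ssl-client
    does by default. Splits on commas, so a DN with escaped commas would
    need a real DN parser."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() == "cn":
            return value.strip()
    raise ValueError("subject has no CN")


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16,
    then XOR each block with MD5(secret + previous ciphertext block),
    seeded with the Request Authenticator."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; this is what the RADIUS server does."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, identifier=1,
                         authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attribute(ATTR_USER_NAME, username.encode())
        + attribute(ATTR_USER_PASSWORD,
                    hide_password(password.encode(), secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS,
                    bytes(int(octet) for octet in nas_ip.split(".")))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Decode the fields a server sees; use it on a captured request to
    check what the appliance actually put on the wire."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    fields = {"code": code, "identifier": identifier, "length": length}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            fields["user_name"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            fields["user_password"] = reveal_password(
                value, secret, authenticator).decode(errors="replace")
        elif attr_type == ATTR_NAS_IP_ADDRESS:
            fields["nas_ip"] = ".".join(str(b) for b in value)
        pos += attr_len
    return fields


def asa_authorization_request(subject_dn, secret=SHARED_SECRET, nas_ip=NAS_IP):
    """The request the thread describes: certificate-only authentication,
    RADIUS authorization, User-Name = certificate CN, User-Password = CN."""
    cn = cn_from_subject(subject_dn)
    return build_access_request(cn, cn, secret, nas_ip)


if __name__ == "__main__":
    pkt = asa_authorization_request(SAMPLE_SUBJECT)
    print(parse_access_request(pkt, SHARED_SECRET))
```

Two things worth keeping in mind on the server side: because the User-Password is derivable from the certificate CN, the phone's account on ACS should be used for authorization only, with the actual proof of identity coming from the certificate validation on the ASA; and the RFC 2865 hiding above is an MD5-based stream that depends entirely on the shared secret, so keep the RADIUS path on an inside interface as the poster's config already does.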
