AnyConnect - Web Authentication required (Router IOS + dual authentication Certificate and AAA)
I am configuring WebVPN on a Cisco 3925e router with certificate and AAA authentication.
Versions of software I use:
C3925e = c3900e-universalk9-mz.SPA.152-4.M5.bin
AnyConnect = anyconnect-win-3.1.05170
OS = Windows 7 SP1
Configuring WebVPN with certificate authentication was successful, but there is some problem with the Windows version of AnyConnect. When a user tries to connect, AnyConnect shows a message like the one in the screenshot:
The user has to go to the WebVPN web portal, pass authentication, press the START button, and only after that does AnyConnect start connecting. This problem exists only if authentication with certificates is on and only with the Windows version of AnyConnect. AnyConnect with certificate authentication on mobile devices works great.
All certificates are valid and trusted.
I have webvpn debug output. The output below is from when AnyConnect tells us about "web authentication":
.Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event
.Jul 12 02:58:08.519: WV: Entering APPL with Context: 0x25BE6658, Data buffer(buffer: 0x26B38320, data: 0xC8F3798, len: 203, offset: 0, domain: 0)
.Jul 12 02:58:08.519: WV: http request: / with no cookie
.Jul 12 02:58:08.519: WV: validated_tp : cert_username : matched_ctx :
.Jul 12 02:58:08.519: WV: failed to get sslvpn appinfo from opssl
.Jul 12 02:58:08.519: WV: Error: No certificate validated for the client
.Jul 12 02:58:08.519: WV: Client side Chunk data written..buffer=0x26B38420 total_len=408 bytes=408 tcb=0x29C907E8
.Jul 12 02:58:08.519: WV: sslvpn process rcvd context queue event
When I passed web authentication through the web portal, the connection was established successfully; the debug is as follows:
.Jul 12 03:21:52.089: WV: sslvpn process rcvd context queue event
.Jul 12 03:21:52.089: WV: Entering APPL with Context: 0x25BE6AD8, Data buffer(buffer: 0x26B38320, data: 0xC83D798, len: 238, offset: 0, domain: 0)
.Jul 12 03:21:52.089: WV: Fragmented App data - buffered
.Jul 12 03:21:52.089: WV: Entering APPL with Context: 0x25BE6AD8, Data buffer(buffer: 0x26B38420, data: 0xC8E5418, len: 486, offset: 0, domain: 0)
.Jul 12 03:21:52.089: WV: http request: / with no cookie
.Jul 12 03:21:52.089: WV: validated_tp : WEBVPN cert_username : matched_ctx :
.Jul 12 03:21:52.089: WV: Received appinfo validated_tp : WEBVPN, matched_ctx : ,cert_username :
.Jul 12 03:21:52.089: WV: Trustpoint match successful
.Jul 12 03:21:52.089: WV: Client side Chunk data written..buffer=0x26B38240 total_len=196 bytes=196 tcb=0x29924B98
Here is part of my WebVPN configuration:
crypto pki trustpoint FOR_WEB_AND_VPN
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05170-k9.pkg sequence 1
webvpn gateway WebVPN-clients
 ip interface GigabitEthernet0/0.90 port 443
 http-redirect port 80
 ssl encryption rc4-md5
 ssl trustpoint FOR_WEB_AND_VPN
webvpn context WebVPN
 aaa authentication list webvpn
 aaa accounting list webvpn
 authentication certificate aaa
 ca trustpoint FOR_WEB_AND_VPN
 ssl authenticate verify all
 policy group webvpnpolicy
  svc address-pool "webvpn-pool" netmask 255.255.255.0
  svc default-domain "domain.local"
  svc split include 10.10.0.0 255.255.0.0
I have found a post (URL) whose author has exactly the same issue as mine. I tried all the suggestions given there, but I still have the same issue.
I really have no idea what's wrong, and I hope that somebody can help me find a solution to this problem.
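The two debug excerpts in the post differ in exactly one place: in the failing attempt the appinfo record carries an empty validated_tp and is followed by "No certificate validated for the client", while after the portal login the same request arrives with validated_tp WEBVPN and "Trustpoint match successful". The following Python script is an added example, not part of the original post or of any Cisco tool: it splits run-together "debug webvpn" output back into records and reports whether a session passed client-certificate validation and which trustpoint matched. The sample input is constructed from the excerpts above, trimmed to the relevant records; the record and appinfo regexes are my own assumptions about the format and only cover the line shapes seen in this thread.

```python
import re

# Constructed sample input: the two debug excerpts from the post above, trimmed to the
# relevant records and kept run together the way the forum extraction left them.
FAILED_ATTEMPT = (
    ".Jul 12 02:58:08.519: WV: http request: / with no cookie"
    ".Jul 12 02:58:08.519: WV: validated_tp : cert_username : matched_ctx : "
    ".Jul 12 02:58:08.519: WV: failed to get sslvpn appinfo from opssl"
    ".Jul 12 02:58:08.519: WV: Error: No certificate validated for the client"
)
SUCCESSFUL_ATTEMPT = (
    ".Jul 12 03:21:52.089: WV: http request: / with no cookie"
    ".Jul 12 03:21:52.089: WV: validated_tp : WEBVPN cert_username : matched_ctx : "
    ".Jul 12 03:21:52.089: WV: Trustpoint match successful"
)

# Assumed record format: an optional IOS clock-status marker ('.' or '*'), then month, day, time.
RECORD_RE = re.compile(r"[.*]?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}: ")
# Assumed appinfo format: names the trustpoint that validated the client certificate (empty on failure).
APPINFO_RE = re.compile(
    r"validated_tp :\s*(.*?)\s*cert_username :\s*(.*?)\s*matched_ctx :\s*(.*?)\s*$"
)
# Messages that mean the TLS client certificate was not accepted for this session.
FAILURE_MARKERS = ("No certificate validated", "failed to get sslvpn appinfo")


def split_records(blob):
    """Split run-together 'debug webvpn' output back into one record per entry."""
    starts = [m.start() for m in RECORD_RE.finditer(blob)]
    ends = starts[1:] + [len(blob)]
    return [blob[s:e].strip() for s, e in zip(starts, ends)]


def message_of(record):
    """Return the text after the 'WV: ' subsystem tag, or the whole record if the tag is absent."""
    return record.split(": WV: ", 1)[1] if ": WV: " in record else record


def assess(blob):
    """Summarise whether the session passed certificate validation and which trustpoint matched."""
    result = {"records": 0, "trustpoint": None, "cert_username": None,
              "cert_validated": False, "errors": []}
    for record in split_records(blob):
        result["records"] += 1
        msg = message_of(record)
        m = APPINFO_RE.search(msg)
        if m:
            # An empty field means no client certificate was validated for this request.
            result["trustpoint"] = m.group(1) or None
            result["cert_username"] = m.group(2) or None
        if "Trustpoint match successful" in msg:
            result["cert_validated"] = True
        if any(marker in msg for marker in FAILURE_MARKERS):
            result["errors"].append(msg)
    return result


if __name__ == "__main__":
    for name, blob in (("failed", FAILED_ATTEMPT), ("successful", SUCCESSFUL_ATTEMPT)):
        print(name, assess(blob))
```

Run against the two excerpts, the failed attempt reports no trustpoint and two error records, and the successful one reports trustpoint WEBVPN with cert_validated set. That narrows the question to what the Windows AnyConnect client presents in its TLS handshake compared with the browser session, rather than to the AAA side of the configuration.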
I had a similar problem but with a Cisco ASR 1006 and Flex VPN configuration. When I configured the "reconnect" option on the ASR, the AnyConnect software kept failing with Win7 (only Win7, I tested on MAC, Ubuntu and Win8 and everything was right with those). In some scenarios with a captive portal, I saw the "Web authentication required" message.
crypto ikev2 profile Perfil-IKEv2
 match identity remote key-id xxxxx
 identity local fqdn xxxxx
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint xxxxx
 aaa authentication eap LoginPorRadius
 aaa authorization group eap list NetworkPorRadius name-mangler MANGLAR
 aaa authorization user eap cached
 aaa accounting eap AccountingPorRadius
 virtual-template 1
 reconnect timeout 1800
I tested AnyConnect versions 3.0.0, 3.0.1 and 3.1.0, all unsuccessfully. Today I finally succeeded with AnyConnect version 4.0 on Win7.
I know it is not the same scenario, but it may be worth trying that version. It has been hard to find information about this error.