Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA - pki authorization for Mobile Security 3


Part of my config:

aaa-server CSACS (inside) host

retry-interval 3

key XXX

radius-common-pw CISCO_SECRET

tunnel-group my-cert type remote-access

tunnel-group my-cert general-attributes

address-pool vpnasa-admins

authorization-server-group CSACS

accounting-server-group CSACS

default-group-policy mypolicy


username-from-certificate CN

tunnel-group my-cert webvpn-attributes

group-alias MYSSL2 enable

tunnel-group my-cert ipsec-attributes

trust-point MY

isakmp ikev1-user-authentication none

All cert users are mapped to my-cert tunnel-group using tunnel-group-map.

On ACS i have user_cert with password CISCO_SECRET.

1. For ipsec this tunnel-group works perfect - i just need to use client certificate in cisco ipsec vpn client

(i do not need to do any xauth - its disabled)

2. For Mobile Security 3.0 client this does not work, i've enabled in svc profile option to select appripriate client certificate.

When the client select certificate i receive window with Group/username/password and - whatever i type - it's failed

3. Mobile Security Client 3.0 works fine for other groups when using PSK instead of cert

4. Mobile Security Client 3.0 works fine for my-cert group when i add "authentication-server-group CSACS"

(in such case in ACS logs i have at the same time two successfull record: one for authentication and another for authorization)

Why option 2 is not working ?

Some logs:

Mar  7 14:19:32 asa1 Mar 07 2012 14:19:55 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = user_cert

Mar  7 14:19:32 asa1 Mar 07 2012 14:19:55 asa1 : %ASA-6-716039: Group <DfltGrpPolicy> User <user_cert> IP <> Authentication: rejected, Session Type: WebVPN

It's like my connection is landing on DfltGrpPolicy, i guess MobileSecurity Client is not saying hello with certificate which is not mapped to my-cert group. But why ?

Thanx for any help

CreatePlease to create content