Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Router WebVPN and client certificate

Hello!

In my test lab I can't to make work my webvpn configuration =\

I have several components: MS AD, MS CS (but without NDES), router 2911 and client computer. Client and router have a certificate from MS CS. In my configuration I use authentication by certificate or aaa (LDAP) and authentication by aaa working good. But authentication by client certificate doesn't work. And my internal https services don't work also -  "Invalid or no certificate", but this strange because I imported CA certificate for this.

Can you help me make it works?

My 2911 version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)

My Config:

aaa authentication login webvpn group ldap local

ip local pool webvpn 192.168.200.1 192.168.200.254

bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd

webvpn gateway vpn

ip address <ip address> port 4443

ssl trustpoint root-ca

inservice

!

webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1

!

webvpn context employee

ssl authenticate verify all

!

login-message "VPN Portal"

!

policy group policy1

   url-list "inside"

   functions svc-enabled

   filter tunnel VPN-SPLIT

   svc address-pool "webvpn" netmask 255.255.255.0

   svc default-domain "domain.com"

   svc keep-client-installed

   svc split dns "domain.com"

   svc split include 192.168.0.0 255.255.0.0

   svc dns-server primary 192.168.1.1

   svc dns-server secondary 192.168.1.2

   citrix enabled

virtual-template 1

default-group-policy policy1

aaa authentication list webvpn

gateway vpn

authentication certificate

username-prefill

ca trustpoint root-ca

user-profile location flash0:/userprof

inservice

!

crypto pki trustpoint root-ca

enrollment terminal

revocation-check none

rsakeypair root-ca

!

I imported certificate from pkcs12 with CA certificate.

From my debug (this is happend then i try to access to my webvpn portal and I choose my certificate from MS CS for access)

Jun  5 11:22:39: WV: validated_tp :  cert_username :  matched_ctx :

Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl

Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl

Jun  5 11:22:39: WV: Error: No certificate validated for the client

Can anybody explain me why it doesn't work?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Router WebVPN and client certificate

Solved by IOS upgrade - to version 15.2(4)M2.

Regards

3 REPLIES
New Member

Router WebVPN and client certificate

Hi,

did you find any solution for this? As I am in it seems the same situation now.

I am testing it with Cisco 2911 - IOS version 151-3.T4 and last anyconnect client for Android (Samsung Galaxy S III mobile)

Thanx for any advice/help

Pavel

New Member

Router WebVPN and client certificate

Hello!

Sorry, but i didn't find answer for this question...I use login/password authentication and anyconnect for my internal https sites.

New Member

Router WebVPN and client certificate

Solved by IOS upgrade - to version 15.2(4)M2.

Regards

2840
Views
0
Helpful
3
Replies
CreatePlease to create content