The trouble is with authentication. Cisco changed the whole command syntax in recent IOS versions, so there are NO "webvpn context" subconfig modes and commands anymore. Almost every document I found on the Cisco site references the old command structure and is useless for my IOS version.
The main point is that I haven't found a single command that configures webvpn authentication, be it AAA or local. The site does open, but I cannot log in. Regarding this, here are the lines that appear in the router log. BTW, it is a 2811 with the advanced security IOS.
AAA/AUTHEN/LOGIN (00000000): Pick method list 'Permanent Local'
SSLVPN: User: SOMEUSER password: ******* is sent to AAA for authentication
SSLVPN: AAA Authentication Failed !
I have Cisco ACS configured and working in my network, but I can't configure the router to work with it.
Here is the config:
webvpn enable gateway-addr x.x.x.x
ssl encryption 3des-sha1
ssl trustpoint TP-self-signed-417989771
login-message "login please..."
heading "some urls"
url-text "some url" url-value some-server
This is enough for the webvpn site to come up. But authentication won't work. Look at the commands available in webvpn subconfig mode:
SSLVPN Submode commands:
exit Exit from SSLVPN mode
idle-timeout Idle timeout in seconds
login-message Login messsage to be displayed
logo Logo file to be displayed
no Negate or set default values of a command
port-forward Port forwarding
secondary-color Secondary color for the browser
secondary-text-color Secondary text color for the browser
session-timeout Session timeout in seconds
ssl SSL related configuration
text-color Text color for the browser
title Title to be displayed on the browser
title-color Title color for the browser
url-list URL list configuration submode
There is no authentication command whatsoever. In earlier IOS versions, when one enters webvpn context subconfig mode, there is a command "aaa authentication ..." and everything is easy to configure.
It seems that IOS is trying to find a method list configured for webvpn, but it cannot find one, so it goes for the default "Permanent Local", as stated in the router log.
Any help is appreciated. I have been trying for days to solve the problem, and even asked some other Cisco guys, but no one knows this new IOS syntax.
After reading these posts and a few chapters from various books, I found out that every time the default AAA method list was used for login authentication. I didn't have this command on my router, because I was using several named lists for various purposes. When I entered
aaa authentication login default group someACSgroup local
login started to work!
Basically, the problem appeared because there is no command (or I haven't found it) for picking a specific named AAA method list; the router is using the default one.
So, either this is a bug, or some kind of strange IOS developer logic, or I am still missing something...
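The fix described in the post above, written out as a complete AAA plus webvpn configuration. This is an added example, not the poster's running config: the server group name ACS-TACACS, the ACS address 10.0.0.5, the shared key ACSKEY, the gateway address 192.0.2.1 and the local fallback account are placeholders, and the trustpoint name is taken from the poster's config. The "before" line shows the named-list-only setup that left webvpn on the "Permanent Local" method seen in the posted log; the "after" line is the default list that made login work.

```cisco
! Added example, not the poster's configuration. Addresses, names and keys
! are placeholders.
aaa new-model
!
! Local fallback account, used only when ACS is unreachable (the trailing
! "local" keyword on the method lists below).
username admin privilege 15 secret ChangeMeNow
!
! ACS reachable over TACACS+.
tacacs-server host 10.0.0.5 key ACSKEY
aaa group server tacacs+ ACS-TACACS
 server 10.0.0.5
!
! BEFORE: only named lists existed. This webvpn syntax has no per-context
! "aaa authentication" command, so webvpn never used VTY-ACS and fell back
! to "Permanent Local", and every portal login failed.
aaa authentication login VTY-ACS group ACS-TACACS local
!
! AFTER: a default login list. webvpn picks this up without any further
! webvpn-side command.
aaa authentication login default group ACS-TACACS local
!
! Caveat: "default" now also governs console and vty logins on every line
! that has no named list bound to it. Keep the console on local credentials
! so an ACS outage cannot lock you out:
aaa authentication login CONSOLE-LOCAL local
line con 0
 login authentication CONSOLE-LOCAL
!
! webvpn portal (same command family the poster is using).
webvpn enable gateway-addr 192.0.2.1
webvpn
 ssl trustpoint TP-self-signed-417989771
 ssl encryption 3des-sha1
 login-message "login please..."
```

To confirm which list a login is hitting, run `debug aaa authentication` and watch for the "Pick method list" line: with the configuration above it should name 'default' rather than 'Permanent Local', and a failure at that point then indicates an ACS-side problem (key mismatch, user not authorized) rather than a missing method list.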
Can you tell me what IOS version you have? You know, I tried again to enter the "webvpn context" and "webvpn install" commands, and it just doesn't understand them. My IOS is ADVSEC; now webvpn works, but these commands don't. I don't have the "inservice" command either. Webvpn starts to work right after typing "webvpn enable" and there is no need for an inservice command.