New Member

SSL VPN AAA trouble with IOS 12.4(18)

The trouble is with authentication. Cisco changed the whole command syntax in recent IOS versions, so there are NO "webvpn context" subconfig modes and commands anymore. Almost every document I found on the Cisco site references the old command structure and is useless for my IOS version.

The main point is that I haven't found a single command that configures webvpn authentication, be it AAA or local. The site does open, but I cannot log in. Regarding this, here are the lines that appear in the router log. BTW, it is a 2811 with advanced security IOS.

AAA/AUTHEN/LOGIN (00000000): Pick method list 'Permanent Local'

SSLVPN: User: SOMEUSER password: ******* is sent to AAA for authentication

SSLVPN: AAA Authentication Failed !

I have Cisco ACS configured and working in my network, but I can't configure the router to work with it.

Here is the config:

webvpn enable gateway-addr x.x.x.x


ssl encryption 3des-sha1

ssl trustpoint TP-self-signed-417989771

title "Welcome..."

login-message "login please..."

url-list URL_list

heading "some urls"

url-text "some url" url-value some-server

This is enough for the webvpn site to come up. But authentication won't work. Look at the commands available in webvpn subconfig mode:



SSLVPN Submode commands:

exit Exit from SSLVPN mode

idle-timeout Idle timeout in seconds

login-message Login messsage to be displayed

logo Logo file to be displayed

no Negate or set default values of a command

port-forward Port forwarding

secondary-color Secondary color for the browser

secondary-text-color Secondary text color for the browser

session-timeout Session timeout in seconds

ssl SSL related configuration

text-color Text color for the browser

title Title to be displayed on the browser

title-color Title color for the browser

url-list URL list configuration submode

There is no authentication command whatsoever. In earlier IOS versions, when one enters webvpn context subconfig mode, there is a command "aaa authentication ..." and everything is easy to configure.

It seems that IOS is trying to find a method list configured for webvpn, but it cannot find one, so it goes for the default "permanent local" - as it is stated in the router log.

Any help is appreciated - I have been trying for days to solve the problem, even asked some other Cisco guys, but no one knows this new IOS syntax.


Re: SSL VPN AAA trouble with IOS 12.4(18)

Do you have:

(config)# webvpn context SecureMeContext

(config-webvpn-context)# aaa authentication list sslvpn

(config-webvpn-context)# gateway SecureMeGW domain securemeinc

(config-webvpn-context)# inservice

(config-webvpn-context)# max-users 100

New Member

Re: SSL VPN AAA trouble with IOS 12.4(18)

No, as I said in my first post, there is no such command in this IOS version. You can't enter "webvpn context" command at all. Look:

RTinternet(config)#webvpn ?

enable Enable webvpn

You just write "webvpn", hit "enter" and you are in webvpn config mode:



Once you are in there, there is no command related to authentication. Check my first post, you will see what commands are available.

joe Bronze

Re: SSL VPN AAA trouble with IOS 12.4(18)

I think you are using an IOS version that does not support webvpn. I deployed the IOS anyconnect SSL vpn on the VERY LATEST IOS last week:


aaa new-model



aaa authentication login default local line

aaa authorization network defaultvpn local



ip local pool sslvpnpool



webvpn gateway company

hostname company_RTR_1

ip address port 443

http-redirect port 80

ssl encryption 3des-sha1 aes-sha1

ssl trustpoint TP-self-signed-1602173945

logging enable



webvpn install svc flash:/webvpn/svc_1.pkg sequence 1


webvpn context company-context

title "company Capital Secure Portal: Unathorized Access Prohibited"

ssl authenticate verify all


login-message "This is a secure system, unauthorized access prohibited"


policy group company-policy

functions svc-required

banner "Login Successful"


timeout idle 1800

timeout session 86400

filter tunnel sslvpnsplit

svc address-pool "sslvpnpool"

svc default-domain "company.local"

svc keep-client-installed

svc dpd-interval gateway 30

svc rekey time 28800

svc rekey method new-tunnel

default-group-policy company-policy

aaa authentication list default

aaa authorization list defaultvpn

gateway company

max-users 25

logging enable


New Member

Re: SSL VPN AAA trouble with IOS 12.4(18)

@everyone who replied

After reading these posts and a few chapters from various books, I found out that every time the default AAA method list was used for login authentication. I didn't have this command on my router, because I was using several named lists for various purposes. When I entered

aaa authentication login default group someACSgroup local

login started to work!

Basically, the problem appeared because there is no command (or I haven't found it) for picking up specific named AAA method list - the router is using the default one.

So, either this is a bug, or some kind of a strange IOS developer logic, or I am still missing something out...


Can you tell me what IOS version you have? You know, I tried again to enter "webvpn context" and "webvpn install" commands, and it just doesn't understand them. My IOS is ADVSEC, now webvpn works, but these commands don't. I don't have the "inservice" command either. Webvpn starts to work just after typing "webvpn enable" and there is no need for the inservice command.

Thanks anyway for the help guys!
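
The dependency this thread uncovers, as an added example that is not part of the original posts: a Python check over a saved IOS configuration that reports when the old "webvpn enable" syntax is in use without a default login method list, or when a "webvpn context" names a login list that is not defined. The sample configs, the TP-example trustpoint name and the function names are constructed for illustration.

```python
import re

# Constructed sample configs for the example (not from a real device).
LEGACY = """\
aaa new-model
aaa authentication login VTY group someACSgroup local
webvpn enable gateway-addr x.x.x.x
webvpn
 ssl trustpoint TP-example
"""
CONTEXT = """\
aaa new-model
aaa authentication login default local line
webvpn gateway company
webvpn context company-context
 aaa authentication list sslvpn
 gateway company
"""

def login_method_lists(config):
    """Map each 'aaa authentication login <name>' list to its methods."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+)\s+(.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def audit_webvpn_aaa(config):
    """Return findings about the login method list WebVPN depends on."""
    findings = []
    lists = login_method_lists(config)
    legacy = re.search(r"^webvpn enable\b", config, re.M)
    contexts = re.search(r"^webvpn context\b", config, re.M)
    if legacy and not contexts and "default" not in lists:
        # Old syntax has no per-portal list, so the default list is required.
        findings.append("legacy webvpn: no 'aaa authentication login default'")
    # Context syntax: every list a context names must be defined globally.
    for name in re.findall(r"^\s*aaa authentication list (\S+)", config, re.M):
        if name not in lists:
            findings.append(f"context uses undefined login list '{name}'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY), ("context", CONTEXT)):
        print(label, audit_webvpn_aaa(cfg) or "ok")
```

Run it against the output of "show running-config" saved to a file; an empty result means the portal's login list resolves to a defined method list.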