New Member

SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

Hello,

I have a problem regarding authentication with a certificate from the iPhone AnyConnect 2.5 client to a Cisco 1802 router.

Cisco 1802 Router:

Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)

First I configured SSLVPN with username and password; in this configuration the AnyConnect client on my iPhone works.

Then I enrolled a certificate from my Windows 2008 R2 CA to the router with the attributes: Server Authentication and IPSEC,

and I enrolled a certificate for my iPhone with Client Authentication and IPSEC.

After a bunch of time (I really could not find really good documentation on how to do this) I got it done. In the webvpn context configuration I made these changes:

 no aaa authentication list default
 authentication certificate
 ca trustpoint CA

As the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if I want only certificate authentication I had to use the "authentication certificate" command and that's it.

As I look into the debugs it seems to me that the router accepts the certificate of the iPhone, but then I receive a window on the iPhone that wants an additional username and password authentication, and no matter what I enter there's always the same dialog coming back.

Any ideas what the problem could be?

Here is the configuration:

webvpn gateway WEBVPN_GW_OFFICE2
 ip interface Dialer0 port 1444
 ssl trustpoint CA
 inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
 secondary-color white
 title-color #669999
 text-color black
 ssl authenticate verify all
 !
 !
 policy group WEBVPN_POLICY2
   functions svc-enabled
   mask-urls
   svc address-pool "SSLVPN_OFFICE1"
   svc default-domain "domain.internal"
   svc keep-client-installed
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary 192.168.53.33
   svc dns-server secondary 192.168.53.35
 virtual-template 3
 default-group-policy WEBVPN_POLICY2
 gateway WEBVPN_GW_OFFICE2
 authentication certificate
 ca trustpoint CA
 inservice

Here is the debug:

OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
      offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event

BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
      offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
      Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
      offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

  • VPN
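One way to condense the debug output above into one record per request, as an added example that is not part of the original post. It splits the `WV:` lines on "Entering APPL" and records the validated trustpoint, the `cert_username` field, and the failure code; the sample lines are copied (abridged) from the post, and the function names are this example's own.

```python
import re

# Lines copied from the debug output in the post above (two requests, abridged).
SAMPLE = """\
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
"""

WV = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): WV: (?P<msg>.*)$")
TP = re.compile(r"validated_tp : *(?P<tp>\S*?) *cert_username : *(?P<user>\S*?) *matched_ctx :")
REQ = re.compile(r"http request: (?P<path>\S+) with (?P<cookie>.+)")
FAIL = re.compile(r"Appl\. processing Failed : (?P<code>\d+)")

def summarize(log_text):
    """Return one dict per request, split on 'Entering APPL' lines."""
    requests, cur = [], None
    for line in log_text.splitlines():
        m = WV.match(line.strip())
        if not m:
            continue  # wrapped continuation lines and router prompts
        msg = m["msg"]
        if msg.startswith("Entering APPL"):
            cur = {"ts": m["ts"], "path": None, "cookie": None, "trustpoint": "",
                   "cert_username": "", "tp_match": False, "fail_code": None}
            requests.append(cur)
        elif cur is None:
            continue  # queue events before the first request
        elif (r := REQ.search(msg)):
            cur["path"], cur["cookie"] = r["path"], r["cookie"]
        elif (t := TP.search(msg)):
            cur["trustpoint"], cur["cert_username"] = t["tp"], t["user"]
        elif "Trustpoint match successful" in msg:
            cur["tp_match"] = True
        elif (f := FAIL.search(msg)):
            cur["fail_code"] = int(f["code"])
    return requests

def cert_ok_but_no_identity(requests):
    """Requests where the trustpoint matched, cert_username is empty, and processing failed."""
    return [r for r in requests
            if r["tp_match"] and not r["cert_username"] and r["fail_code"] is not None]
```

Run over the full debug in the post, every request lands in `cert_ok_but_no_identity`: the trustpoint match succeeds each time while `cert_username` stays empty.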
4 REPLIES
New Member

SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate

I also tried to export my user certificate from my Windows 7 and imported it to the iPhone: same result.

And I tried IOS version 15.1(3)T2.

Here is the same behavior, BUT: if I enter a correct username and password which is configured locally on the router, then I get "Connected".

But I can't use this IOS because of another bug, and my aim is to find a solution where I don't need an additional username and password...

New Member

SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate

Hello Marwan,

As it seems to be not supported I stopped working on that,

I'm sorry.

New Member

Re: SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certific

Hi,

Have you found a solution for your problem? I have the same issue. I hope you found it; if yes, can you help me and post your config example and what requirements I should have to make the certificate in Windows 7?

Thank you,

Best Regards

Marwan Urabi
