566 Views | 3 Helpful | 2 Replies

WebVPN: client authentication with certificate

jinyu1
Level 1

Hi, we have a 3005 with upgraded software running WebVPN. We'd like to setup client authentication using digital certificate.

The cisco documentation says:

WebVPN users that authenticate using digital certificates do not use global authentication and authorization setting. Instead, they use an authorization server to authenticate according to values set in the Configuration | User Management | Base Group/Groups IPSec tab for the following fields ...

So we setup an authorization server using IAS.

However, authentication always fails with log message:

Authentication rejected: Reason = Unspecified

handle = 27, server = 192.168.10.15, user = wi fi 4, domain = <not specified>

When I check IAS log, it says user doesn't exist. The IAS log also says the 3005 is trying to do a PAP authentication.

The browser will display the login/passwd screen after the failed certificate authentication. Nothing would work even if I type some valid IAS username/passwd into this screen.

This really confuses me:

1. We are doing certificate authentication without any need for a passwd, so why does Cisco insist on an external authorization server in the first place?

2. What is the 3005 sending to IAS? It seems to me that it's trying to send some username/passwd, which doesn't make sense at all.

3. After failed certificate authentication, I type some valid username/passwd into the logon browser screen. But in the server log, it's still saying the user on the certificate fails to login; it completely ignores the new username/passwd I typed in.

Has anyone succeeded in getting client authentication with digital certificate to work?

Jin

2 Replies

aacole
Level 5

Jin,

I was working on Microsoft IAS yesterday, and I ran into the authentication issue you describe. It was down to the settings in IAS: it uses MS-CHAP-v2 by default, whereas IOS (as you saw in the error message) uses PAP.

On IAS go to Remote Access Policies, select Properties for the displayed policy, edit its profile, and select PAP on the Authentication tab. You may also need to select No Encryption on the Encryption tab.

Hope this helps. I'm currently trying to get SCEP to an IOS router working with Microsoft CA and it's driving me nuts :)

Andy
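Andy's answer comes down to a mismatch between what the concentrator puts in its RADIUS Access-Request and what the IAS policy accepts. The quickest way to confirm that on your own network is to look at the Access-Request itself (for example a packet pulled from a capture between the 3005 and IAS) and check which authentication attributes it carries and which User-Name IAS is being asked to look up. The following script is an added example written for this thread, not code from Cisco, Microsoft or anyone in the discussion. It builds a constructed Access-Request (the shared secret, request authenticator, NAS address 192.0.2.10 and the password "placeholder" are all invented; only the username "wi fi 4" is taken from Jin's log line) and then decodes it using the attribute numbers defined in RFC 2865 (User-Name, User-Password, CHAP-Password, NAS-IP-Address, Vendor-Specific) and RFC 2548 (Microsoft vendor ID 311, MS-CHAP-Response type 1, MS-CHAP2-Response type 25). A User-Password attribute means PAP; an MS-CHAP2-Response vendor attribute means MS-CHAP-v2, which is what the default IAS policy expects.

```python
import hashlib
import struct

# RFC 2865 attribute types
USER_NAME = 1
USER_PASSWORD = 2
CHAP_PASSWORD = 3
NAS_IP_ADDRESS = 4
VENDOR_SPECIFIC = 26
# RFC 2548: Microsoft vendor-specific attributes
MICROSOFT_VENDOR_ID = 311
MS_CHAP_RESPONSE = 1
MS_CHAP2_RESPONSE = 25

# Constructed values for the sample packet (not from the thread).
SHARED_SECRET = b"example-secret"
AUTHENTICATOR = bytes(range(16))       # stands in for the 16 random bytes a real NAS sends
NAS_ADDRESS = bytes([192, 0, 2, 10])   # placeholder concentrator address


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; requires the shared secret, which the RADIUS admin has."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def auth_method(attrs: list) -> str:
    """Name the password protocol implied by the attributes present in the request."""
    found = set()
    for atype, value in attrs:
        if atype == USER_PASSWORD:
            found.add("PAP")
        elif atype == CHAP_PASSWORD:
            found.add("CHAP")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vendor_type = struct.unpack("!IB", value[:5])
            if vendor_id == MICROSOFT_VENDOR_ID and vendor_type == MS_CHAP2_RESPONSE:
                found.add("MS-CHAP-v2")
            elif vendor_id == MICROSOFT_VENDOR_ID and vendor_type == MS_CHAP_RESPONSE:
                found.add("MS-CHAP")
    return "/".join(sorted(found)) if found else "unknown"


def describe_request(packet: bytes, secret: bytes) -> dict:
    """Summarise what the NAS is asking the RADIUS server to check."""
    req = parse_radius(packet)
    info = {"method": auth_method(req["attrs"])}
    for atype, value in req["attrs"]:
        if atype == USER_NAME:
            info["user"] = value.decode("utf-8", "replace")
        elif atype == USER_PASSWORD:
            info["password"] = pap_reveal(value, secret, req["authenticator"]).decode("utf-8", "replace")
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            info["nas"] = ".".join(str(b) for b in value)
    return info


# Constructed sample: a PAP Access-Request carrying the certificate user from Jin's log.
SAMPLE_REQUEST = build_access_request(1, AUTHENTICATOR, [
    attribute(USER_NAME, b"wi fi 4"),
    attribute(USER_PASSWORD, pap_hide(b"placeholder", SHARED_SECRET, AUTHENTICATOR)),
    attribute(NAS_IP_ADDRESS, NAS_ADDRESS),
])

if __name__ == "__main__":
    print(describe_request(SAMPLE_REQUEST, SHARED_SECRET))
```

Run against a real capture, the "user" field is the exact string IAS looks up in Active Directory (the certificate's subject name in this case), so a "user doesn't exist" entry in the IAS log means that string has no matching account, independent of whatever is typed on the fallback login page. The "method" field tells you whether the policy's authentication tab needs PAP enabled, as Andy describes.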

terranullius
Level 1

Hi, Jin,

Did you get client authentication using certificates working? I'm having exactly the same problem and I can't get this authentication to work. Did you have some trick to solve this problem?