Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

WebVPN: client authentication with certificate

Hi, we have a 3005 with upgraded software running WebVPN. We'd like to setup client authentication using digital certificate.

The cisco documentation says:

WebVPN users that authenticate using digital certificates do not use global authentication and authorization setting. Instead, they use an authorization server to authenticate according to values set in the Configuration | User Management | Base Group/Groups IPSec tab for the following fields ...

So we setup an authorization server using IAS.

However, authentication always fails with log message:

Authentication rejected: Reason = Unspecified

handle = 27, server =, user = wi fi 4, domain = <not specified>

When I check IAS log, it says user doesn't exist. The IAS log also says the 3005 is trying to do a PAP authentication.

The browser will display the login/passwd screen after the failed certificate authentication. Nothing would work even if I type some valid IAS username/passwd into this screen.

This really confuse me:

1. We are doing certificate authentication without any need of passwd, so why does Cisco insist on an external authorization server in the first place?

2. What is 3005 sending to IAS? It seems to me that it's trying to send some username/passwd, which doesn't make sense at all.

3. After failed certificate authentication, I type some valid username/passwd into the logon browser screen. But in the server log, it's still saying the user on the certificate fails to login; it completely ignores the new username/passwd I typed in.

Has anyone succeeded in getting client authentication with digital certificate to work?



Re: WebVPN: client authentication with certificate


I'm was working on Microsoft IAS yesterday, I ran into the authentication issue you describe. It was down to the settings in IAS, it uses MS-CHAP-v2 by default, whereas IOS (as you saw in the error message) uses PAP.

On IAS go to Remote access policies, select properties for the displayed policy, edit its profile, and select PAP on the authentication tab. You mau also need to select no encryption on the encryption tab.

Hope this helps, I'm currently trying to get SCEP to an IOs router working with Microsoft CA and its driving me nuts:)


New Member

Re: WebVPN: client authentication with certificate

Hi, Jin,

Did you get client authentication using certificates working? I'm having exactly the same problem and I can't get this authentication to work. Did you have some trick to solve this problem?