Hi, we have a 3005 with upgraded software running WebVPN. We'd like to set up client authentication using digital certificates.
The cisco documentation says:
WebVPN users that authenticate using digital certificates do not use global authentication and authorization setting. Instead, they use an authorization server to authenticate according to values set in the Configuration | User Management | Base Group/Groups IPSec tab for the following fields ...
So we set up an authorization server using IAS.
However, authentication always fails with log message:
Authentication rejected: Reason = Unspecified
handle = 27, server = 192.168.10.15, user = wi fi 4, domain = <not specified>
When I check IAS log, it says user doesn't exist. The IAS log also says the 3005 is trying to do a PAP authentication.
The browser displays the login/passwd screen after the failed certificate authentication. Nothing works even if I type a valid IAS username/passwd into this screen.
This really confuses me:
1. We are doing certificate authentication without any need for a passwd, so why does Cisco insist on an external authorization server in the first place?
2. What is the 3005 sending to IAS? It seems to me that it's trying to send some username/passwd, which doesn't make sense at all.
3. After the failed certificate authentication, I type a valid username/passwd into the logon browser screen. But in the server log, it's still saying the user on the certificate fails to log in; it completely ignores the new username/passwd I typed in.
Has anyone succeeded in getting client authentication with digital certificate to work?
Re: WebVPN: client authentication with certificate
I was working on Microsoft IAS yesterday and ran into the authentication issue you describe. It was down to the settings in IAS: it uses MS-CHAP-v2 by default, whereas IOS (as you saw in the error message) uses PAP.
On IAS go to Remote Access Policies, select Properties for the displayed policy, edit its profile, and select PAP on the Authentication tab. You may also need to select No Encryption on the Encryption tab.
Hope this helps. I'm currently trying to get SCEP to an IOS router working with Microsoft CA and it's driving me nuts :)
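To make the PAP-versus-MS-CHAP-v2 mismatch in the reply above concrete, here is an added example (not code from the thread or from Cisco/Microsoft) that builds the kind of RADIUS Access-Request a PAP-only NAS sends, inspects which authentication method a request carries, and mimics a remote access policy that only permits MS-CHAP-v2. The user name follows the thread's log (the certificate subject appears as the user); the password value and shared secret are constructed placeholders, since the page does not state what the 3005 puts in that field.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1          # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2      # only a PAP request carries this attribute
ATTR_VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311          # Microsoft vendor id (RFC 2548)
MS_CHAP2_RESPONSE = 25      # vendor type inside attribute 26 for MS-CHAP-v2

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_pap_access_request(username, password, secret, identifier=1, authenticator=None):
    """Access-Request as a PAP-only NAS sends it: User-Name plus a hidden User-Password."""
    auth = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs

def auth_method(packet):
    """Walk the attribute TLVs after the 20-byte header and name the authentication method."""
    i = 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        value = packet[i + 2:i + alen]
        if atype == ATTR_USER_PASSWORD:
            return "PAP"
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and vtype == MS_CHAP2_RESPONSE:
                return "MS-CHAP-v2"
        i += alen
    return "unknown"

def policy_decision(packet, allowed_methods):
    # Mimics an IAS profile: reject when the request's method is not enabled on the policy.
    method = auth_method(packet)
    return "accept-eligible" if method in allowed_methods else "reject: %s not allowed" % method
```

With the policy left at its MS-CHAP-v2 default, the PAP request is rejected before any user lookup succeeds; enabling PAP on the profile is what makes the same packet eligible.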