Cisco Support Community

New Member

WebVPN on IOS and Client Side Certificate-Based Authentication

Hi there,

I have successfully configured WebVPN using client side certificate-based authentication and AAA. But when I use the username-prefill command, I always get "login" as the username. How can I configure the IOS to get the UPN from the certificate?

Thanks.

Nuno Vaz

5 REPLIES

Re: WebVPN on IOS and Client Side Certificate-Based Authentication

What version of code are you testing with?

New Member

Re: WebVPN on IOS and Client Side Certificate-Based Authentication

I'm using IOS Version 15.0(1)M3

New Member

Re: WebVPN on IOS and Client Side Certificate-Based Authentication

I upgraded the IOS to version 15.0(1)M3 and the problem remains the same.

After choosing the certificate to use, in the WebVPN login page the username field is locked and empty. I enter the password for the user in the certificate and get this debug:

*Nov 14 16:48:51.183: CRYPTO_PKI: Adding peer certificate
*Nov 14 16:48:51.187: CRYPTO_PKI: Check for identical certs
*Nov 14 16:48:51.187: CRYPTO_PKI: Create a list of suitable trustpoints
*Nov 14 16:48:51.187: CRYPTO_PKI: Suitable trustpoints are: ************,
*Nov 14 16:48:51.187: CRYPTO_PKI: Attempting to validate certificate using ***************
*Nov 14 16:48:51.203: CRYPTO_PKI: Certificate is verified
*Nov 14 16:48:51.203: CRYPTO_PKI: Checking certificate revocation
*Nov 14 16:48:51.215: CRYPTO_PKI: Certificate validation succeeded PASSING appctx is [0x***************
*Nov 14 16:49:05.711: AAA/AUTHEN/LOGIN (00000000): Pick method list '***************'
*Nov 14 16:49:05.711: WV-AAA: AAA authentication request sent for user: "Login"
*Nov 14 16:49:07.715: WV-AAA: AAA Authentication Failed!AAA authentication request sent for user: "Login"


The username of the user isn't "Login". Where is the IOS getting this value from?

In Cisco ASA there is a command that allows you to choose the certificate field to be used as the username. Is there any command for this on IOS?

Can anybody help me?

Thanks in advance.

New Member

WebVPN on IOS and Client Side Certificate-Based Authentication

I have the same issue if I use both of these commands together: "authentication certificate aaa" and "username-prefill".

I run IOS version 15.1(3)T1

Btw, Certificate-Only Authentication and Authorization Mode also doesn't work, because the router can't take "cert_username" from a certificate. It always appears as empty in the debug:

002542: Jun 30 03:32:01.622 MSK: WV: validated_tp :  cert_username :  matched_ctx :
002543: Jun 30 03:32:01.622 MSK: WV: Received appinfo
validated_tp : corpca, matched_ctx : ,cert_username :
002544: Jun 30 03:32:01.622 MSK: WV: Trustpoint match successful
002545: Jun 30 03:32:01.622 MSK: WV: Extracted username:  pass: ?

Does anybody have working client certificate authentication on IOS routers?

Cisco Employee

You can add configuration

You can add configuration like "authorization username subjectname commonname" for the trustpoint used for authenticating the client cert.
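An added configuration sketch, not taken from this thread, showing where the suggested trustpoint command sits relative to the two context commands that the thread says fail together. The trustpoint name corpca comes from the debug output above; the gateway, context, AAA list and address values are placeholders, and the "ca trustpoint", "ssl authenticate verify all" and "aaa authentication list" context lines are assumed to be available on the poster's release.

```ios
! Trustpoint that validates the client certificate (name taken from the debug above).
! The last line is the fix from this thread: build the SSL VPN username from the
! certificate subject CN. Without it the debug showed cert_username empty and the
! AAA request went out for the literal user "Login".
! Enrollment and revocation settings: keep whatever the deployment already uses.
crypto pki trustpoint corpca
 enrollment terminal
 revocation-check crl
 authorization username subjectname commonname
!
! AAA list that receives the prefilled username (list name is a placeholder).
aaa new-model
aaa authentication login SSLVPN-AUTH local
!
! Gateway name and address are placeholders.
webvpn gateway SSLVPN-GW
 ip address 192.0.2.1 port 443
 ssl trustpoint corpca
 inservice
!
! Context combining the two commands the poster reported as failing together.
webvpn context SSLVPN-CTX
 ssl authenticate verify all
 ca trustpoint corpca
 aaa authentication list SSLVPN-AUTH
 authentication certificate aaa
 username-prefill
 gateway SSLVPN-GW
 inservice
```

After applying it, repeat the "debug webvpn" session from the thread and confirm that "Extracted username:" now carries the CN rather than an empty value, and that the AAA request is no longer sent for "Login".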
