Folks,

Up until now I always thought that, by default, when any VPN connection lands on the ASA one of the following conditions always holds, namely: if this is a certificate-based authentication, then the OU in the certificate is used to match the tunnel-group. Trying to prove it with different scenarios.

The portion of the ASA config:

ssl certificate-authentication interface OUT port 443
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
 authorization-server-group ACS
 authorization-required
 username-from-certificate OU
tunnel-group WEBVPN webvpn-attributes
 authentication certificate

My test PC with a valid certificate connects via HTTP to the ASA and I see the following:

ASA1(config)# CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 7AB09A3B000000000005, subject name: [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA, issuer_name: cn=MS-ROOT-CA,ou=CCIE.
CRYPTO_PKI: No Tunnel Group Match for peer certificate

This doesn't make sense to me because, as you can see, the tunnel-group and the OU are identical. But if I change the ASA config to accept the connection on the default WebVPN group, everything seems to work smoothly, i.e. the ASA still complains that it can't find the tunnel group for the peer certificate, but the connection is successful. This time we see that it lands on the default WEBVPN group and authentication goes through.

CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 7AB09A3B000000000005, subject name: [email protected],cn=TESTPC,ou=WEBVPN,o=Cisco,l=Vancouver,st=BC,c=CA, issuer_name: cn=MS-ROOT-CA,ou=CCIE.
CRYPTO_PKI: No Tunnel Group Match for peer certificate. Unable to locate tunnel group map
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = d619c9a0
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Success.
webvpn_portal.c:http_webvpn_kill_cookie[682]
webvpn_auth.c:http_webvpn_pre_authorize[2267]
webvpn_auth.c:ssl_get_cert_user_field[4800]
using client cert: name=(WEBVPN)

Any ideas why it doesn't work with the user-defined tunnel-group, or is my understanding above only applicable to IPsec VPN with certificates?

Eugene
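An added configuration example, not from Eugene's post: the explicit certificate-to-tunnel-group mapping the ASA uses to pick a WebVPN tunnel-group from a certificate field, so that a session with ou=WEBVPN lands on tunnel-group WEBVPN instead of falling through to DefaultWEBVPNGroup. It assumes the tunnel-group name WEBVPN and the OU value from the debug above; the map name WEBVPN-MAP and rule index 10 are chosen for this example.

```text
! Certificate map rule 10: matches client certificates whose subject OU is WEBVPN
! (map name WEBVPN-MAP and index 10 are example values, not from the post)
crypto ca certificate map WEBVPN-MAP 10
 subject-name attr ou eq WEBVPN
!
! Bind that rule to the tunnel-group for SSL VPN sessions; without this binding
! the "No Tunnel Group Match" lookup has no map to consult and the session
! falls back to DefaultWEBVPNGroup, as seen in the debug output
webvpn
 certificate-group-map WEBVPN-MAP 10 WEBVPN
!
! For certificate-authenticated IPsec (IKEv1) peers the OU-based lookup is a
! separate, explicit switch; it tells the ASA to use the certificate's OU value
! as the tunnel-group name when no certificate-map rule matches
tunnel-group-map enable ou
!
! Checks after applying:
!   show running-config crypto ca certificate map
!   show running-config webvpn
! and re-run the connection with the same debugs to confirm the
! "Tunnel Group:" line now names WEBVPN rather than DefaultWEBVPNGroup
```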
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
