These are exactly the URLs I'm trying to log in to. I see that both admin and user fail authentication while debugging it. And I was able to log in previously without having this "@" authentication option.
Aug 28 05:19:09.639: AAA/AUTHEN/LOGIN (00000000): Pick method list 'SSLVPN'
Aug 28 05:19:09.639: WV-AAA: AAA authentication request sent for user: "admin"
Aug 28 05:19:09.639: WV-AAA: AAA Authentication Failed!
Aug 28 05:19:09.955: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLGW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.200:2903
Aug 28 05:20:35.275: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLGW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.200:2904
Aug 28 05:20:40.075: AAA/AUTHEN/LOGIN (00000000): Pick method list 'SSLVPN'
Aug 28 05:20:40.075: WV-AAA: AAA authentication request sent for user: "user"
Aug 28 05:20:40.075: WV-AAA: AAA Authentication Failed

The relevant config once again:

aaa authentication login SSLVPN local
crypto pki trustpoint SSL-GW-TP
 enrollment selfsigned
 revocation-check crl
 rsakeypair SSL-TP-KEY 1024
username admin privilege 15 password 0 cisco123
username user password 0 cisco
webvpn gateway SSLGW
 ip address 192.168.3.1 port 443
 ssl trustpoint SSL-GW-TP
 logging enable
 inservice
!
webvpn context ADMIN
 title "Admin Context"
 ssl authenticate verify all
 !
 aaa authentication list SSLVPN
 aaa authentication domain @admin
 gateway SSLGW domain admin
 inservice
!
webvpn context USER
 title "User context"
 ssl authenticate verify all
 !
 aaa authentication list SSLVPN
 aaa authentication domain @user
 gateway SSLGW domain user
 inservice

From: Mike Rojas [mailto:[email protected]]
Sent: Monday, August 27, 2012 10:20 PM
To: Eugene Pefti
Cc: [email protected]
Subject: RE: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts

Try using IE. Paste your config back. Make sure you log out properly (cleaning everything is self experience, otherwise it will fall off on the same context over and over, mainly if using Firefox) and that when logging in you are putting https://x.x.x.x/user or https://x.x.x.x/admin

Mike.
________________________________
From: [email protected]<mailto:[email protected]>
To: [email protected]<mailto:[email protected]>
CC: [email protected]<mailto:[email protected]>
Subject: RE: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts
Date: Tue, 28 Aug 2012 05:15:36 +0000

Thanks, bro. I was looking into the other white paper. Cleaning the browser cache helped me see the right title, but I still can't log in after changing the domain authentication to @admin and @user.

From: Mike Rojas [mailto:[email protected]]
Sent: Monday, August 27, 2012 10:12 PM
To: Eugene Pefti
Subject: RE: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/prod_white_paper0900aecd80512065.html

________________________________
From: [email protected]<mailto:[email protected]>
To: [email protected]<mailto:[email protected]>
Subject: RE: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts
Date: Tue, 28 Aug 2012 05:07:57 +0000

Hi Mike,

Can you please refer me to any Cisco document that explains it? I mean the "@" part.

Eugene

From: Mike Rojas [mailto:[email protected]]
Sent: Monday, August 27, 2012 10:08 PM
To: Eugene Pefti; [email protected]<mailto:[email protected]>
Subject: RE: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts

The AAA authentication must have "@" in front of the domain for proper authentication. The gateway will remain without the "@". Very important: if you are using the same computer and browser, clear everything (cookies, history and such), then try again with the other user.

Mike.

________________________________
From: [email protected]<mailto:[email protected]>
To: [email protected]<mailto:[email protected]>
Date: Tue, 28 Aug 2012 05:03:32 +0000
Subject: [OSL | CCIE_Security] SSL VPN, one gateway, two contexts

Guys,

Has any one of you thoroughly tested what I said in the subject? I'm seeing strange behavior of the web page when I try to log in as a member of different contexts.
I have two contexts, ADMIN and USER (see config below). They both use the same gateway, and to differentiate between them I use a domain string. This is a minimalistic setup for webvpn without any group policies, just to prove it as a concept.

aaa new-model
aaa authentication login SSLVPN local
username admin privilege 15 password 0 cisco123
username user password 0 cisco
crypto pki trustpoint SSL-GW-TP
 enrollment selfsigned
 revocation-check crl
 rsakeypair SSL-TP-KEY 1024
webvpn gateway SSLGW
 ip address 192.168.3.1 port 443
 ssl trustpoint SSL-GW-TP
 logging enable
 inservice
!
webvpn context ADMIN
 title "Admin Context"
 ssl authenticate verify all
 aaa authentication list SSL-GLOBAL
 gateway SSLGW domain admin
 inservice
webvpn context USER
 title "User context"
 ssl authenticate verify all
 aaa authentication list SSL-GLOBAL
 gateway SSLGW domain user
 inservice

Then I try to log in to the web portal from the Test PC as https://192.168.3.1/admin and see the page with my admin title (Admin Context), log in as admin and see the internal page with the same admin context title. If I log in as a user to https://192.168.3.1/user I see the same title on the page (the one I'm supposed to see for admin) and I don't see the user title. Logging in as user, I again see the title for the admin user.

Then I try to complicate things and introduce the domain part in the authentication inside the context, i.e. "aaa authentication domain NAME", and I can't log in since then. Now my contexts look like this:

webvpn context ADMIN
 title "Admin Context"
 ssl authenticate verify all
 aaa authentication list SSL-GLOBAL
 aaa authentication domain admin
 gateway SSLGW domain admin
 inservice
webvpn context USER
 title "User context"
 ssl authenticate verify all
 aaa authentication list SSL-GLOBAL
 aaa authentication domain user
 gateway SSLGW domain user
 inservice

Any idea what's wrong this time?
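The thread turns on two configuration details that are easy to get wrong by hand: the per-context "aaa authentication domain" must carry the "@" prefix while the "gateway ... domain" keeps the bare name (as Mike states above), and each context's "aaa authentication list" must name a method list that actually exists (the first config in the thread references SSL-GLOBAL while the only list defined is SSLVPN). The following Python script is an added example written for this page, not code from the thread or from Cisco: it lints a WebVPN config for those three conditions and, separately, pairs the WV-AAA debug lines quoted in the latest reply with their "Authentication Failed" result to count failures per user. The parser assumes a simplified IOS-style layout (top-level commands unindented, context sub-commands indented by one space) and the sample config and debug lines are constructed, modelled on the ones in the thread. Only the failure message format is known from the thread, so the summariser does not try to recognise a success line.

```python
"""Lint IOS WebVPN context/gateway domains and summarise WV-AAA debug output.

Added example for this thread; the config grammar below is a deliberately
small subset of IOS (assumption), enough for the commands the thread uses.
"""
import re
from collections import Counter

# Constructed sample modelled on the thread: ADMIN references an undefined
# method list and lacks the "@" on its auth domain; USER wrongly carries
# the "@" on the gateway domain instead.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login SSLVPN local
webvpn gateway SSLGW
 ip address 192.168.3.1 port 443
 inservice
!
webvpn context ADMIN
 title "Admin Context"
 aaa authentication list SSL-GLOBAL
 aaa authentication domain admin
 gateway SSLGW domain admin
 inservice
webvpn context USER
 title "User context"
 aaa authentication list SSLVPN
 aaa authentication domain @user
 gateway SSLGW domain @user
 inservice
"""

# Constructed sample debug lines, in the format quoted in the thread.
SAMPLE_DEBUG = """\
Aug 28 05:19:09.639: AAA/AUTHEN/LOGIN (00000000): Pick method list 'SSLVPN'
Aug 28 05:19:09.639: WV-AAA: AAA authentication request sent for user: "admin"
Aug 28 05:19:09.639: WV-AAA: AAA Authentication Failed!
Aug 28 05:20:40.075: AAA/AUTHEN/LOGIN (00000000): Pick method list 'SSLVPN'
Aug 28 05:20:40.075: WV-AAA: AAA authentication request sent for user: "user"
Aug 28 05:20:40.075: WV-AAA: AAA Authentication Failed
"""


def parse_config(text):
    """Return (method_lists, contexts).

    method_lists: set of names from 'aaa authentication login NAME ...'.
    contexts: name -> {'list', 'auth_domain', 'gateway', 'gw_domain'}.
    Indented lines are attributed to the most recent 'webvpn context' block;
    indented lines under other blocks (e.g. the gateway) are ignored.
    """
    method_lists = set()
    contexts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            current = None  # leaving whatever block we were in
            m = re.match(r"aaa authentication login (\S+)", line)
            if m:
                method_lists.add(m.group(1))
                continue
            m = re.match(r"webvpn context (\S+)", line)
            if m:
                current = m.group(1)
                contexts[current] = {"list": None, "auth_domain": None,
                                     "gateway": None, "gw_domain": None}
            continue
        if current is None:
            continue
        ctx = contexts[current]
        m = re.match(r"aaa authentication list (\S+)", line)
        if m:
            ctx["list"] = m.group(1)
            continue
        m = re.match(r"aaa authentication domain (\S+)", line)
        if m:
            ctx["auth_domain"] = m.group(1)
            continue
        m = re.match(r"gateway (\S+)(?: domain (\S+))?", line)
        if m:
            ctx["gateway"], ctx["gw_domain"] = m.group(1), m.group(2)
    return method_lists, contexts


def lint_contexts(method_lists, contexts):
    """Return sorted (context, finding) pairs for the three checks."""
    findings = []
    for name, ctx in contexts.items():
        if ctx["list"] and ctx["list"] not in method_lists:
            findings.append((name, f"authentication list {ctx['list']} is not defined"))
        ad = ctx["auth_domain"]
        if ad is not None and not ad.startswith("@"):
            findings.append((name, f"aaa authentication domain {ad} lacks the '@' prefix"))
        gd = ctx["gw_domain"]
        if gd is not None and gd.startswith("@"):
            findings.append((name, f"gateway domain {gd} must not carry the '@' prefix"))
    return sorted(findings)


def summarise_wv_aaa(log_text):
    """Count WV-AAA failures per user by pairing each request with the result after it."""
    outcomes = Counter()
    pending = None
    for line in log_text.splitlines():
        m = re.search(r'WV-AAA: AAA authentication request sent for user: "([^"]+)"', line)
        if m:
            pending = m.group(1)
            continue
        if pending and "WV-AAA: AAA Authentication Failed" in line:
            outcomes[(pending, "failed")] += 1
            pending = None
    return dict(outcomes)


if __name__ == "__main__":
    lists, ctxs = parse_config(SAMPLE_CONFIG)
    for context, finding in lint_contexts(lists, ctxs):
        print(f"{context}: {finding}")
    for (user, result), count in summarise_wv_aaa(SAMPLE_DEBUG).items():
        print(f"{user}: {result} x{count}")
```

Run against the first config in the thread, the linter reports the SSL-GLOBAL/SSLVPN mismatch and the missing "@" on both contexts; run against the last config, it is clean, which narrows the remaining failures to the AAA backend or the browser-state issue Mike describes rather than the domain syntax.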
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com<http://www.ipexpert.com> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com<http://www.PlatinumPlacement.com>
