[c-nsp] ASA 8.x SSL Certificate based authentication (ala Belgian eID Card)

Philippe Strauss philou at philou.ch
Tue Feb 12 03:33:48 EST 2008


Hello,

I'm trying to get an ASA working mostly as described on:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00808e00ec.shtml

but with standard CA certificates (WISeKey actually), not Belgian ones,
and not only for the AnyConnect SSL-VPN client, but also for the
clientless portal.

I cannot get it working :-/

The most I get is that the certificate chain is validated correctly, logging
on to the portal _seems_ to happen, but an immediate logout follows.
(Close to putting /bin/false as the shell in /etc/passwd :-)

Using AnyConnect, I do not get any Windows popup asking me to choose
the SSL certificate to use (as I do when using IE for the portal); the usual
username/password prompt appears (it should not).

Trying to type the serial number of the certificate as the username,
with a blank password, does not help in AnyConnect.
The same is true on the portal: setting DefaultWebVPNGroup
authentication to "both" rather than "certificate", I get a
username/password prompt on the portal, but entering the serial number does not
help; I get rejected.

Anyone on this list been there before?

Regards.

-- 
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch
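For reference, the shape of an ASA 8.x configuration that does what the post is after (certificate-only authentication for both the clientless portal and AnyConnect, with the user identified by the certificate serial number against the LOCAL database) is shown below. This is an added example, not configuration from the post or from the Cisco tech note it links; the trustpoint name WISEKEY-CA, the interface name "outside" and the serial number 0123456789ABCDEF are assumptions, and the `ssl certificate-authentication` command is assumed to be present in the 8.x release in use.

```text
! Added example, not from the original post. Names are assumptions:
! trustpoint WISEKEY-CA, interface "outside", serial 0123456789ABCDEF.

! 1. Trust the issuing CA chain so client certificates can be validated.
crypto ca trustpoint WISEKEY-CA
 enrollment terminal
 crl configure
crypto ca authenticate WISEKEY-CA
! (paste the base64 CA certificate at the prompt, then "quit"; repeat
!  with a second trustpoint for each intermediate CA in the chain)

! 2. Ask for a client certificate in the TLS handshake on the outside
!    interface. Without this the browser and AnyConnect are never prompted
!    to pick a certificate and fall back to the username/password prompt.
ssl certificate-authentication interface outside port 443

! 3. Clientless portal and AnyConnect (svc) on the outside interface.
webvpn
 enable outside
 svc enable

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc webvpn

! 4. Default group: authenticate with the certificate only, then authorize
!    by looking the serial number (SER) up in the local user database.
!    With authorization-required set, a certificate that validates but has
!    no matching local account is accepted by TLS and then rejected.
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
 authorization-required
 authorization-dn-attributes SER
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate

! 5. One local account per certificate. The username must be the serial
!    number exactly as the ASA renders it, hex case included.
username 0123456789ABCDEF nopassword
username 0123456789ABCDEF attributes
 vpn-tunnel-protocol svc webvpn
```

The string the ASA compares against the local username is its own rendering of the serial number, which need not match what a browser's certificate viewer shows (leading zeros, case, separators). The reliable check is to raise `debug webvpn 255` and `debug crypto ca 3` during a test logon, or to read the syslog message emitted on the rejected attempt, and create the local account from the serial number string that appears there. Whether the failing logon is rejected at the TLS layer (trust chain) or at the authorization step (no matching user) is visible in the same output.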


More information about the cisco-nsp mailing list