I have two Cisco WLC 5508 controllers that I'm trying to set up for our new corporate WLAN. I've gone through most of the configuration fine but have run into an issue uploading a signed certificate to one of my controllers. I should point out that I have managed to upload the certificate successfully to one of the controllers, I just can't seem to upload it to the second. The issue is as follows:
- I've logged into the controller, gone to Security -> Web Auth -> Certificate -> Download Certificate
- I've specified my TFTP server details and selected Apply
- The process begins and I can see through my TFTP client that the controller is attempting to copy and install the certificate
- The controller tries to install the certificate but fails, reporting the same
I would like to upload the signed certificate to LMS 4.2.2. After checking (option 4) I chose option 6 and pressed "y" for the questions, and the Perl script freezes.
I've been reading over the documentation, but only see instructions for using a self-signed certificate for SSL. Or even trusted certificates between LMSes. But I can't seem to find anything on LMS 4.0 using a Certificate Authority. And I have a security requirement to do so.
Can I import a self-signed certificate from a Cisco 871 router to a Cisco ASA 5505? The 5505 replaced the 871 and I have a VPN that goes to another company that we have a connection to. The device on the other end is a VPN concentrator (I do not have access to modify this device without going through multiple channels). I only need to mimic this device for the site-to-site VPN tunnel only. It appears that there are no pre-shared keys, only a self-signed certificate.
Our ACS (5.3) has a self-signed certificate; we have exported it and declared it in Certificate Authorities. We have exported it to have a Trusted Certificate for the client machine.
This certificate has been installed on a laptop. The WLC is successfully set up for EAP (PEAP & EAP-FAST have been tested > OK). I have this error in the log:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain. I think the Access Policies (identity & authorization) are misconfigured: [code]
I have just renewed the self-signed certificate on a v5.2 ACS and an expiry date of 2013 is showing in the ACS GUI. However, when I start an ACS Admin session and view the certificate information in the browser it is showing the old expiry date of 2010. I have tried this in IE and Firefox and the certificate information is the same.
Is there a way I can get the browser to pick up the new certificate?
I have a question about CiscoWorks. I need to generate the self-signed certificate with a key of 2048 bits to generate a CA with VeriSign. CiscoWorks does this automatically with a key of 1024 bits and I cannot find a way to choose a different key. Is it possible to generate a certificate with a 2048-bit key?
Another problem is that I have CiscoWorks installed on Solaris. Many times a day the web application does not work, and the only way to recover it is with the command "init 6", and then I have to wait 15 minutes until I can have access again. Why does this error occur? How can I fix it?
How do I create a new unique self-signed certificate on an RV120W? I can create a request for signing by an external CA, but I cannot create a new unique self-signed certificate itself.
Right now the self-signed certificate on my RV180W generates errors, as it was issued to the MAC address instead of the current IP address. I need instructions on generating a self-signed certificate (or one from my Windows Server 2012 Certification Authority) that will eliminate the constant barrage of certificate errors I get when trying to access the management interface of my device. The internal domain is mythos.local, the NetBIOS name is MYTHOS, and the device name in question is surtur.
The establishment of an IPsec tunnel between the RV220 and the QuickVPN client works properly with the router's original security certificate.
RV220 V1.0.3.5
QuickVPN V1.4.2.1
Since setting up a self-signed security certificate, the RV220 and QuickVPN client refuse to work together.
Here is the log of the QuickVPN client:
2011/09/27 12:45:14 [STATUS]OS Version: Windows 7
2011/09/27 12:45:14 [STATUS]Windows Firewall Domain Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
I am supporting one client who falls under mandatory security scans for a new implementation of an ASA 5520 device. The client uses Nessus Scan and the test results are attached. The Nessus scanner hit on 1 Medium vulnerability.
Having trouble loading a certificate in System Security/802.1X Supplicant. I tried to upload *.car and *.msc certificates, but the device aborted the upload at each attempt.
I have a WLC 5508 in my office and I have been asked to back up the configuration file from the WLC, but when I connect remotely to the WLC to upload the configuration file via TFTP it doesn't work.
But when I use a direct (point-to-point) connection between the WLC and my laptop I can upload the configuration file. Is there something wrong? I actually am connected to that WLC; I can ping and telnet to that device.
I have in the past downloaded the webauth bundle to a WLC 5508 running 7.0.98 successfully. I am trying to upload a new bundle after modifying the AUP, but I get an error after the download to the WLC.
The error with FTP or TFTP is: % Error: Webauth Bundle file transfer failed - Unknown error - refer to log
I've tried to copy the unmodified bundle from the zip and get the same error, so I don't think it's the login.tar file.
We are moving forward with a mobility project which requires our network to authenticate/authorize based on certificates.
WLAN_1 has 802.1X enabled, passing the cert through to the MS CA, which authorizes the credential, which in turn passes the AD credentials of the user to the MS RADIUS server for authentication/authorization.
Hardware: WLC 5508 running 7.2.110.0, 3600 APs, ACS 5.2 (not used for AAA)
1. As we turn up additional SSIDs, we need the Mobile SSID to accept ONLY the Mobile Cert, our Internet SSID to only accept the Internal Cert and our GUEST SSID to deny ANY Cert issued by our CA. I know ISE makes this much easier, but I don't have it and need this to work as best we can until the next fiscal cycle.
- 5508/1142 - heterogeneous clients with WZC, XP SP3, SSO - ACS 5.2, MS AD
The target is Single Sign On with Machine Certificates against AD. For testing purposes we tested with EAP-PEAP/MS-CHAPv2 and Machine Auth; this works fine. Now we installed a machine cert in the machine cert store (no user cert) and reconfigured WZC to use certs and Machine Auth. What we see is an error message in the system tray that there is no certificate available. We checked it again; the MMC shows us a machine cert in the store.
Have a WLC 5508 running 7.4 code; have a WLAN set up to allow access to the internal network. Users on iPads should be able to connect to this WLAN and be authenticated via certificate instead of PSK. We have set up laptops that are part of the domain to use the internal CA for authentication to the WLAN. iPads are not part of the domain, so we are not able to use the same model, or can we use the same model for authentication? How do I set up the WLC to authenticate iPad users via certificate instead of PSK while connecting to the WLAN?
Get an installed certificate to work on a 5508 WLC controller without rebooting. Is there a way? Is it possible to just reload a process to get the certificate to work?
I am using webauth and need to install an SSL cert to prevent the "There is a problem with this website's security certificate" message. I have a wildcard cert that was issued by Network Solutions that I use on a couple of web servers I run, and want to know if I can use that for the WLC? It's a pks cert and I think the WLC needs to use a PEM cert, so I converted the wildcard to PEM. Or do I need to purchase a cert that is not a wildcard and is in PEM format?
I have just set up a vWLC for lab purposes and it's up and running. I have a few used 1131 LAPs that try to join the AP, but I just get DTLS certificate errors like these:
*Sep 14 13:25:27.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Sep 14 13:25:27.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Sep 14 13:25:36.198: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 14 13:26:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.105
(code)
These APs (I have tried 2 so far) have earlier been in use connected to a cluster of 5508s.
I am planning to migrate from an old 4400 to a new 5508. I am happy with migrating the access points, but I need to know if I can migrate the web authentication certificate used for guests. The new WLC will have the same virtual interface and DNS name to match the CN on the current certificate. Will this work or will I need a new certificate?
I have 3 WLC 5508s and a NAC guest server. We want to download a wildcard certificate; a few seconds into the download of this certificate I get the failure message "download failed".
Does the WLC accept wildcard certificates, or must I generate a SAN (Subject Alternative Name) certificate?
We recently did a forklift upgrade on our campus and installed 3502i's, 3502e's, and 11 5508 WLCs. Our students are complaining about slow connections in several areas of the campus. In our testing and basic troubleshooting our Apple laptops have no problems, but our Windows laptops are showing very slow connection rates: 264 kbps download and 366 kbps upload. The Windows device has current drivers installed.
We are deploying BYOD with Cisco ISE 1.1.2 and a WLC (5508) using 802.1X authentication. Windows clients cannot connect to the 802.1X SSID, with the following error on ISE: Authentication failed: 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
The client doesn't have a preconfigured Wi-Fi profile or root certificate installed. The concept of BYOD supposes that you can connect your device without any installed certificates and preconfigured Wi-Fi profiles.
The problem is that the Windows 7 supplicant does not show the TLS alert in a pop-up window when connecting to the 802.1X SSID. If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install the root cert, get your own cert, etc. So, the question is: how do I make the Windows supplicant show the pop-up window with the TLS alert?
P.S. The attached file shows an example of the pop-up TLS alert window.
When a guest user first tries to access the "guest" WLAN, they are presented with a "certificate page" before the web authentication page/login is presented. The WLC forces an internal redirect to https://1.1.1.1, causing the certificate page to appear. Can this be bypassed? I am running a 5508 with 7.0.220.0.
I'm trying to upload the 5-2-0-26-4.tar.gpg patch to our ACS and so far have been unsuccessful. I keep getting "please verify the patch bundle is valid".
When I download the 5-2-0-26-4.tar.gpg file, for some reason the download always comes down from Cisco as 5-2-0-26-4.tar.tar. I've renamed the file to 5-2-0-26-4.tar.gpg and verified the MD5.
We are not able to upload an IOS image for a 7206 router with NPE-150 via xmodem, as there is no image available in flash and it is in ROMMON mode. But the same can be done on an 1841. So how do we upload an image into flash for the 7206 via xmodem? Where is the IOS stored on the 7206, in flash or on the NPE? If it's in flash, what is the NPE used for other than its routing engine capabilities?
I have configured a Cisco router with the following configuration to practice obtaining certificates from a Microsoft 2008 server configured as a stand-alone CA. This part works okay, but what I am trying to do next is giving me a headache: I am trying to delete the identity certificate but am having no luck whatsoever.
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 no shut
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shut
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
[code].....
I entered the following commands on the router to delete the certificate, but as you can see it's telling me the certificate doesn't exist (this method of deleting the cert has come from Richard Deal's Complete Cisco VPN Configuration Guide):
3Purley(config)#crypto ca certificate chain Purley
Purley(config-cert-chain)#no certificate 61E0446A000000000002
% Certificate not found.
PS: the router is a 3640 running c3640-jk9o3s-mz.124-7.bin
My friend has just got a laptop, and when she is at my place it shows that my computer is nearby, but the message says "Windows was unable to find a certificate to log in to network".
I just got back from vacation and suddenly can't connect to my Wi-Fi network at home with my netbook anymore. It says "validating identity" but never connects. When I try to repair the connection, it keeps authenticating and then says that Windows is unable to find a certificate to log me on to the network. I did some googling and it was suggested to uncheck the "Enable IEEE 802.1x authentication for this network" box under the Authentication tab in Wireless Network properties. I tried that, but then I get an error message saying "The network password needs to be 40bits or 104bits depending on your network configuration". I have no idea what to do or what the problem is. My other laptop, from which I set up this network, works fine. My phone seems to work fine, too. I already restarted the router and my netbook, but that didn't work either.
I've been wrestling with a Windows XP reinstall that wiped out my network adapter. Fortunately I found the D-Link AirPlus Utility and have restored it. However, now it says that Windows was unable to find a certificate to log me on to the network, although I have entered the correct key.
We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
"Error 42: Unable to create certificate enrollment request"
when we attempt to use the Online enrollment method to create and enroll a new certificate. There is no additional information in the VPN client logs, where we have set 3-High for all logs. In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enroll a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrollment dialog
2. Select Online
3. Select <New> for Certificate Authority
4. Enter http://192.168.120.1 as the CA URL (note: 192.168.120.1 is the IP of the Cisco 3825)
5. Click Next to display the dialog where we can enter certificate details
6. Enter details in all fields except IP Address and Domain
7. Click Enroll, which shows a dialog with the "Error 42 ..." message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrollment request. The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64-bit machine and attempted the steps listed above.
There is an ASA with remote access VPN and users are authenticated using third-party signed certificates (the CA is not local on the ASA). When a user certificate expires I can see it in the syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is a way to view a user's certificate expiry date beforehand, say, 3 days before?