Cisco AAA/Identity/Nac :: %ASA-3-717009 / Certificate Validation Failed / Certificate Date Is Out-of-range
Jan 30, 2012
There is ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA).When user certificate expires i can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
I'm currently having issues testing OCSP servers for certificate validation on ACS 5.4. Server team claims everything is fine on their side, but all attempts result in the following error:12562 OCSP server response is invalid
I've already tried to disable NONCE extension support and signature validation, which hasn't really had any effect. How to debug OCSP processing or look into the problem more precisely another way?
Tried configuring SSL VPN using Certificate authentication using a Microsoft CA server. Truspoint created and mapped to SSL VPN. While connecting the SSL VPN getting certificate validation failure. find the error screen shot attached
I have an anyconnect account set up using version 3.0.5080 and connecting to an ASA 5510 base 8.2(2)17. We are using certificates for authentication. If I try and use the account on a windows machine it all works fine.
However on a mac running Lion if I try and connect via a web browser or already have the anyconnect client loaded and try to connect I always get “certificate Validation Failure”. I double checked the certificate was correct and am sure that is correct as it is the same certificate on the Windows and the mac. After searching online I have also tried editing the anyconnect profile to so it is set “certificate store override”, and put the certificates and key in the “user/.cisco/certificates” and “/opt/.cisco/certificates” folders.
After further testing, if I change the anyconnect connection profile to “authentication aaa” I can connect fine. Then if I disconnect, change it back to “authentication certificate” I can connect fine the first time, but all the following subsequent efforts I make fail. If I repeat this process this happens each time, I can connect the first time but after that it fails with the same “certificate Validation Failure” error message. When it connects this first time I checked and confirmed that it is definitely using the certificate. I have also tried using both authentication methods (“authentication aaa certificate”) and had the same problem.
This leads me to believe that my configuration is correct and it is some bug in the anyconnect client or the ASA image. I have had a look through bugs and read somewhere that there was a bug on earlier versions of 8.4, but nothing about 8.2.
I have an ASA (8.4.5) configured with a connection profile that does AAA and Certificate authentication. Once I have the anyconnect 3.1 on a win Xp system, it works perfectly. When I do a web install, it goes through the normal download, log-in, re-download then says "Certificate Authentication Failure" If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC. Why this is not working?
For some reason this RV082 (code level v2.0.2.01-tm-20110308) has generated a SSL cert that is not valid till 2022?
How to regenerate the cert with a valid date?
SSL Certificate - Future Start Date The SSL certificate is not valid before Mar 3 06:51:27 2022 GMT : Subject : CN=00:0c:41:92:41:71, OU=RV082, O=Cisco-Linksys, LLC, C=US, L=Irvine, SN=California Issuer : CN=00:0c:41:92:41:71, OU=RV082, O=Cisco-Linksys, LLC, C=US, L=Irvine, SN=California Not valid before : Mar 3 06:51:27 2022 GMT Not valid after .
I'm currently in the process of the setting up a new wireless network and I want to test out our 7925 phones on it. When I try uploading the certificate to the phone it fails and I find the following error in the trace logs
[code]...
I created this certificate using using Windows Server 2003 and it is 2048 bits. This certificate works fine with my laptop but I'm unable to upload it to the phone. The app load currently on the phone is CP7925-MFG-D.8.LOADS. Are there any specific guidelines out there when creating a certificate for a Cisco 7925 phone?
I am trying to install a digi cert on a 7921 and I get the message on import of "certificate verification failed".as there does not seem to be much documentation with the above error message.
I got error message when I convert to certificate authencate via tunnel group.
error message: "certificate validation failure"
client prompte me that "your client certificate will be used for authenticate" but none certificate list popup even i disabled "autpmatic certificate selection" preferences.
some information about my configuration : ASA 8.2(2)4 Anyconnect VPN 2.5.1025 authentication against aaa is working
some key point: ASA: ssl trust-point remote.apac outside
Network Resources - Network Devices and AAA Clients- File Operations - Add - gives me File Format Validation Faliled. I am carefull to leave the header as it is. The header in the Import Template looks faulty, see attached. When exporting devices I also get the same header as attached. I also tried to change the header so its all in one column, but with same result.
I've configured in an UC520 a SSL VPN.I can access properly and I can see the labels, but I only can access urls which are http, not https:I can access the default ip of the uc520 (192.168.1.10) but When I try to get access to a secure url I get the msg: Failed to validate server certificate I'm trying to access a Cisco Digital Media Manager, whose url is URL Does the certificate of both hardware has to be the same?
Currently I'm using a self signed cert issued by ACS. We are having an issue where occasionally we see in our Windows 7 logs that Windows did not like the self signed cert from ACS when doing dot1x authentication for our Windows 7 clients. We are using the built in dot1x client that comes with Windows and have the "Validate Server Certificate" unchecked but still see this error occasionally. I've tried issuing a CSR from the ACS server and going to Thwate and getting a test cert but everytime I paste the CSR into the field at Thwate I get an error about invalid cert type. You have to choose from a list of server types. I've tried several different ones. I've also tried issuing the request from a WIndows server and when I try and import the files I get a invalid key error. How to get certificate working from Thwate or Verisign?
We have enabled EAP-TLS authentication for our wireless LAN end user in our network setup , And we have defined certificate on our old acs server 3.3 from a third party CA . I want to use the same certifcate which is being used in 3.3 ,how i can copy that certficate from 3.3 and get it installed on new acs 4.2 .
Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based
I got many certificates errors. When ISE Server tried to retrieve CRL: CRL verification failed - possibly signed by wrong or unknown CA,When client tried to connect using EAP-TLS: X509 decrypt error - certificate signature failure.
I cannot import certificate from CA (Certificate Authority). When I attempt to install the certificate to CSACS SE 4.2, the following error occurs during installation: "Unsupported private key file format".
Been tinkering around in our ACS 5.2 appliances today to setup PEAP. I generated a self signed certificate under local certificates which I want to remove now. But when I try to delete it I get the following message:
This System Failure occurred: Certificate is associated with a protocol. Hence it cannot be deleted.. Your changes have not been save. Click OK to return to the list page.
I assume this is because it is associated with the EAP protocol, but I cannot uncheck the box when I edit the local certificate. How can I get rid of this test certificate?
I have just renewed the self signed certificate on a v5.2 ACS and expiry date of 2013 is showing in the ACS GUI. However, when I start an ACS Admin session and view the certificate information in the browser it is showing the old expiry date of 2010. I have tried this in IE and Firefox and the certificate information is the same.
Is there a way I can get the browser to pick the new certificate ?
Cisco ISE 1.1.1 is given Certificate error while trying to access any of nodes. It is started after adding other nodes in to primary node. Accessing by IP's redirect to other nodes suppose if we accessing primary admin node by IP, it redirect to other nodes (secondary nodes or other nodes).
We use a combination of Cisco ACS and Cisco catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grand access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate, Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).
i have a wireless deplyoment with WLC 5508, ACS 5.2 and several AD connected by LDAP. It is required that users are authenticated by certificates additional the user should only get access to the wireless environment when the user is found in a certain security group in the Microsoft AD forrest. The certificate based authentication is working without any problems, except the lookup into the AD isn't working. Here are the Details of the "Evaluting Identity Policy"
Evaluating Identity Policy 15004 Matched rule 22037 Authentication Passed 22023 Proceed to attribute retrieval 24031 Sending request to primary LDAP server 24016 Looking up user in LDAP Server - Alex Dersch 24008 User not found in LDAP Server 22015 Identity sequence continues to the next IDStore 24209 Looking up Host in Internal Hosts IDStore - Alex Dersch 24217 The host is not found in the internal hosts identity store. 22016 Identity sequence completed iterating the IDStores
but the user can access the WLAN just without verifying the user in the AD. i tried the to enable Binary Comparisation but then the Authentication is not working any more. I get the same Identity Policy result as above.
i configured the Binary Comparisation as below:
I though with the binary comparisation i'll be able to verify the existance and the status of an user in the Active Directory.
we currently have a remote access asa setup using Anyconnect with self signed certificate, and several users in the certificate database as we are using radius and certificate for authentication.
I want to purchase and obtain a trusted CA signed certificate (such as Verisign) and replace the current self signed cert.
My question is will I have to reset the current CA server of the ASA and replace the certificate user database? ie start from scratch.
Currently the ACS 5 is authenticate the iPhone/iPad by using the MAC address (which is entered manually) and AD user/password, i need to do that with certificate, so it will be scalable.
I'm trying to export identity certificates from an ASA 5510 to 5520, I'm exporting in pkcs12 format and specifying a passphrase. When attempting to import to the 5520, I get "error import pkcs12 operation failed" from cli or asdm.
to grant not to show the certificate error adevertise to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and friendly url for sponsor and mydevices. But when I try to import it to more than one PSN the following error message is shown " The certificate already exists in the data base".How can I import the same certificate (with the same private key) in every PSN in a node group?
Checking the configuration of the Wireless Notebook no longer requires the digital certificate of the ACS and NVR122 NVR123as worked in the past. The certificate is generated for the ACS root CA trusted by the COMPANY, so that the public CA certificate supersedes theprevious ACS. Therefore, any host that is in the field of company would have access to the wireless network. With this, the 8021x is working with a certificate that is common to all hosts in the field of business. How do I change it?
I have a pair of ACS appliances running 5.1 code. The appliances are set up as a replicated pair. I have valid local and trusted certificate authority certificates on the primary.
The trusted certificate authority certificate gets replicated to the secondary. Obviously the local certificate doesn't get replicated. I need to generate a certificate signing request on the secondary but it doesn't seem to allow you to do it.
We plan to use machine certificates on our notebooks with Windows Vista. Our authenticating server is Cisco ACS 5.1. To access the wireless network we want to use the machine certificate of the notebook and a verification of the corresponding computer account in the Active Directory. What authentication method is the best to check the machine certificate and if in the Active Directory exist the enabled corresponding computer account ? How to configure the ACS and the notebook to use it like described ?
I need this SSL certficate installation on my acs appliance 1120 for PEAP clients.I have exported SSL server certficate from my old acs 3.3 server which is under acscertstore folder issued by CA vendor . I need to reuse this same SSL certificate on my acs appliance .ACS appliance certficate setup requires following two certificate to be installed for PEAP clients authentication
1) Server Certificate
2) CA certificate
Server Certificate : For server certifcate , I have my old certificate which is exported from my old acs 3.3 server , when i tried to download my server certficate via ftp server on my acs appliance , its looking for private key & private key file .Private key & file is generated intially on CSR request when this server certificate is requested to CA vendor for my old acs 3.3 . I dont know the private key password . If i need private key & file , then i need to generate new CSR from my acs appliance and i need to submit this CSR output to my CA vendor to generate new SSL server certificate .which is something like new server certificate request .CA certficate : For CA certficate , when i open my existing SSL certificate under detials tab in CRL distribution point , i could see below URL . whn i open this URL it giving certificate revocation list . [1]CRL Distribution Point.
