Has anyone tried to get two factor authentication working with the asa 5505. I have a CA setup and the enrollment emails are being sent out. But when I go to login to the enrollment site at [URL]. I get a page not found.
I would like to have one factor be a username and password and the second factor being a certificate on the device.
I would like to konw does Cisco ACS 4.x / 5.x natively support Two factor authenication, but not act as a Radius Proxy?
View 1 Replies View RelatedHow two factor authentication can be implemented using cisco acs 5.1 & vasco?
View 1 Replies View RelatedI'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?
View 6 Replies View RelatedTwo factor setup with Symantec VIP? I just fined setting it up and VIP Service and SA520 seems to be synchronizing correctly but device doesnt direct VPN users for second authentication ?
View 16 Replies View RelatedI want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?
More info:
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.
I was very excited to read about the two factor authentication that Cisco and Verisign offer through the VIP and SA500 series routers. I purchased an SA540 a month and a half ago. I have been on the phone with support of both Cisco and Verisign ever since. It appears no one actually knows how to make the product work. Finally I was told that they have only tested it on an SA520. So I bought an SA520; however, it doesn't work either. How to use the Verisign VIP two factor authentication with either an SA520 or SA540? If so, what is the trick? If not, how is Cisco advertising this product if it doesn't actually work?
View 3 Replies View RelatedI am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect.I have imported the CA's root certificate, signed an identity cert for the ASA box and imported, and assigned the cert ("trustpoint") to the outside interface.Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of if I have a valid signed cert or not. This is what I see with "debug webvpn 100":
webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]ewaFormSubmit_webvpn_login: tgCookie = 0ewaFormSubmit_webvpn_login: cookie = c98f3940ewaFormSubmit_webvpn_login: tgCookieSet = 0ewaFormSubmit_webvpn_login: tgroup = NULLTunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!Embedded CA Server not enabled. Logging out the user.webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert?Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".
Some highlights from the config:
crypto ca trustpoint ASDM_pfirewall01.company.tld enrollment terminal fqdn pfirewall01.company.tld subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik keypair company crl configurecrypto ca trustpoint ASDM_TrustPoint0 revocation-check crl none enrollment terminal crl configure no enforcenextupdate no protocol ldap no protocol scepcrypto ca trustpoint ASDM_pfirwall01.company.tld revocation-check crl enrollment terminal no client-types crl configurecrypto ca certificate chain ASDM_pfirewall01.company.tld certificate 02 30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030 <snipped rest of cert> quitcrypto ca certificate chain ASDM_TrustPoint0 certificate ca 00e2a6f08003ded6c9 3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886 <snipped rest of cert> quitcrypto ca certificate chain
[code]....
I have a Cisco 4506 With IOS 12.2 54SG1
Iam new on Acs 4.2 and i want to use Certificates to authenticate my windows XP Client and Igels.
On Windows Xp i selected : IEEE 802.1X Authentication enable EAP (Peap)
But i dont understand the Certification of ACS 4.2.
I generated a Self-Signed Certificate. Is this right ? and under installed Certificates the Certificate Status is okay.
Do i have to create for each windows Machine one user Account under user-Setup to authenticate the Machine?
Where do Windows Xp know whitch Certificate he have to take ?
I configures the Switch on Global Configuration like this:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
[Code].....
Iam triying to configure ist szenario till 4 days and it still dont work.. On Windows i Only get the Error" authentication failed" on the Switch the same : dot1x : Authfailed
Recently we updated to the Anyconnect 3.0 client. I see the new 3.1 client is out and we are currently testing it for production. My question though is since updating to 3.0 our end users receive a message at the bottom of their client stating "No valid certificates available for authentication" They can still VPN in since we dont do certificate based authentication but we have been getting tons of questions on this. I would like to stop these messages from appearing and I am not sure if its just how the new client behaves or if its something configured on our ASA's.
View 1 Replies View RelatedA PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query PC, handing this off to ACS, that bit I'm ok with. The ACS needs to query the CA server to authenticate the PC, its this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.
Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?
I have a Cisco ASA 5505 as a BOVPN endpoint using certificates. The config is complete and I now need to back it up and restore to a cold standby Cisco ASA 5505 that will sit on the shelf until something goes wrong.
Problem is I cannot restore my certifcates to the standby.
I have tried the backup and restore wizard in ASDM and to be honest it didn't work.
I'm working on task to update the SSL certificate for an application. steps to upgrade the SSL, stuffs need to be checked before and after the installation and how to verify the new certificates.
View 1 Replies View RelatedI have cisco ASA 5505 with security plus, i configured remote VPN with ASA for LDAP authentication which works as i want. Now i have a requierment that some users needs to get access via remote VPN but they are not part OUR SERVER Active directory, Is that a possibility that users have an access of remote VPN while not creating an account in AD and perfrom local authentication via firewall for them?
View 1 Replies View RelatedWe have three AD/DCs (2) in the datacenter and (1) locally
A couple of our users cannot:
Install a program that authenticates against AD
Create Mapped drives on their workstations
All of these users have full local Admin rights on their workstations.
I've restarted all the AD/DCs
I've checked and modified local security policy a couple of different ways.
I've checked Kebros authentication logs for errors.
On the static machines I've individually tested each of the DNS servers with no issues.
Here's the weird part:
Take those same machines...and move them into our static IP range 10.10.1.2-254 and boom ( things start working) .
Example of our network
10.10.1.1 /24 256 addresses Static Win 2003 R2
10.10.2.1 /23 512 addresses DHCP via ASA 5505 at a remote site
10.10.4.4 /23 512 addresses DHCP Win 2003 R2 with some of the addresses excluded at the datacenter and the other addresses excluded from distribution locally: This is so that when we have an outage machines don't go nuts from the loss of contact to the DHCP at the datacenter.
10.10.8.1 /22 1024 addresses DHCP Win 2003 R2 Not in use currently.
I am facing strange behavior in Windows 7 and Windows Vista.I have a client program in my PC and server program outside network.I can see that some time TCP WINDOWS SCALING working and some time not.In first Log after 3 way handshakes established I can see data transfer happening bocs from log I can see it is settings SCALING factor.
But for some cases where I see that connection happened but data transfer not happening (May be my network does not work without Scaling..) I can see my WINSOWS TCP stack has not set SCALING in SYN request.Hence in 2 nd log I can see "Scale factor not supported"...though I enabled SCALING in my WINDOW .
You can see in 2nd log :: [ Win=8192 ( ) = 8192 ] - not settings scaling factor some time.How to fix this issue so that Windows 7 / Vista always set SCALING in SYN request.
My TCP Settings :::
Receive-Side Scaling State : enabled
Chimney Offload State : automatic
NetDMA State : enabled[code].....
We have a business case where we have a group of ASA 5505's in 3 locations with anyconnect user licensing on all 3 for redundancy.The problem we are facing is that when we need to authenticate our anyconnect clients we use active directory servers located at site 1 and the other 2 sites need to contact these MS AD Servers over an already connected VPN tunnel to site 1 (IPSec l2l) but cannot.So the layout is as follows:Site 1 (houses AD servers) has l2l tunnels to site 2 and 3Site 2 (any connect essentials enabled) has l2l tunnel to site 1 and 3Site 3 (any connect essentials enabled) has l2l tunnel to site 2 and 3AD servers are ip'd as 10.1.1.11 and 10.1.1.4If I use anyconnect to site 1 it authenticates fine - as expected.Site 2 and site 3 fails to contact AD serverAny thoughts on how we can accomplish this(or is it even possible to do?) without exposing the AD server in a DMZ or via external ip?
View 1 Replies View RelatedI currently have a working metro ethernet connection between our main office and a branch office. I am tasked with building a redundant route for this site, in case the metro-E line goes down. We are purchasing two cable internet lines at each sight and I plan on buying two Cisco routers to do the VPN tunnel via the new cable Internet connection. The metro ethernet connection currently has two HP 3500s on each atm.2 questions:
-How will OSPF and VRRP factor-in to such a setup?
-What Cisco routers are recommended that can utilize this protocol?
The HP 3500s can do either OSPF or VRRP.I have been purchasing and setting up refurbed Cisco 1811 routers for other VPN tunnels and they work great.
I'm trying to set up my Cisco ASA 5505 to authenticate against and openldap server. Authenticate with a user's LDAP username and password is working fine.
I've hit Google pretty hard but can't seem to find a simple answer. It seems like RADIUS might be easier for this kind of thing, but I haven't gotten that set up yet and my familiarity with RADIUS is pretty minimal right now.
Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect vpn?I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone.I currently have the AnyConnect client connecting ok using username / password for authentication.
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.
I'm trying to set up a 5505 (running 8.3) so that i can use the client vpn through RADIUS authentication.I have set up a new local RAIDUS windows box and used the ASDM asistant and a few other guides to setup the 5505.
View 3 Replies View RelatedHow i can use both LDAP Authentication and local user database to authenticate the remote vpn clinet in asa 5505?
when i try to do the things either only one method is working both are not working at a time.
I have access to an ASA running 8.4 and I need to copy the config to another one, to have it has as a spare.All configuration has coppied fine except for this part in the config;
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GS2-NT-FIR-01
proxy-ldc-issuer
crl configure
[code]....
So firstly, I assume this certificate is for the SSL vpn that is configured on the ASA? Secondly, this wouldn't copy across (the HEX part). But I believe this ASA is using a self signed cert so instead I probably ned to generate a new one on this spare ASA, so how do I do that?
I am delving into the world of Certificates and the ASA. I am having the HARDEST time grasping this though. I've poured over Cisco whitepapers, been reading through books and things just aren't solidifying in my head. So my question is, how do Certificates for SSL work on the ASA? Where does the data transmit and how does an ASA talk to a CA and User for things?
Lets do this basic topology for the discussion:
End User------SSL VPN---> ASA--->Internal CA
So in theory we are supposed to create a certificate and install it on the ASA and then set the outside interface to trust that cert?
How do identity certs and root certs also work out on the ASA? I have instructions that pretty much say
Create RSA key
Create new trustpoint
cry ca auth newtrustpoint
cry ca enroll newtrustpoint
cry ca import ?
So what are all of these steps specifically doing? Also in ASDM it shows a normal Certificate and an Identity Certificate. I can't really figure out the difference between the two. Does one cert talk to the CA and the other identify the ASA to the CA?
My ASA's have the follwing Versions: ASA Version 8.4(3) ASDM Version 6.4(7)Have I a chance to configure a site-to-site tunnel with a hostname as peer address when I will use Identity and CA Certificates?
View 2 Replies View RelatedI want to use a different certificate by connection profile. Is-it possible on ASA 8.4 ?
My first certificate is for vpn.itcom.fr associated to one connection profile and my second is for vpn.newitcom.fr associated to a second connection profile.
I have generated request and our CA server gave us two files, one is certificate from CA itself, one is the certificate CA created for the ACS. I used the "Bind CA Signed Cerficate" under "local certificated"Option to bind the latter. it shows successful.and a web access from any pc will give you error info, "that the security certificate presented by this website was issued for a different website's address." And all the while I dont know how to deal with the other file, which is "Internal CA certificates" I was try to use the first option import server option, but it seems not right,
View 1 Replies View RelatedI have configured MS CA and i setup vpn client and ASA 7.0 to make tunnel with certificates.Same configuration does not work with ASA 8.0 I get error
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
[code]....
Why the key usage is invalid? What certificate template must be used in MS CA in order to get a regular key usage?
I have an ASA5540 running 8.4(3) which has CA and identity certificates from godaddy.com installed, identifying the ASA to VPN remote users (the are using the anyconnect client.) There is also a separate certificate server located on the inside LAN that is used for internal purposes. All client workstations have identity certs from this internal server.
We would like to be able to continue using the existing godaddy CA/identity certs to identify the ASA to the clients, but we'd like to use the internal CA server to identify the clients when they initiate the AnyConnect session to the ASA.
I have seen other postings that state you cannot have more than one vert on an interface, but this is a little different - only one cert needs to be used to identify the ASA. The other one is only to identify the users. The ASA did allow me to import the internal CA cert.
Which certificates do I install on the ASA 5510 ???
I have a Trust External CA Root, Trust Server CA, Extended Validation Secure Server CA and the name of the domain all ending in CRT. Yet the instructions only refer to two certificates ?
I want to use multiple cert (enterprise certs and verisign cert) for authentication in wireless.Users that have their computer in the domain should use EAP-TLS and PEAP (verisign) are for users in the domain but on non-domain computers.I can only enable one certificate in system adminstration->local server certificates-> local certificates to use EAP.I have installed both enterprise and verisign cert in the CA store in User and Identy store and enbled the enterprise cert for EAP-TLS.The EAP-TLS connection works fine when the enterprise cert is enabled for EAP (in local certificates) but PEAP does not. If I enable EAP on the verisign cert in local certificates the enterprise cert get EAP disabled and that authentication stops working av PEAP starts working.
Is the ACS5.2 only able to have one certificate enabled at the time for EAP?
I've tried to piece this together with SSL Remote Access VPNS, Understanding PKI and the Cisco's ASA 5500 Series Chapter 73 Configuring Digital Certificates. Below is a basic config I use to create the CA and ID certs on ASAs. I use the ASA as the CA server. When I export the SSL trust point it doesn't show chaining from the CA. Since there is no chaining when I load the CA certificate in the Root Store I still an SSL Certificate error. Instead I have to load the SSL Trustpoint Certificate.
CREATE CA
crypto ca server
smtp from-address admin@Cisco.local
lifetime ca 3650
lifetime certificate 3650
lifetime crl 24
[code]....
I originally thought it was a problem with enrollment self in the trustpoint, but I cannot figure out the steps to complete enrollment terminal. I got to the steps of crypto ca enroll Identity_Certificate and displayed the certificate request. At that point the sh crypto ca trustpoint Identity_Certificate is pending enrollment. I can not find the command for the CA that allows trustpoint enrollment. If I try to crypto ca export Identity_Cetificate identity-certificateit says trustpoint not enrolled. Of course if I take the enrollment request and attempt to crypto ca import Identity_Certificate certificate it fails because it's not the cert.
We're looking to deploy a certificate-based VPN solution for users with mobile devices (iPhone, iPad, and Android devices at minimum).We currently have CheckPoint firewalls (with VPN capabilities, currently unused), SonicWall, and Aventail devices at our disposal, but would not be against adding new equipment if the solution is secure, easy to deploy, and easy to manage.We want to use client certificates for authentication, though we currently have no infrastructure in place for such a thing.I'm looking for starting points/reference documents to learn to deploy:
* Certificate infrastructure, including a secure and manageable way to deploy certificates to devices, and revoke them if devices are lost or stolen.
* VPN concentrator configuration guides (whether it be Cisco or one of our existing VPN-capable devices).
