I installed a chained SSL cert on our anchor/guest 4402 a few years ago.We now have a need to replace the 4402 w/ a 5508, and I got everything configured, ready to go, except that darn cert.I can no longer locate the private key that was used to sign the original CSR.Is there any way to export the current cert from the 4402, so that I can import to the 5508? Or am I SOL?
I am wanting to use a cert signed by a digicert or verisign on my ASA so that anyconnect doesn't frreak out with the untrusted cert. I have created the CSR, and I uploaded the certificate, but it is still showing the old self signed untrusted cert.
When trying to do a cut-n-paste enrollment of a cisco 3725 router with a microsoft windows server 2003 CA i get the following error on the CA.Certificate Services denied request 8675 because The request subject name is invalid or too long. 0x80094001 (-2146877439). The request was for OID.1.2.840.113549.1.9.2=rtr31slied3.unit4agresso.com. Additional information: Error Constructing or Publishing Certificate This is when i use the router or webserver certificate.The only template that does work is the user certificate but then you get error messages that the router name doesnt match the cert name.The 3725 is running ios version 12.3(14)T3.How can we get the right templates to work ?
how to install a wildcard certificate with only the .cer file. I've found quite a few things here in the forums, but everyone seems to also have a pkcs12 file, which I do not.
I know that CSRs cannot be generated with multiple names, but if the SAN is added after the cert is ordered from Geo Trust, Veri sign, etc. can the CSS support using the cert?
I have a need to utilize two factor authentication using a machine certificate and users AD crednetials. What we would like to do is to have the ASA and AnyConnect verify the certificate exists, check against our in house CA for validity, if valid pass the user credentials to the AD servers and establish the tunnel. If not valid quarantine the session and pop a message to the user to contact the help desk ASAP. My guess is the following (using ASDM 6.6, ASA 8.6.1, ASA 5545-X):
1. under the connection profile I have select BOTH for authentication and added a AAA server group.
2. under Cert Management I have added the 3 certs that are present on all company mobile assets
- Cert America - Cert Europe - Cert Root
3. I have an identity cert installed from the company CA and it is selected as the device cert under connection profiles
4.Local Cert Authority is Disabled
5.Under Remote Access>Advanced>Certs for AnyConnect>
- I have mapped DefaultCertifiateMap pri 10 to Company_Cert connection profile
- The mapping is looking for Subject: CN: <Contains> (string) ----where string is a common component of each Cert listed in #2.
Question #1 - Is this correct for utilizing certs and AD auth or have a missed any steps?
Users are directed to a an initial installation URL - where the AnyConnect client performs the installation and passes down the intial AC profile which auths using only AD creds. On subsequent connections users who pass the certificate mapping check are migrated to the connection profile which uses the dual authentication method.
Question #2 - When I attempt a new installation of AnyConnect using the two factor URL . I receive an error "certificate validation error" and the installation fails - for the life of me I can not figure out why???? The machine has all three certs, using IE9 as the browser.
I have a cisco 5508 WLC that I have setup WebAuth on and trying to install the certificate on. I have generated the csr and gotten my cert from Verisign (X.509, server platform=apache). I have followed the instruction via the cisco documentation url...I found an error in uploading and find out how to encrypt mykey: url...
I am also having exactly the same issue with a certificate from Thawte. I followed the unchained guide and have tried both with and without a password in the initial step key generation step, requesting a new cert each time. As with Jeensernchew's issue there are no errors in OpenSSL but when uploading the cert to the WLC get the following error. [code] The WLC is running version 6.0.196.0. I am using OpenSSL 1.0.0 29 Mar 2010.
When I requested the cert from Thawte I was asked to specify the device type, I chose Cisco, but as all the work and conversion is being done by OpenSSL, should I have chosen differently? When I do this I can load the cert in the 5508, but the controller fails and doesn't allow that VLAN or config access to the wireless network. I am at a loss of why I can load and it not work. I have verified my hostname and password and those are good.
We currently are using a self-signed cert (for PEAP machine authentication) that was created on an ACS 3.3 appliance. That cert was manually installed on our laptops when they were configured for wireless conenctivity.My problem is, that self-signed cert will soon be expiring and I am not sure what needs to be done to issue a new cert AND deploy it to my Windows XP Pro clients without a service interruption. If possible, I'd like to leverage our exsiting AD infrastructure for this, but I need some direction, and time is of the essence!!
I've seen a bunch of discussions on the untrusted server cert error with self signed certs. But I have a valid wildcard that I use on my ASA. How do I make that work with out the untrusted server cert error?
I have a client that needs to update a certificate on their 2125 controller. They have created a .pfx cert that does not work because of file type. I wanted to see what the best pratice would be for me to follow installing this cert and do I need any additional cert like a CA. I found a document but am not so sure that it is exactly what I need.
AIR-WLC2125-K9 : JMX1248K0EL System Information Manufacturer's Name.............................. Cisco Systems Inc. Product Name..................................... Cisco Controller Product Version.................................. 6.0.188.0 RTOS Version..................................... 6.0.188.0
So since my web auth cert is expiring I got it renewed from VeriSign and they sent me back the file. Do I need to again combine the "myprivatekey.pem" file and the new one that I got and then load it on the WLC? Can't find any guidelines and instructions from Cisco on this. Or do I need to go through the whole regenration of CSR process again etc?
We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server. We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert). I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.)Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?
I have ACS4 and i am planning to upgrade to ACS5.I would like to have such a rules:I have user1, one ASA device which is VPN concentrator for remote users.ASA have two different tunnel-groups: one which allow for logging via certificate (with mandatory pki authorization thru ACS) with disabled Xauth,and second tunnel-group with allow login thru typical Xauth with authorization thru ACS which users external database (RSA Tokens).So i have one user1 which can login thru VPN using RSA tokencode or certificate.For example: on phone user1 uses certificate, and on PC station the same user1 uses token password.For tunnel-group with pki authorization ASA checks username in ACS and in typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for pki authorization, and second one external database (RSA token).Is such scenatio possible under ACS 5 ? where one user uses different credentials based on tunnel-group usage ?
I'm trying to migrate old data from WCS 7.0 to Prime 1.2 ... I have already created the zip file from WCS and imported it into the defaultRepo on Prime. I see it in the directory when I do a show repository defaultRepo so I have confirmed that it is there. My issue is that it appears Prime 1.2.1.012 won't accept the cli command of ncs migrate.
how I can proceed with the migration? I haven't been able to find any similar command in the Prime CLI so at this point I'm lost as to where I should go from here. I really don't want to have to tell the customer they have to downgrade to Prime 1.1 in order for them to perserve their maps especially since the Deployment Guide for Prime Infrastructure states that it is possible to migrate date from WCS 7.0 to Prime 1.2 as shown below ...
Data Migration # Data can be migrated from WCS 7.0, NCS 1.1, or LMS 4.x. More details on migrating data from each of these applications are spelled out in the following sections.
I have done a WCS 7.0.220.0 to NCS migration prior to moving to Prime 1.2. I followed the instructions to export the WCS database via the export.bat all command and exported the database. However, when I import this zip fileto NCS there do not seem to be any of the original WCS templates. All the maps and AP details have migrated but no templates.
I have tried the export again and ploughed through the resultant zip file looking for anything that looks like template files but there is nothing immediately apparent that looks like templates.
See no devices both in DCR and RME, besides, in RME device counters (Normal/Pending/etc) are equal to current device count, but then you try to select them for any operation, you unsucceed - 0 device selected, no list of devices, unable to export, no ability to do anything.
Upgraded to 3.2 SP1, no change. Spend a lot of time digging through logs at /usr/adm/CSCOpx/logs, find no problems at all. Seems, that some database parts were corrupted.
I decided to reinstall LMS from the scratch, but to do so I need to export the DCR device data and credentials.
Database is alive (dbaccess.pl install going smoothly, then connection with user lmsdatafeed works and allows to connect and select data from any SQL tool), but this view is not enough for getting from the DCR both device data and credentials.
I have the DB password I set up during installation.
Is there any way to get data I need connecting to LMS database directly with some kind of sysdba SQL database user?
I'm moving from a 5505 to a 5520 and moving to a different location. I have a certificate on the 5505 that I want to export to the 5520.Can I export that key/certificate and import to the new ASA? Is there a problem since its a different location with a different IP ? (Domain name is the same, I moved the name on the DNS also)Do a have to re-do the signing process with the CA ?
I am trying to export our network devices from ACS and I can't find out where it is exporting it. Under ACS 5.2 "Network ResourcesNetwork Devices and AAA Clients" you get the list of your network devices and at the bottom of the page there is an export button. When you click it you are given an option to password protect it which I didn't check the box and I pressed Start Export. The window flickers like it processed the request, but nothing happens. There isn't any pop-up to download the CSV. I have also tried setting up a software repo thinking it might just send it to that, but it didn't work either.
How to export Air Quality reports from a 5508? I'm pretty sure I have read that we can not look back in time at the Air Quality report from the WLC, but can from NCS. If NCS was in the picture, can the Air Qaulity Report somehow be exported?
cisco 2651XM router with WIC1 adsl card and NM-16ESW switch IOS: c2600-ipbasek9-mz.124-23.bin
I use the following config to export traffic from the adsl card to a fasterthernet port so I can look at the adsl traffic in wireshark on a pc:router(config)#ip traffic-export profile my_rite router(conf-rite)#int FastEthernet 0/0 router(conf-rite)#bidirectional router(conf-rite)#mac-address abcd.efgh.ijkl (mac address of PC) router(conf-rite)#exit router(config)#int dialer0 router(config-if)#ip traffic-export apply my_rite this config works and I can see stuff going on in wireshark but it's only one way. This config only shows traffic going out from my adsl card, but no incoming. There is defintely traffic going both ways because everything about my adsl connection is working perfectly. I've tried using a different fastethernet port, even tried exporting to a different pc but all I see is outgoing ie: source is my public ip address but never as destination . I have bidirectional in the config but it still only shows outgoing. I even tried a different IOS (c2600-adventerprisek9-mz.124-15.T8.bin) but still it doesn't show incoming traffic. Could it be my ISP in some way hiding incoming traffic from view?
Creating several Inventory-Report Templates via Report Designer I was asking myself how to export/import these templates for use on other systems, performing backup.
I am using a Thrid party NetFlow tool, Enabled NetFlow on the Cisco 6500 as per recommendations and getting only half amout of traffic passing thorugh the interfaces. I have verified with 3 different NetFlow based tools, everything showing the same value. Is there any bug in my Cisco 6500.
I´m wondering if it`s possible to export the defualt web auth portal(web login page) via tftp to a computer from the Cisco WLC 5508 and then modify it and then import that customized portal to the WLC 5508?
I want to export the ACS local user's records.Then import to other ACS5.3 server.But the export file not the user's password record.I cannot import it well....
I have new ASA 5520 units currently we are using ASA 5510... I have to migrate all the configuration to the new ASA 5520 units....I am wondering is there a possible way to export and import certificates from ASA 5510 to 5520....
how to export or copy all the configurations, plug-ins, certificates from 5510 to 5520.Existing configuration snapshot...CA certificates from third party installed for authentication and identity certificate from Verisign
We are trying to sniff traffic in one of our routers 2811 IOS 12.4(3f) capturing data into the flash memory and tftp later to one of our servers. We had followed the command procedure as it is indicate in Router IP Traffic Export Packet Capture Enhancements doc but it seems that the mode capture option is not alllowed in my router. My question is Why? I had read the doc and the hardware and software should support this feature.
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
yourname uptime is 2 weeks, 4 days, 22 hours, 14 minutesSystem returned to ROM by power-onSystem image file is "flash:c2800nm-ipbase-mz.124-3f.bin"
Cisco 2811 (revision 53.51) with 251904K/10240K bytes of memory.Processor board ID FCZ104174196 FastEthernet interfacesDRAM configuration is 64 bits wide with parity enabled.239K bytes of non-volatile configuration memory.62720K bytes of ATA CompactFlash (Read/Write)
I have an ACS applicance that had a version 5.1 and i did an upgrade to 5.3 with latest patch.For some reason, the runtime process got stuck in (reinitializing and restarting) state.i did the recommended action to perform ACS stop and ACS start and even hard reset of the appliance, but it did not cut itThis process turned out to be a bug and it should have been fixed in version 5.3, but it has not i guess
i know that acs reset-config will solve the issue, but i have a problem here , the license file will be deleted as well with the config and i cannot find a way to export the license and then import it into the reseted config ACS hardware. Unfortunately, the license file is not saved anywhere in the company and i cannot affort to lose it.how to export the license from the applicance (CSACS-1120)?
I have three ASA5505, two firewalls connected to central VPN hub. the central inside network is 192.168.0.0/24,Network A is 192.168.1.0/24,Network B is 192.168.2.0/24,In one of this site (central), I have server with NetFlow collector.,I will collect the traffic information from all ASA at the my one serverCan I configure source IP address (or source interface - inside) for NetFlow packet, originate from ASA? (for example from site A)If it is not possible I think, I can rewrite my access lists and permit udp traffic from outside interface to server IP like this:access-list VPNACL permit udp host <Outside IP site A> host <Inside IP the Server> eq 9996,But I do not understand, what port I must be use in access list on Central site ASA. ,access-list VPNACL_A permit udp host <Inside IP the Server> host <Outside IP site A> eq 9996 ? or, in this place, must be source port in the udp netflow packet?
To enable netflow export on ASR1001, do i need the firewall feaure license or not ?Docs are not really clear, NBAR requires FW license, but i am unsure about Netflow?
I try to export a Detailed Device Report to a CSV. It failes:
<HTML><META HTTP-EQUIV="content-type" CONTENT="text/html;charset=utf-8"> <H1>HTTP Status 500 - </H1><HR SIZE=1 noShade> <P><B>type</B> Exception report</P><P><B>message</B> <U></U></P><P><B>description</B> <U>The server encountered an internal error () that prevented it from fulfilling this request.</U></P><P><B>exception</B>
[code].....
Exporting to PDF works OK.CW is running on Windows server. RME is 4.3.1