Cisco Routers :: SA520 SSL VPN Two Factor Authentication?

Jul 30, 2012

Two factor setup with Symantec VIP? I just finished setting it up, and the VIP Service and SA520 seem to be synchronizing correctly, but the device doesn't direct VPN users for second authentication?


Cisco Security :: VIP Two Factor Authentication With Either SA520 Or SA540?

May 2, 2012

I was very excited to read about the two factor authentication that Cisco and Verisign offer through the VIP and SA500 series routers.  I purchased an SA540 a month and a half ago.  I have been on the phone with support of both Cisco and Verisign ever since.  It appears no one actually knows how to make the product work.  Finally I was told that they have only tested it on an SA520.  So I bought an SA520; however, it doesn't work either. How to use the Verisign VIP two factor authentication with either an SA520 or SA540?  If so, what is the trick?  If not, how is Cisco advertising this product if it doesn't actually work?


Cisco AAA/Identity/Nac :: Two Factor Authentication On ACS 4.x / 5.x

Mar 9, 2011

I would like to know: does Cisco ACS 4.x / 5.x natively support two factor authentication, but not act as a RADIUS proxy?


Cisco VPN :: Two Factor Authentication With ACS 5.1 And Vasco

Jan 2, 2012

How can two factor authentication be implemented using Cisco ACS 5.1 and Vasco?


Cisco :: ASA 5505 Two Factor Authentication With Certificates?

Jun 2, 2011

Has anyone tried to get two factor authentication working with the ASA 5505? I have a CA set up and the enrollment emails are being sent out. But when I go to log in to the enrollment site at [URL], I get a page not found.

I would like to have one factor be a username and password and the second factor being a certificate on the device.


Cisco VPN :: Two-factor Authentication Recommendations For ASA 5510

Dec 19, 2012

I'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?


Cisco AAA/Identity/Nac :: ACS 5.2 TACACS+ And Two Factor Authentication?

May 1, 2013

I want to set up two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?

More info:

- Users from unconnected AD domains will be connecting to the routers and switches.
- There is a certificate server available to generate certificates.
- SSHv2 is the current login protocol.


Cisco Firewall :: Setup SSL VPN With Two-factor Authentication On ASA5510 With Software Version 8.0(4)?

Dec 1, 2009

I am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect. I have imported the CA's root certificate, signed an identity cert for the ASA box and imported it, and assigned the cert ("trustpoint") to the outside interface. Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of whether I have a valid signed cert or not. This is what I see with "debug webvpn 100":
 
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = c98f3940
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!
Embedded CA Server not enabled. Logging out the user.
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
 
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert? Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".

Some highlights from the config:

crypto ca trustpoint ASDM_pfirewall01.company.tld
 enrollment terminal
 fqdn pfirewall01.company.tld
 subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik
 keypair company
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check crl none
 enrollment terminal
 crl configure
  no enforcenextupdate
  no protocol ldap
  no protocol scep
crypto ca trustpoint ASDM_pfirwall01.company.tld
 revocation-check crl
 enrollment terminal
 no client-types
 crl configure
crypto ca certificate chain ASDM_pfirewall01.company.tld
 certificate 02
    30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030
    <snipped rest of cert>
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00e2a6f08003ded6c9
    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886
    <snipped rest of cert>
  quit
crypto ca certificate chain

[code]....


Cisco Routers :: SA520 VPN Cannot Ping

Nov 15, 2011

I am currently trying to configure a Remote Access VPN on a SA520 (Primary Firmware Version 2.1.51) using Cisco VPN Client (Ver 5.0.07.0410)
 
Until now I have connectivity from the SA to the LAN and I can connect using the Cisco VPN Client to the AS:
 
[IKE] INFO:  IPsec-SA established[UDP encap 12856->4500]
[IKE] INFO:  IPsec-SA established[UDP encap 12856->4500]
 
It gives me an IP from the pool but I cannot reach my LAN through ping.


Cisco Routers :: SA520 DHCP Not Working On DMZ

Nov 22, 2011

I am trying to configure the DMZ on my SA520 router but without success. After a lot of tests I reduced everything to a very simple test case that is not working: I set the "Optional Port Mode" to "DMZ" and enabled "DHCP Server" in the "DMZ Configuration", but DHCP on the DMZ does not assign any address. I am wondering if my optional port is broken or not.


Cisco Routers :: SA520 Optional WAN Blocking ISP

Mar 20, 2012

I have a fibre connection on the dedicated WAN which was working perfect until someone somewhere cut through the line. The SA520 fell over to the Optional WAN port which is basic ADSL line which is connected. Logmein client is online too.
 
But it refuses to browse webpages; it appears to be a DNS issue or firewall or both.

I have added the ISP DNS addresses into the forwarders on my server.


Cisco Routers :: SA520 Ipsec VPN Very Unstable?

Jan 30, 2012

We have a Cisco SA520 and we want to use VPN to access the office servers from home. We have been able to configure the VPN server on the SA520; however, the connection is very unstable. We use OS X 10.7 Lion built-in Cisco compatible VPN clients and this is a typical output of ping from a 3G mobile network to a server inside the office network. It works the same way also if I am trying to access from my home ADSL connection, so the problem is not the instability of the 3G connection.

Some sample traffic squeezed:
 
PING ns.svm (192.168.60.27): 56 data bytes
64 bytes from 192.168.60.27: icmp_seq=0 ttl=63 time=98.022 ms
64 bytes from 192.168.60.27: icmp_seq=1 ttl=63 time=76.934 ms
64 bytes from 192.168.60.27: icmp_seq=2 ttl=63 time=278.201 ms

[code]....


Cisco Routers :: SA520 Memory Utilization

Aug 7, 2011

We have a Cisco SA520 router (firmware 2.1.18). We have only been using it for about 1 month now. The router seems OK; it's just that I am worried about the memory utilization, which reaches 62% (144/234 MB). Is this something to worry about? How can I utilize this by lowering down the usage?


Cisco Routers :: SSL VPN Connection Error With SA520?

Oct 23, 2011

I have an SA520 set up and all my users can log in to the SSL VPN tunnel except one user. The laptop is running Windows 7 64-bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!. I have made sure the firewall was turned off. How to get the SSL tunnel connected?


Cisco Routers :: SA520 Diag Light Stays On

Jul 17, 2012

So I went to update the firmware on my SA520 last night and apparently something failed, the device restarted and now it doesn't respond to anything. The Diag light stays lit and the factory reset button does nothing no matter how long I hold it in. Is there another way to reset the device?


Cisco Routers :: Can Native VLAN Be Changed On SA520

Sep 16, 2011

Is PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
 
I have a scenario where I have a pre-existing production LAN of 192.168.1.0/24. It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24, and a guest WLAN of a different subnet (I chose 192.168.20.0/24). The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.

I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default. I created a VLAN 10, 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet. Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN 1, which is pretty annoying).

Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID. Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but I'll take what I can get.

The original production LAN is connected via an unmanaged switch. I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native vlan?) of the SA520 is 1, and I cannot make Port 4 on the SA520 only a member of VLAN 10, then any traffic coming from the unmanaged switch will automatically be tagged with VLAN 1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.


Cisco Routers :: How To Make Vpn Tunnel Between SA520 And Central UC540

Aug 20, 2011

How could I make a VPN tunnel between an SA520 router and a central UC540?


Cisco Routers :: SA520 DHCP Lease Clients Removal

Nov 26, 2012

Is there a way on the SA520 security appliance to remove someone from the DHCP lease clients manually, rather than setting the DHCP lease time to expire in less time, like 4 hours or 2 hours? I was able to do this on other routers by highlighting the connected device and clicking remove. If not, any recommendations on how to handle devices that are attached via DHCP when the person is no longer here, but the lease time is not up? I have set the DHCP lease time to 4 hours.


Cisco Routers :: Re-Route To Static T1 If Ipsec VPN Fails (SA520 / SA540)?

Dec 30, 2011

Is it possible to re-route our Site 2 Site VPN over our Static Route (T1) if the WAN fails?


Cisco Routers :: Unable To Isolate DMZ And LAN Traffic With SA520 Running 2.1.7.1 Firmware

Jan 29, 2013

I am unable to isolate DMZ and LAN traffic with an SA520 running 2.1.7.1 firmware. I have the optional port configured as DMZ and DHCP server enabled. I tried leaving the firewall as default. Also tried creating firewall rules to deny traffic from LAN to DMZ and DMZ to LAN for any address and any service. I am still able to ping devices both from LAN to DMZ and DMZ to LAN. I am also able to see network resources in both directions.


Cisco Routers :: SA520 Firmware 2.1.71 VPN Site-to-site Disconnection

Oct 28, 2012

I have several SA520 appliances, and one of them came with the 2.1.72 firmware and it works perfectly... All the others I upgraded to 2.1.71 (because I was not able to find 2.1.72), which is the latest posted in the Cisco download area. So, is there any way to get 2.1.72? With the 2.1.71 the VPN site-to-site works fine for some time, but later it disconnects and it does not connect until I disable/enable the VPN.


TCP Window Scaling Factor Not Always Set In SYN Request?

Jul 10, 2011

I am facing strange behavior in Windows 7 and Windows Vista. I have a client program on my PC and a server program outside the network. I can see that sometimes TCP window scaling is working and sometimes not. In the first log, after the 3-way handshake is established, I can see data transfer happening, because from the log I can see it is setting the scaling factor.

But for some cases where I see that the connection happened but data transfer is not happening (maybe my network does not work without scaling..), I can see my Windows TCP stack has not set scaling in the SYN request. Hence in the 2nd log I can see "Scale factor not supported"... though I enabled scaling in my Windows.

You can see in the 2nd log :: [ Win=8192 ( ) = 8192 ] - not setting the scaling factor sometimes. How to fix this issue so that Windows 7 / Vista always sets scaling in the SYN request?

My TCP Settings :::

Receive-Side Scaling State : enabled
Chimney Offload State : automatic
NetDMA State : enabled

[code].....


Cisco WAN :: 1811 How Will OSPF And VRRP Factor-in To Such A Setup

Sep 29, 2012

I currently have a working metro ethernet connection between our main office and a branch office. I am tasked with building a redundant route for this site, in case the metro-E line goes down. We are purchasing two cable internet lines at each site and I plan on buying two Cisco routers to do the VPN tunnel via the new cable Internet connection. The metro ethernet connection currently has two HP 3500s on each atm. 2 questions:

-How will OSPF and VRRP factor-in to such a setup?

-What Cisco routers are recommended that can utilize this protocol? 
 
The HP 3500s can do either OSPF or VRRP. I have been purchasing and setting up refurbed Cisco 1811 routers for other VPN tunnels and they work great.


Cisco Firewall :: Going From PIX 501 To SA520

Jun 22, 2011

How do you convert a PIX 501 configuration to use on an SA520? I do not know how to use a GUI, I am a CLI guy. Can a PIX 501 config be used on an SA520?


Cisco VPN :: SA520 / How To Get NetBIOS To Go Over VPN Connection

Apr 1, 2012

I am using the Cisco VPN client to connect to the SA520 router. When I am connected I have split tunneling working, so I can surf the internet and I can also access the server on the remote network by IP and full DNS name, but I cannot do it by NetBIOS. I have been trying to get our domain suffix on the VPN client, but nothing I have tried is working.
 
1. the remote network domain as the connection specific dns suffix or
 
2. how to get netbios to go over the vpn connection


Cisco Routers :: SB RVS4000 - 802.1x Authentication For WAN Port?

Sep 17, 2010

Does the Cisco SB RVS4000 router support 802.1x authentication for the WAN port?


Cisco Routers :: Using Radius Authentication For VPN On RV042?

Nov 6, 2011

I am trying to set up an RV042 for a Client VPN using AD / RADIUS authentication. When it was purchased I saw RADIUS listed as a feature on it, but I'm not seeing a way to set this up.
 
[URL]
 
I have upgraded to the latest firmware, I have a VPN working with accounts on the router that I manually create, but am not seeing any place to configure RADIUS.


Cisco WAN :: SA520 - Load Balance Status

Apr 22, 2011

We configured SA520 load balance with 2 ISPs, 2mb+2mb. How to check the status of the load balance on the SA520?


Cisco VPN :: Dynamic From SA520 To ASA5510 With Static IP

Sep 7, 2011

Is it possible to configure a Site to Site VPN from an SA520 with Dynamic IP (DSL) to a Cisco ASA5510 with static IP? I need to make sure about this because I am trying to sell this solution to a customer with two branch offices with DSL connection and a Main Office with Metroethernet.

I know that using a pre-shared key on the defaultl2lgroup of the ASA, the ASA will accept any site to site VPN. I have tried this with the ASA 5505 instead of the SA500 for the branch office, but the ASA5505 is too expensive for my customer.


Cisco Firewall :: Public IP Addresses On DMZ (SA520)

Feb 29, 2012

I just bought an SA520 to replace my existing FW.
 
The thing is that I have private IP addresses on my LAN, and I have been issued a public IP network for my DMZ by my ISP.

Meaning I want to NAT my LAN but not my DMZ, but I can't seem to find a way in the 520 to do that. I can only find the option to turn off NAT altogether.


Cisco Routers :: PEAP Authentication Failure With RV120W

Jul 31, 2012

I have a Cisco Small Business RV120W and I set up the RADIUS server, WPA2 Enterprise with a Windows 2008 NPS RADIUS server. The big problem is that the authentication fails. This is the error that I see in event viewer / server roles / Network policy and access services: reason-code 49 "The connection attempt did not match any connection request policy". The RADIUS key is matching between the server and the client. The RADIUS server is reachable and I don't find any routing issues. Has anybody tested this router with this type of wireless security?


Cisco Firewall :: SA520 Blocking Incoming Calls?

Nov 8, 2012

I have an SA520 that is being used as a front end firewall. Behind it I have an IP PBX. The VOIP providers are registered and I can make outgoing calls. However, it appears that the SA520 is either blocking or not routing the calls. I have opened the ports recommended by both the IP PBX and the VOIP provider. What do I need to do to make incoming calls through the SA520?


Cisco VPN :: Can't Access LAN Resources Through VPN To SA520 To Manage UC320W

Sep 6, 2012

I want to use Cisco VPN Client to VPN to my SA520 to manage a UC320W. I can establish a VPN connection to the SA and ping both the SA and a switch that I have on the network, but I cannot ping my UC. I've set up firewall rules to allow ANY-ANY access from LAN-WAN, and a WAN-LAN rule to allow a certain range of IP addresses (the IP addresses assigned from the VPN DHCP pool, in this case, 192.168.12.x) access to the UC.
 
My SA IP address is 192.168.75.1 and my UC is 192.168.75.2 (I can ping both when I am directly connected to a LAN port on either equipment).








Copyrights 2005-15 www.BigResource.com, All rights reserved