Cisco Security :: How To Renew Self-Signed ACS 3.3 Cert Used For PEAP

Mar 29, 2006

We currently are using a self-signed cert (for PEAP machine authentication) that was created on an ACS 3.3 appliance.  That cert was manually installed on our laptops when they were configured for wireless conenctivity.My problem is, that self-signed cert will soon be expiring and I am not sure what needs to be done to issue a new cert AND deploy it to my Windows XP Pro clients without a service interruption.  If possible, I'd like to leverage our exsiting AD infrastructure for this, but I need some direction, and time is of the essence!!

View 2 Replies


ADVERTISEMENT

Cisco VPN :: Using A Publically Signed Cert On ASA 5505

May 1, 2013

I am wanting to use a cert signed by a digicert or verisign on my ASA so that anyconnect doesn't frreak out with the untrusted cert. I have created the CSR, and I uploaded the certificate, but it is still showing the old self signed untrusted cert.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: 5508 ISE Integration With PEAP (Server Side Cert)

Oct 20, 2012

We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server. We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....
 
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert). I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.)Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?

View 8 Replies View Related

Cisco :: How To Export Cert From WLC 4402

Apr 1, 2013

I installed a chained SSL cert on our anchor/guest 4402 a few years ago.We now have a need to replace the 4402 w/ a 5508, and I got everything configured, ready to go, except that darn cert.I can no longer locate the private key that was used to sign the original CSR.Is there any way to export the current cert from the 4402, so that I can import to the 5508? Or am I SOL?

View 3 Replies View Related

Cisco :: Can LMS 4.0 Use CA Certificate Instead Of Self-signed

Apr 4, 2012

I've been reading over the documentation, but only see instructions for using a self-signed certificate for SSL.  Or even trusted certificates between LMSes.  But I can't seem to find anything on LMS 4.0 using a Certificate Authority.  And I have a security requirement to do so.
 
Is this possible in LMS 4.0?

View 3 Replies View Related

Cisco VPN :: Cut-n-paste Cert Enrollment With MS 2003 CA?

Aug 14, 2005

When trying to do a cut-n-paste enrollment of a cisco 3725 router with a microsoft windows server 2003 CA i get the following error on the CA.Certificate Services denied request 8675 because The request subject name is invalid or too long. 0x80094001 (-2146877439).  The request was for OID.1.2.840.113549.1.9.2=rtr31slied3.unit4agresso.com.  Additional information: Error Constructing or Publishing Certificate This is when i use the router or webserver certificate.The only template that does work is the user certificate but then you get error messages that the router name doesnt match the cert name.The 3725 is running ios version 12.3(14)T3.How can we get the right templates to work ?

View 3 Replies View Related

Cisco VPN :: ASA 5510 / Wildcard Cert - Only Have CER File

Dec 5, 2011

how to install a wildcard certificate with only the .cer file.  I've found quite a few things here in the forums, but everyone seems to also have a pkcs12 file, which I do not. 
 
This is an ASA 5510 on ver 8.4. 

View 6 Replies View Related

Cisco Application Networking :: CSS 11503 And SAN Cert

Oct 14, 2012

I know that CSRs cannot be generated with multiple names, but if the SAN is added after the cert is ordered from Geo Trust, Veri sign, etc. can the CSS support using the cert?

View 1 Replies View Related

Cisco VPN :: 871 - Import A Self Signed Certificate

Sep 27, 2012

Can I import a self signed certificate from a Cisco 871 router to a Cisco ASA 5505? The 5505 replaced the 871 and I have a VPN that goes to another company that we have a connect to. The device on the other end is a VPN concentrator ( I do not have access to modify this device without going through multiple channels.) I only need to mimic this device for the site to site VPN tunnel only. It appears that there are no pre-shared keys only a self signed certificate.         

View 1 Replies View Related

Cisco :: Upload Signed Certification To LMS 4.2.2

Oct 14, 2012

I would like to upload the signed certification to LMS 4.2.2.After checking ( 4. option ) I choosed the 6. option  and press "y" for questions and the perl script is freezing.  

View 2 Replies View Related

Cisco VPN :: ASA 5545-X / Cert And AD Authentication Using AnyConnect 3.0.xxxx?

May 29, 2012

I have a need to utilize two factor authentication using a machine certificate and users AD crednetials.  What we would like to do is to have the ASA and AnyConnect verify the certificate exists, check against our in house CA for validity, if valid pass the user credentials to the AD servers and establish the tunnel. If not valid quarantine the session and pop a message to the user to contact the help desk ASAP.  My guess is the following (using ASDM 6.6, ASA 8.6.1, ASA 5545-X):
 
1. under the connection profile I have select BOTH for authentication and added a AAA server group.

2. under Cert Management I have added the 3 certs that are present on all company mobile assets

     - Cert America
     - Cert Europe
     - Cert Root

3. I have an identity cert installed from the company CA and it is selected as the device cert under connection profiles

4.Local Cert Authority is Disabled

5.Under Remote Access>Advanced>Certs for AnyConnect>

- I have mapped DefaultCertifiateMap pri 10 to Company_Cert connection profile

- The mapping is looking for Subject: CN: <Contains> (string) ----where string is a common component of each Cert listed in #2.
 
Question #1 - Is this correct for utilizing certs and AD auth or have a missed any steps?
 
Users are directed to a an initial installation URL - where the AnyConnect client performs the installation and passes down the intial AC profile which auths using only AD creds.  On subsequent connections users who pass the certificate mapping check are migrated to the connection profile which uses the dual authentication method. 
 
Question #2 - When I attempt a new installation of AnyConnect using the two factor URL . I receive an error "certificate validation error" and the installation fails - for the life of me I can not figure out why????  The machine has all three certs, using IE9 as the browser.

View 3 Replies View Related

Cisco Firewall :: Installing A Wildcard Cert On ASA 5500

Apr 15, 2013

I am basically looking to install the wildcard on the outside interface for my ASA

View 1 Replies View Related

Cisco :: 5508 Web-Auth Cert Crashing When Loaded

Sep 24, 2012

I have a cisco 5508 WLC that I have setup WebAuth on and trying to install the certificate on.  I have generated the csr and gotten my cert from Verisign (X.509, server platform=apache).  I have followed the instruction via the cisco documentation url...I found an error in uploading and find out how to encrypt mykey: url...

I am also having exactly the same issue with a certificate from Thawte.  I followed the unchained guide and have tried both with and without a password in the initial step key generation step, requesting a new cert each time. As with Jeensernchew's issue there are no errors in OpenSSL but when uploading the cert to the WLC get the following error. [code] The WLC is running version 6.0.196.0.  I am using OpenSSL 1.0.0 29 Mar 2010.
 
When I requested the cert from Thawte I was asked to specify the device type, I chose Cisco, but as all the work and conversion is being done by OpenSSL, should I have chosen differently? When I do this I can load the cert in the 5508, but the controller fails and doesn't allow that VLAN or config access to the wireless network.  I am at a loss of why I can load and it not work.  I have verified my hostname and password and those are good.

View 1 Replies View Related

Cisco VPN :: Anyconnect 3.1 Untrusted Server Cert With Wildcard

Jan 21, 2013

I've seen a bunch of discussions on the untrusted server cert error with self signed certs.  But I have a valid wildcard that I use on my ASA.  How do I make that work with out the untrusted server cert error?

View 5 Replies View Related

Cisco Wireless :: Installation Of PFX Cert On AIR-WLC2125-K9 Controller?

Mar 7, 2012

I have a client that needs to update a certificate on their 2125 controller. They have created a .pfx cert that does not work because of file type. I wanted to see what the best pratice would be for me to follow installing this cert and do I need any additional cert like a CA. I found a document but am not so sure that it is exactly what I need.

AIR-WLC2125-K9 : JMX1248K0EL
System Information
Manufacturer's  Name.............................. Cisco Systems Inc.
Product  Name..................................... Cisco Controller
Product  Version.................................. 6.0.188.0
RTOS  Version..................................... 6.0.188.0

[code]....

View 2 Replies View Related

Cisco :: Reloading Renewed 3rd Party Cert On WLC 5508?

Apr 22, 2012

So since my web auth cert is expiring I got it renewed from VeriSign and they sent me back the file.  Do I need to again combine the "myprivatekey.pem" file and the new one that I got and then load it on the WLC?  Can't find any guidelines and instructions from Cisco on this.  Or do I need to go through the whole regenration of CSR process again etc? 

View 3 Replies View Related

Cisco :: ACS 5.3 / Self Signed / Certificate Base Authentication

Oct 17, 2012

Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.We have exported it to have a Trusted Certificate for client machine.
 
This certificat has been installed on a laptop.The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)I have this error in the log:
 
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain.I think the Access Policies (identity & authorization) are misconfigured: [code]

View 1 Replies View Related

Cisco Application :: CSS-11500 - Use SSL Cert In Proxy List For Same VIP But On Different Port?

Aug 16, 2012

Am I able to use an SSL cert in the proxy list for the same VIP but on a different port?  

View 1 Replies View Related

Cisco Firewall :: Installing Signed Certificates Into ASA 5510

Apr 18, 2012

I am running Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.4(1).  This will be used as a VPN gateway.  I am having troubles installing our cert.  I can install the cert, but it never connects witht he correct key.  It references trustpoint0 when it is trustpoint1.  I deleted all trustpoints and it still happens.  That.vpngw4# sh run | begin rustcrypto ca trustpoint ASDM_TrustPoint0crl configurecrypto ca trustpoint ASDM_TrustPoint1keypair ASDM_TrustPoint0crl configurecrypto ca certificate chain ASDM_TrustPoint1certificate 0f8e62    308203d5.8c  quitI deleted both trust points and when I do a  sh run both are gone, but when I then import the cert (via ASDM) it creates trustpoint0 again.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 7925 ISE Cannot Run Multiple Signed CA In Store

Jun 4, 2013

Using Sha1 for Cisco 7925g and sha256 for data. Two separate CA's, one EnTrust (SHA1) the other Local Wondows CA (SHA256); ISE can only use one at a time to process a particular protocol (ie..EAP-TLS, HTTP, etc...) As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).

View 5 Replies View Related

Cisco :: 5508 Unable To Upload Signed Certificate

Jul 1, 2012

I have two Cisco WLC 5508 controllers that I'm trying to set-up for our new corporate WLAN. I've gone through most of the configuration fine but have ran into an issue uploading a signed certificate to one of my controllers. I should point out that I have managed to upload the certificate successfully to one of the controllers, I just can't seem to upload it to the second.The issue is as follows:
 
- I've logged into the controller, gone to Security -> Web Auth -> Certificate -> Download Certificate
- I've specified my tftp server details and selected apply
- the process begins and I can see through my tftp client that the controller is attempting to copy and install the certificate
- The controller tries to install the certificate but fails, reporting the same

View 9 Replies View Related

Cisco :: 2048 - Self-Signed Certificate And Init 6 Process

Feb 16, 2012

I have a doubt about CiscoWorks. I need to generate the self-signed certificate with a key of 2048 bits to generate a CA with VeriSign. CiscoWorks do this automatically with a key of 1024 bits and I do not find a form to elect a a diferent key. Is it possible to generate a certificate with 2048 bits key?

Another problem is that I have CiscoWorks installed on Solaris. Many times at day the web application does not work and the only way to recuperate it is with the command "init 6" and I have to way 15 minutes until I can have access again. Why is produced this error? Who can I fit it?

View 1 Replies View Related

AAA/Identity/Nac :: ACS V5.2 New Self Signed Certificate Not Showing In Browser

Nov 11, 2012

I have just renewed the self signed certificate on a v5.2 ACS and expiry date of 2013 is showing in the ACS GUI. However, when I start an ACS Admin session and view the certificate information in the browser it is showing the old expiry date of 2010. I have tried this in IE and Firefox and the certificate information is the same.
 
Is there a way I can get the browser to pick the new certificate ?

View 1 Replies View Related

Cisco Routers :: RV120W - Create New Unique Self-signed Certificate?

May 9, 2012

how to create new unique self-signed certificate on RV120W? I can create request for singning by external CA, but I cannot create new unique self-signed certificate itself.

View 2 Replies View Related

Cisco Wireless :: RV180W - Generate Proper Self Signed Certificate?

Dec 19, 2012

Right now the Self-signed Certificate on my RV180W generates errors as it was issued to the MAC address instead of the current IP address. Need instructions on Generating a Self-Signed certificate (or 1 from my Windows Server 2012 Certification Authority) that will eliminate the constant barreage of certificate errors I get when trying to access the management interface of my device?  the internal domain is mythos.local, netbios name of MYTHOS, and the device name in question is surtur.

View 2 Replies View Related

Cisco Routers :: Self-signed Certificate With RV220W And QuickVPN Client?

Nov 21, 2011

The establishment of IPSEC tunnel between the RV220 and QuickVPN client works properly with the security certificate of origin of the router.RV220 V1.0.3.5QuickVPN V1.4.2.1
 
Since the establishment of a security certificate self-signed, the RV220 and QuickVPN client refuses to work together .

Here are the log of the QuickVPN client

2011/09/27 12:45:14 [STATUS]OS Version: Windows 7
2011/09/27 12:45:14 [STATUS]Windows Firewall Domain Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON

[code].....

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS5 / One User / Two Credentials (external Token Versus Cert)

Nov 30, 2011

I have ACS4 and i am planning to upgrade to ACS5.I would like to have such a rules:I have user1, one ASA device which is VPN concentrator for remote users.ASA have two different tunnel-groups: one which allow for logging via certificate (with mandatory pki authorization thru ACS) with disabled Xauth,and second tunnel-group with allow login thru typical Xauth with authorization thru ACS which users external database (RSA Tokens).So i have one user1 which can login thru VPN using RSA tokencode or certificate.For example: on phone user1 uses certificate, and on PC station the same user1 uses token password.For tunnel-group with pki authorization ASA checks username in ACS and in typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for pki authorization, and second one external database (RSA token).Is such scenatio possible under ACS 5 ? where one user uses different credentials based on tunnel-group usage ?

View 2 Replies View Related

Linksys Wireless Adapters :: WMP300N V2 Drivers Not Digitally Signed

Apr 27, 2012

Yesterday I contacted live support with the problem that my network driver is crashing and giving me BSODs because of this when my download speed reaches above 5.5MBps.[url]...When I try to install those drivers, I first get a warning that the drivers aren't signed. I press "Continue" to dismiss the message but still at the end it fails to install and gives me the message "The drivers can not be loaded because they are not digitally signed", leaving you with a useless device.I bypassed the check windows is doing by turning off the check by running Windows in "Test Mode". I have test-signed the drivers myself that allowed me to install them. Now my device is working and not giving me BSODs anymore.
 
What I want is the drivers to be digitally signed by linksys/cisco. I think it's very unprofessional to distribute unsigned/useless drivers to customers. I am lucky that I am somewhat more experienced with this stuff, but what about people that are not? I think everybody should be able to install the latest drivers without any problems, without the need to hack into windows.I hope to see new drivers soon, or the same drivers but then digitally signed so I can turn off "Test Mode" again removing this ugly watermark in the bottom right corner.

View 9 Replies View Related

D-Link DIR-615 :: Losing Connection With It For Moment Then Automatically Signed Back On

Jun 6, 2011

he will lose connection with his chat programs for like 2 minutes then automatically be signed back on. He says he notices no other connection loss, but notices that sometimes his streaming will lag or games will lag. His ISP is Armstong (?) and he's wired to the router. XP OS.

View 3 Replies View Related

Cisco Firewall :: ASA5520 HTTPS SSL Certificate Signed Using Weak Hashing Algorithm

Oct 18, 2011

I am support one client for,  whom falls under Security  scans mandatory for new implementation of ASA 5520 device.  The client uses Nessus Scan and  the test results are attached.The Nessus scanner hit on 1 Medium vulnerabilities.

View 2 Replies View Related

Cisco Wireless :: PEAP 802.1x ACS 5 Timed Out?

Apr 12, 2012

I see many errors in the ACS 5.1(or 5.3) :5411 EAP session timed out..Becasue I checked the "remember my username and password everytime login" in the wireless network properties, and I can succeed to login finally. but in the ACS will see many errors like ”5411 EAP session timed out“
 
(Cisco Controller) >debug client 58:1f:aa:8f:ea:44 
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP-Request/Identity to mobile 58:1f:aa:8f:ea:44 (EAP Id 1)
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received Identity Response (count=1) from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 EAP State update from Connecting to Authenticating for mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 dot1x - moving mobile 58:1f:aa:8f:ea:44 into Authenticating state

[code]....

View 2 Replies View Related

Cisco :: WLC 4402 Not Implementing PEAP?

Jul 24, 2011

I was able to successfully implement MS-PEAP authentication with 5508 WLAN controllers and Cisco ACS v4.2. However, when I integrated 4402 WLC with version code 7.0.116, it did not pass across any authentication requests. Did a debug aaa events enable and there was no output. Configured another SSSID with PSK to test that my controller was OK and aaa debug was working, and there were CLI messages when I associated an AP.
 
why the 4402 is not working as I have compared configs with the 5508 and there is no difference. The shared secret is configured on both ACS and Controller and CA is downloaded on the ACS.

View 5 Replies View Related

Cisco :: 802.1x PEAP Certificate Options?

Nov 12, 2012

I was pondering on getting a certificate fro ma public CA to maintain easier configuration for end users. There will be a multitude of devices on this wireless network configured with 802.1x PEAP. (iPhones, iPADs, Droids, and PC's of course).
 
If you were to get a certificate from a public CA, I'm assuming this would be just a regular server certificate from GoDaddy, or Verisgn?  

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved