Cisco Switches :: ESW-540-24p - Switch Refuses EAP Certificate Authentication
Jan 26, 2012
The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server. The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:EAP-TLS, EAP-FAST, PEAP Smart Card, I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works. In both cases the radius server logged a EAP Timeout. Again this only happens when any EAP method or version of authentication used deals with certificate authentication.Only with the 3 Cisco small business switches we have, have I ran into this problem. The Cisco Aironet and Other Switches (by other manufacturers) work just fine.
View 2 Replies
ADVERTISEMENT
Aug 1, 2012
I'm changing SSL VPN from aaa authentication to both aaa and certs, Server 08 CA, 8.2 ASA 5510, ssl client 2.5.1025 and Windows 7 users. My question is what should be the template of the id cert that I receive from CA. ,
View 16 Replies
View Related
Jan 18, 2012
we are using Cisco Aironet 1130 AG and a Cisco 4402 WLC in our network. The certificate service is installed on a Windows 2008 R2 server. We use a standalone Root CA with a Enterprise Sub CA hierarchy. Issueing certificates to clients works fine. The vendor and ca certificates are installed on the WLC and the user have his user certificate. During implementation we used following document: url... Instead of Anonymous Bind, we use a service user to read in AD (works fine, too).
We use the Intel/PRO wireless utility on our Testclient and configured it for EAP-FAST and TLS. We can select the installed certificate in the utility, but when we try to connect, the utility throw the message: "Authentication failed due to an invalid certificate".We´ve logged the WLC and thats a part of the logfile (i´ve greyed out all enterprise data): [code]
View 3 Replies
View Related
Dec 20, 2012
I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesnt work anymore ( i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)
View 4 Replies
View Related
Jul 8, 2010
The IPAD VPN works great over token, radius and local authentication. But now we need to authenticate vpn client via digital certificate (only vpn authentication between client and gateway)? I'm not sure which certificate we should buy to authenticate vpn client.The plan is to install digital certifiacte on VPN Gateway (CISCO ASA 8.0.4) and IPAD Cisco IPSec client to eliminate user/pass authentication.
View 9 Replies
View Related
Sep 25, 2012
I have configured SSLVPN on a asa5520 with aaa and certificate authentication.Both authentication works fine,but I find the client users can use any others' certificate to authentication,I want to binding the aaa account to user's certificate.everyone must use their own certificate.
View 1 Replies
View Related
Oct 24, 2011
I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.In the connection profile i have set up that users should authenticate using both certificate and AAA.Due to a high security requirement, the user certificate is issued from a 3rd party. This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.Problem:If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.
View 1 Replies
View Related
Jul 11, 2011
Looking for the steps to configure wired clients using certificate authentication only
- i.e., once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted.
No need to tell me about switch configuration.
View 3 Replies
View Related
Oct 16, 2011
I am using wireless system with certificate athentication ( CA Server ) and RADIUS server.
I want to know if certificate is not installed and configured in wireless client laptop.
Do client get athenticate in wireless system and get access of wireless network ?
Also want to know any configuration required in WLC CISCO 4402 for authentication with CA server of client laptop.
View 2 Replies
View Related
Oct 17, 2012
Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.We have exported it to have a Trusted Certificate for client machine.
This certificat has been installed on a laptop.The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)I have this error in the log:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain.I think the Access Policies (identity & authorization) are misconfigured: [code]
View 1 Replies
View Related
May 23, 2011
Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based
View 1 Replies
View Related
May 16, 2011
I am enabling our wireless controllers to use 802.1x authentication for our wireless clients. Both computer and user are provided with certificate from CA server.I have 9 APs and 2 controllers installed in my infrastucture, one of the controllers is working fine with setting specified above but the other one is not.Both has same configuration and both seems identical with same model and IOS.
View 3 Replies
View Related
Jan 9, 2012
We use a combination of Cisco ACS and Cisco catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grand access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate, Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).
View 4 Replies
View Related
Jan 22, 2012
I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
View 2 Replies
View Related
Apr 10, 2012
Currently the ACS 5 is authenticate the iPhone/iPad by using the MAC address (which is entered manually) and AD user/password, i need to do that with certificate, so it will be scalable.
View 2 Replies
View Related
Jan 25, 2012
I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is to force user to connect from registered machines only (winXP & win7 x32 and x64). To do this, I used machine certificates issued by own CA. Certificate is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA validating machine certificate, then user is prompted for username/password and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
With DART i get:
******************************************
Type : Error
Source : acvpnagent
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150
[code]....
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.
View 3 Replies
View Related
Dec 19, 2012
When I get the web authentication dialog from 1.1.1.1 it starts of with a certificate error. Is there a way to prevent this certificate error while using the self signed certificate? I have not been successful installing certificates on my WLC - problems with OpenSSL and others. Want to get this deployed but don't want users to have to encouter that error.
View 1 Replies
View Related
Jul 7, 2011
Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect vpn?I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone.I currently have the AnyConnect client connecting ok using username / password for authentication.
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.
View 1 Replies
View Related
Jul 13, 2011
want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
View 3 Replies
View Related
Oct 25, 2011
I have an issue when I´m trying to authenticate my iphone&blackberry device with ASA 5520 using certificates. It seems that certificates are working fine, pass the ike phase 1 but never complete the phase 2. When i use pres hared keys everything works fine with both devices.
If you consider necessary, i can provide my current configuration in asa.
View 2 Replies
View Related
Jan 8, 2013
I have cisco 2504 WLAN controller with 7.4 IOS. My query is can I configure the MAC authentication with certificate based. And without using any external servers like Radius, ACS and LDAP.
May I know, If there is a option on WLC…
View 4 Replies
View Related
Sep 3, 2012
I am planning to migrate from an old 4400 to a new 5508. I am happy with migrating the access points but I need to know if I can migrate the web authentication certificate used for guests.The new WLC will have the same virtual interface and DNS name to match the CN on the current certificate. Will this work or will I need a new certificate?
View 2 Replies
View Related
Feb 8, 2011
how to chance the web authentication certificte on WLAN 2100 controller. My users are complaining that they need to accept the security certificate before proceeding to the actual authentication?
View 4 Replies
View Related
Sep 11, 2011
I need some clarification with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the Cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used. [URL].
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA. The dhcp pool is to be issued by the domain controller on the inside network and not on the firewall. Any examples or best practice steps to achieve this.
View 8 Replies
View Related
Feb 7, 2013
How can I set the SSL certificate for the management interface of an SG300? I don't seem to find the configuration option in the web gui?
View 5 Replies
View Related
Feb 29, 2012
I am trying to import a SSL certificate into this device - Cisco SPS2024 (FW: 1.0.6 ( date 30-Aug-2011 time 15:45:47 )) but without sucess. I have allready did this task on another models through CLI (Cisco SRW224G4 - through the lcli) or on Cisco SG300. I can create certificate request with:
switch(config)#crypto certificate 1 generate key-generate
switch#crypto certificate 1 request cn "sw.localdomain" or "..." ou "..." loc "..." st "..." cu "..."
and that last command gives me plaintext certification request that I will sign with my certification authority. to this time, everything is clear and perfect.
And now, I have signed certificate according generated certificate request and I want to import it. And now I am in stuck, because I have not found any useful command to do this action. For import certificate, I have found only following command:
switch# crypto certificate 1 import pkcs12 WORD
also I dont exactly understand this command because there is no parameter to specify any url from which will be fetched pkcs12 certificate... just WORD parameter as the pkcs12 passphrase. nothing like as on another switch models on which there is following command:
switch2(config)# crypto certificate 1 import <CR>
after executing the command line will waiting for pasting the signed certificate to console. And on SPS2024 there is no any similar command to doing this. So in final, I cannot import certificate signed by my certificate authority, I can just generate self signed certificate directly on device and use only this one
View 2 Replies
View Related
Jan 30, 2012
There is ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA).When user certificate expires i can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
View 3 Replies
View Related
Oct 19, 2012
i am working on ISE 1.1.1, surprisingly i couldn't found certificate authority certifiate at certificate operation anymore.
would it be the change on GUI? So now where i can import the CA certificate to ISE?
View 5 Replies
View Related
Sep 13, 2012
I have problem with ESW 520, on 802.1x authentication. The problem is when host authenticates successfully it works about couple of minutes, after it truest too authenticate again but it lags. On network interface it shows notification that if Failed authentication. On ACS I see only one authentication attempt which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug cable it authenticates successfully, but then about couple of minutes it again lags. Switch sees port as authenticated. On Win7 event viewer I have following error:
Reason: 0x70004
Reason Text: The network stopped answering authentication requests
Error Code: 0x0
If I connect same hosts on Catalyst 2960 switch, they work successfully.
View 2 Replies
View Related
May 11, 2011
I have an issue with the sf-300 switch model, which i am depolying in lapsafe trolleys. The approach is to wake the laptops from the guest VLAN (20) with WOL have them authenticate with 802.1x and use DVA to put the ports in VLAN14 so updates can be pushed to them over night.
I have configured 802.1x, guest vlan and DVA which works initially, all host wake from WOL, the laptops successfully authenticate and are assigned to the VLAN (14). This remains stable for a time then the hosts fail reauthentication. I have also noticed that when a host is disconnected from a port and patched into another port the initial port remains in the authenticated state and the new port authenticates the client but the hostnames are missing on the 'authenticated hosts' page of the GUI, DVA fails. The ports display a port-failure message for a time then moves to failed reauthentication.
The only way I can get it to work again is to reboot the box. From the logs I can see the macs of laptops being rejected and I can also see attribute 26 being ignored. See log below. I am unsure as to why host are initially authenticated but reauthentication fails, is it not the same process?.
I have 11 of these switches and have configured 6 which all display the same behaviour. These switches are not CISCO I do not understand why they have badged them. The protocols/standards are implemented differently. If you incuded 'general ports' as an answer in a CISCO exam you would fail. There are also other issues I have noticed with these boxes, I am not impressed!.
View 3 Replies
View Related
Jan 18, 2010
I have 3750 switch (WS-C3750G-24TS-S1U) with IP Services version
Switch Ports Model SW Version SW Image------ ----- ----- ---------- ----------* 1 28 WS-C3750G-24TS-1U 12.2(46)SE C3750-IPSERVICESK9-M
on the switch, I have configured aaa new-modelaaa authentication dot1x default group radius dot1x system-auth-control but i am not able to implement the command under interface
Switch(config)#int gigabitEthernet 1/0/20Switch(config-if)#do?down-when-looped
dot1x commands are not available under the interface config. Is the IOS version is compatible with dot1x?
View 5 Replies
View Related
Nov 26, 2011
I want to secure my routers & switches using ACS server (win server 2003 platform)i prefer Radius how to set it up lets say my ACS server ip addy 192.168.100.100 & key cisco both how to set up ACS for the router/switch & commands for router/switch ALSO, i wanna keep open a back door. if some ACS server is down, i want, ppl can log into router/switch using SSH (local user/pass) but only when ACS is down?
View 4 Replies
View Related
Aug 21, 2012
Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators. Could this be an issues with the username/password format in the Radius packet from the Cisco?
View 5 Replies
View Related
