Cisco VPN :: 5505 Certificate Only Authentication Method With AnyConnect

Jul 7, 2011

Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect vpn?I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone.I currently have the AnyConnect client connecting ok using username / password for authentication.
 
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.

View 1 Replies


ADVERTISEMENT

Cisco VPN :: 5520 AnyConnect Authentication With RADIUS Secure Method

Nov 6, 2012

I have been successfully able to setup Cisco AnyConnect VPN on ASA 5520 with 8.4 code.  I have set it to authenticate against the RADIUS Server (Microsoft Windows 2008 NPS server).  I have noticed one thing, on the server under "Constraints and Authentication Method".  I picked MS-CHAP-v2, but it is considered Less secure authentication methods.  I can click on Add and choose other Authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2.  I picked PEAP but then the VPN does not work.
 
So first of all does it really matter if I just leave it to MS-CHAP-v2?  Because from my understanding is that AnyConnect will authenticate to ASA and then ASA in the backend talks to the RADIUS server so from a security stand point this scenario shouldn't it be sufficient as no un encrypted or less secure information is available to the outside world? Secondly is there any documentation on using PEAP with Cisco AnyConnect?

View 4 Replies View Related

Cisco VPN :: Anyconnect 3.1 Certificate Authentication

Dec 20, 2012

I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesnt work anymore ( i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)

View 4 Replies View Related

Cisco VPN :: ASA 5540 AnyConnect Client Certificate Authentication

Jan 22, 2012

I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 2 Replies View Related

Cisco VPN :: ASA 8.2(5) / AnyConnect Fails At First Attempt (certificate Authentication)

Jan 25, 2012

I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is  to force user to connect from registered machines only (winXP & win7 x32 and  x64). To do this, I used machine certificates issued by own CA. Certificate  is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA  validating machine certificate, then user is prompted for username/password  and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The  appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
 
With DART i get:
******************************************
Type        : Error
Source      : acvpnagent 
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150

[code]....
 
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.

View 3 Replies View Related

Cisco VPN :: 5540 ANyConnect Client Certificate Authentication

Jul 13, 2011

want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
 
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 3 Replies View Related

Cisco :: Enable Password Fails In AAA Authentication Method List?

Jul 15, 2011

I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through ssh), it just prompts me for my username's password and not the enable password. Here's the debug output:

1d02h: RADIUS: Marking server xxx.xxx.xxx.xxx:1812,1813 dead
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No valid server found. Trying any viable server
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No response for id 10

[code]...

View 14 Replies View Related

Cisco VPN :: Asa 5510 AnyConnect And VPN Clients Using Same Certificate

Dec 2, 2011

Can anyconnect clients and cisco vpn ikev1-2 clients use the same certificate on an ASA 5510 ?

View 4 Replies View Related

Cisco VPN :: ASA 5580 - Anyconnect Certificate Failover

Apr 28, 2013

I have a strange issue with certificate based authentication anyconnect.  We have an ASA with two internet links, both have a CA authenticated Cert for anyconnect VPN’s.  We have an anyconnect client profile also, when we simulate a link failure on the ASA the anyconnect should automatically attempt a re-connect to the backup server list in its configuration (which is the other interface on the ASA 5580) which it does but we get a certificate trust error.

View 3 Replies View Related

Cisco VPN :: AnyConnect 2.5.2019 - SSL Certificate Mismatch

Sep 6, 2011

When i'm trying to connect using stand-alone Anyconnect (not through the web), I got the SSL error message "The certificate you are viewing does not match the name of the site you are trying to view" (attached).
 
The certificate I installed for the SSL connection on outside interface got Subject CN=testvpn.mydomain and Subject Alternative Name (SAN) --> DNS Name = testvpn.mydomain
 
It seems to me that instead of connecting to testvpn.mydomain, anyconnect try to connect to the its IP address. I did try to remove the IP address in Server List in the profile, but it still doesn't work.
 
If I'm using Clientless (through browser), I don't received this error which means the certificates installed correctly.
 
Is that a bug on anyconnect 2.5.2019 or is there other ways to force anyconnect to check name instead of the IP against the certficate?

View 4 Replies View Related

Cisco VPN :: ASA 5520 Anyconnect Certificate For PC / Laptop

Mar 26, 2012

We currently are using the anyconnect client using certificates for authentication (ASA 5520 v8.4).  It works pretty good but I can only get it to work on a profile basis on the clients laptops.  We are running windows 7 and if multiple users need VPN i have to install the certificate for each user.  I have changed the xml profile to read the certificate store to "all" and true for certificate store override.  I am installing the certificate in the trusted root certificate store.  Is there a way for the anyconnect to authenticate for all profiles (users) for the laptop?

View 0 Replies View Related

Cisco VPN :: 1841 / AnyConnect Invalid Certificate

Feb 7, 2013

I am having some problems with my AnyConnect configuration.I have configured AnyConnect (ssl vpn / webvpn) on my Cisco 1841 Router, and I can access it from a web browser and start the tunnel, then anyconnect starts up and then the problem come, because when AnyConnect is trying to connect it comes with an error saying "The certificate on the secure gateway is invalid".
 
I have read almost all of the threads in here about the problem also tried to make a new certificate, but nothing is working?
 
BTW: I am using self-signed certificate?

View 5 Replies View Related

Cisco VPN :: ASA 5520 / Adding Certificate For AnyConnect WebVPN?

May 28, 2012

I am setting up Clientless Anyconnect on ASA 5520.  I have a Verisign Cert but when I go to Certificate Management-->CA Certificates-->Add, I put everything in and click "install certificate" I get an error.  FYI I have the Primary Cert Authority Installed already?

View 1 Replies View Related

Cisco VPN :: ASA5510 / AnyConnect 3.1 Untrusted Certificate Error?

Oct 25, 2012

I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the Certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation.Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse endusers.

View 8 Replies View Related

Cisco VPN :: ASA5520 Anyconnect Replacing Identity Certificate

Aug 19, 2012

we currently have a remote access asa setup using Anyconnect with self signed certificate, and several users in the certificate database as we are using radius and certificate for authentication.
 
I want to purchase and obtain a trusted CA signed certificate (such as Verisign) and replace the current self signed cert.
 
My question is will I have to reset the current CA server of the ASA and replace the certificate user database? ie start from scratch.                 

View 2 Replies View Related

Cisco VPN :: 5510 - Certificate Validation Failure With AnyConnect Only On MAC

Apr 2, 2012

I have an anyconnect account set up using version 3.0.5080 and connecting to an ASA 5510 base 8.2(2)17. We are using certificates for authentication. If I try and use the account on a windows machine it all works fine.
 
However on a mac running Lion if I try and connect via a web browser or already have the anyconnect client loaded and try to connect I always get “certificate Validation Failure”. I double checked the certificate was correct and am sure that is correct as it is the same certificate on the Windows and the mac. After searching online I have also tried editing the anyconnect profile to so it is set “certificate store override”, and put the certificates and key in the “user/.cisco/certificates” and  “/opt/.cisco/certificates” folders.
 
After further testing, if I change the anyconnect connection profile to “authentication aaa” I can connect fine. Then if I disconnect, change it back to “authentication certificate” I can connect fine the first time, but all the following subsequent efforts I make fail. If I repeat this process this happens each time, I can connect the first time but after that it fails with the same “certificate Validation Failure” error message. When it connects this first time I checked and confirmed that it is definitely using the certificate. I have also tried using both authentication methods (“authentication aaa certificate”) and had the same problem.
 
This leads me to believe that my configuration is correct and it is some bug in the anyconnect client or the ASA image. I have had a look through bugs and read somewhere that there was a bug on earlier versions of 8.4, but nothing about 8.2.

View 1 Replies View Related

Cisco VPN :: ASA 8.4.5 - AnyConnect Web Install Getting Certificate Validation Failure

Mar 21, 2013

I have an ASA (8.4.5) configured with a connection profile that does AAA and Certificate authentication. Once I have the anyconnect 3.1 on a win Xp system, it works perfectly. When I do a web install, it goes through the normal download, log-in, re-download then says "Certificate Authentication Failure" If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC. Why this is not working?

View 3 Replies View Related

Cisco VPN :: ASA 5510 Anyconnect Client And Local Authority Certificate

Sep 20, 2011

ASA 5510 configuration for Csco anyconnect vpn client. Currently ASA is configured for self-signed certificate acces thru anyconnect ssl vpn. So the cert is being generated with every connection (of my understanding, I haven't found any identity certificate on the current configuration, at least on ASDM). Now I need to use a certificate from our local windows CA that we have at the office. I.e. self-signed certs should be changed with another one issued by our local office authority.
 
1. Generated new rsa key pair on the ASA
2. Generated CSR from identity certificates
3. Applied CSR to the windows CA and generated the certificate
 
Now I need to understand what is going to happen after I install this certificate on the ASA's identity certificates and apply it to outside interface. Is there anything to be done on the users side to use new certificate? Do they need to download and install the root certificate from the same CA? Do i need to have the root certificate installed on the ASA or identity is enough?

View 1 Replies View Related

Cisco VPN :: 5510 - SSL VPN Certificate Authentication

Aug 1, 2012

I'm changing SSL VPN from aaa authentication to both aaa and certs, Server 08 CA, 8.2 ASA 5510, ssl client 2.5.1025 and Windows 7 users. My question is what should be the template of the id cert that I receive from CA. ,

View 16 Replies View Related

Cisco :: Certificate Authentication At WLC 4402

Jan 18, 2012

we  are using Cisco Aironet 1130 AG and a Cisco 4402 WLC in our network. The certificate service is installed on a Windows 2008 R2 server. We use a standalone Root CA with a Enterprise Sub CA hierarchy. Issueing certificates to clients works fine. The vendor and ca certificates are installed on the WLC and the user have his user certificate. During implementation we used following document: url... Instead of Anonymous Bind, we use a service user to read in AD (works fine, too).
 
We use the Intel/PRO wireless utility on our Testclient and configured it for EAP-FAST and TLS. We can select the installed certificate in the utility, but when we try to connect, the utility throw the message: "Authentication failed due to an invalid certificate".We´ve logged the WLC and thats a part of the logfile (i´ve greyed out all enterprise data): [code]

View 3 Replies View Related

Cisco VPN :: 5520 - Disabling Automatic Certificate Selection But AnyConnect Selecting Automatically?

Apr 17, 2013

I am having anyconnect version 3.1.03103, windows7 & 8 and asa 5520 (8.4). I have gone through alot of work to solve this issue but it not hapening. On clientless ssl vpn it prompts me for manual certificate selection but on anyconnect client it is not. profile configuration is mentioned below. In the highlighted line below i have changed UserControllable="true" still no results.
  
<?xml version="1.0" encoding="UTF-8"?>
-<AnyConnectProfile xsi:schemaLocation="[URL]" xmlns:xsi="[URL]" xmlns="[URL]">-<ClientInitialization>
[Code]....

View 0 Replies View Related

Cisco VPN :: ASA 8.0.4 - IPad Client Certificate Authentication?

Jul 8, 2010

The IPAD VPN works great over token, radius and local authentication. But now we need to authenticate vpn client via digital certificate (only vpn authentication between client and gateway)? I'm not sure which certificate we should buy to authenticate vpn client.The plan is to install digital certifiacte on VPN Gateway (CISCO ASA 8.0.4) and IPAD Cisco IPSec client to eliminate user/pass authentication.

View 9 Replies View Related

Cisco VPN :: ASA5520 - SSLVPN With Aaa And Certificate Authentication

Sep 25, 2012

I have configured SSLVPN on a  asa5520 with aaa and certificate authentication.Both authentication works fine,but I find the client users can use any others' certificate to authentication,I want to binding the aaa account to user's certificate.everyone must use their own certificate.

View 1 Replies View Related

Cisco VPN :: 3rd Party Certificate And AAA Authentication ASA 5520

Oct 24, 2011

I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.In the connection profile i have set up that users should authenticate using both certificate and AAA.Due to a high security requirement, the user certificate is issued from a 3rd party. This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.Problem:If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 802.1x EAP-TLS Machine Certificate Authentication

Jul 11, 2011

Looking for the steps to configure wired clients using certificate authentication only

- i.e., once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted. 
 
No need to tell me about switch configuration.

View 3 Replies View Related

Cisco :: 4402 / Certificate Authentication For Clients?

Oct 16, 2011

I am using wireless system with certificate athentication ( CA Server ) and RADIUS server.
 
I want to know if certificate is not installed and configured in wireless client laptop.
 
Do client get athenticate in wireless system and get access of wireless network ?
 
Also want to know any configuration required in WLC CISCO 4402 for authentication with  CA server of client laptop.

View 2 Replies View Related

Cisco :: ACS 5.3 / Self Signed / Certificate Base Authentication

Oct 17, 2012

Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.We have exported it to have a Trusted Certificate for client machine.
 
This certificat has been installed on a laptop.The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)I have this error in the log:
 
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain.I think the Access Policies (identity & authorization) are misconfigured: [code]

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Machine Certificate Authentication

May 23, 2011

Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based

View 1 Replies View Related

Cisco :: 4402 Controller Not Working With Certificate Authentication

May 16, 2011

I am enabling our wireless controllers to use 802.1x authentication for our wireless clients. Both computer and user are provided with certificate from CA server.I have 9 APs and 2 controllers installed in my infrastucture, one of the controllers is working fine with setting specified above but the other one is not.Both has same configuration and both seems identical with same model and IOS.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Certificate Based Authentication And Windows 7

Jan 9, 2012

We use a combination of Cisco ACS and Cisco catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grand access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate, Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).

View 4 Replies View Related

Cisco Switches :: ESW-540-24p - Switch Refuses EAP Certificate Authentication

Jan 26, 2012

The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server. The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:EAP-TLS, EAP-FAST, PEAP Smart Card, I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works. In both cases the radius server logged a EAP Timeout. Again this only happens when any EAP method or version of authentication used deals with certificate authentication.Only with the 3 Cisco small business switches we have, have I ran into this problem. The Cisco Aironet and Other Switches (by other manufacturers) work just fine.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: IPhone / IPad Certificate Authentication By ACS 5.x?

Apr 10, 2012

Currently the ACS 5 is authenticate the iPhone/iPad by using the MAC address (which is entered manually) and AD user/password, i need to do that with certificate, so it will be scalable.

View 2 Replies View Related

Cisco Wireless :: WLC 2504 Certificate Error Web Authentication

Dec 19, 2012

When I get the web authentication dialog from 1.1.1.1 it starts of with a certificate error. Is there a way to prevent this certificate error while using the self signed certificate?  I have not been successful installing certificates on my WLC - problems with OpenSSL and others.  Want to get this deployed but don't want users to have to encouter that error. 

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved