Cisco VPN :: ASA 5540 - Client IPsec Authentication Using Digital Certificate

Sep 11, 2011

I need some clarification with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
 
I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the Cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used. [URL]. 
 
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA. The dhcp pool is to be issued by the domain controller on the inside network and not on the firewall. Any examples or best practice steps to achieve this.

View 8 Replies


ADVERTISEMENT

Cisco VPN :: ASA 5540 AnyConnect Client Certificate Authentication

Jan 22, 2012

I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 2 Replies View Related

Cisco VPN :: 5540 ANyConnect Client Certificate Authentication

Jul 13, 2011

want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
 
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 3 Replies View Related

Cisco VPN :: ASA 8.0.4 - IPad Client Certificate Authentication?

Jul 8, 2010

The IPAD VPN works great over token, radius and local authentication. But now we need to authenticate vpn client via digital certificate (only vpn authentication between client and gateway)? I'm not sure which certificate we should buy to authenticate vpn client.The plan is to install digital certifiacte on VPN Gateway (CISCO ASA 8.0.4) and IPAD Cisco IPSec client to eliminate user/pass authentication.

View 9 Replies View Related

Cisco AAA/Identity/Nac :: Digital Certificate On The ACS Wireless Network Acs 4.2

Dec 20, 2011

Digital certificate on the ACS Wireless network: 

Checking the configuration of the Wireless Notebook no longer requires the digital certificate of the ACS and NVR122 NVR123as worked in the past. The certificate is generated for the ACS root CA trusted by the COMPANY, so that the public CA certificate supersedes theprevious ACS. Therefore, any host that is in the field of company would have access to the wireless network. With this, the 8021x is working with a certificate that is common to all hosts in the field of business. How do I change it? 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510.  Currently using NT Domain authentication.  It's been working fine for quite a while but is too broad a brush.  It authenticates anyone who is in the domain.  We need to only authenticate folks who are in a specific AD remote access security group.  I'm testing LDAP but am getting the same results.  I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership. 
 
We've updated to ASA 8.2(1) and ASDM 6.2(1).  It seems to have more LDAP functionality but I'm not an LDAP expert.  I've posted an image of the LDAP server dialog from the ASDM.  I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing.  I also tried adding the group info in the "LDAP parameters for group search" field at the bottom.  But it doesn't seem to be looking there.  Note that the current value is the Group Base DN only.  I also tried putting "memberOf=" in front of that.  Still no luck.  The values shown in the image work for simple domain membership.

View 3 Replies View Related

Cisco VPN :: ASA 5540 Local Certificate Authority In Failover

Jul 12, 2011

i was setting up an ssl vpn on an asa 5540 (8.2) but can't set up the local ca authority
 
its an active/standby failover pair
 
i knew it wasn't enabled on active/active but i didn't realise it was also not enabled on active/passive has any one came across this or know whether it can be enabled?

View 4 Replies View Related

Cisco Firewall :: 5540 - Remote VPN Authentication Fail?

Mar 15, 2011

wht would be change on configuration of remote access VPN on asa 5540.
  
4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,

[Code].....

View 3 Replies View Related

Cisco Firewall :: 5540 - Multicast Over Lan To Lan Ipsec Tunnel

May 3, 2011

I need to configure multicast between 2 Csico 5540's lan to lan ipsec tunnel for a Voip application.

View 2 Replies View Related

Cisco VPN :: Set Up Remote Access IPsec VPN On Pair Of ASA 5540

Feb 6, 2011

I'm trying to set up remote access IPsec VPN on a pair of ASA 5540 without much success. I can connect with a client on the outside, and when I try to ping something on the inside I can see the ping requests reach the target but the answers don't come back to the VPN client. I've tried with different NAT rules without success.

View 3 Replies View Related

Cisco Routers :: WRVS4400N Connecting To ASA 5540 IPSec L2L?

May 15, 2013

I have a remote WRVS4400N that has a dynamic outside address that's initiating a connection to a ASA 5540 with a static address.
 
I'm all set on the ASA side.  My questions relate to the 4400N.  It doesn't appear to have a very robust configuration/setup available for L2L tunnels.  For one my encryption is limited to 3DES.
 
But I'm wondering if I'm missing something in the config.  I have to set up L2L tunnels to two other firewalls.  One firewall has 3 discontiguous networks, and the other has 2.  I have 5 tunnels setup, is this the only way?  What I would like to see is 2 tunnels, one for each remote firewall, but then each tunnel would have access to the appropriate networks (like on the ASA side), is there anyway to do this?  Perhaps a command line util for this unit?
 
My other issue relates to the tunnel-groups I have set up on my ASA's, and I would like to use appropriate names...however I can't seem to find a way to enable this to happen on the 4400N side....what I mean is I need a way to create either a "keyword identifier" or a "firewall identifier" on the 4400N and I don't see an appropriate field in the web interface.

View 3 Replies View Related

Cisco VPN :: 5510 - SSL VPN Certificate Authentication

Aug 1, 2012

I'm changing SSL VPN from aaa authentication to both aaa and certs, Server 08 CA, 8.2 ASA 5510, ssl client 2.5.1025 and Windows 7 users. My question is what should be the template of the id cert that I receive from CA. ,

View 16 Replies View Related

Cisco :: Certificate Authentication At WLC 4402

Jan 18, 2012

we  are using Cisco Aironet 1130 AG and a Cisco 4402 WLC in our network. The certificate service is installed on a Windows 2008 R2 server. We use a standalone Root CA with a Enterprise Sub CA hierarchy. Issueing certificates to clients works fine. The vendor and ca certificates are installed on the WLC and the user have his user certificate. During implementation we used following document: url... Instead of Anonymous Bind, we use a service user to read in AD (works fine, too).
 
We use the Intel/PRO wireless utility on our Testclient and configured it for EAP-FAST and TLS. We can select the installed certificate in the utility, but when we try to connect, the utility throw the message: "Authentication failed due to an invalid certificate".We´ve logged the WLC and thats a part of the logfile (i´ve greyed out all enterprise data): [code]

View 3 Replies View Related

Cisco VPN :: Anyconnect 3.1 Certificate Authentication

Dec 20, 2012

I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesnt work anymore ( i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)

View 4 Replies View Related

Cisco VPN :: 5540 - Prompting For Domain Name When Requesting Authentication To User

Jun 26, 2011

I have a remote access VPN profile configured on an ASA 5540. This profile is almost identical to the same profiles configured on other ASA 5540. The profile is linked to Active Directory for authentication. For some reason, users are not being prompted for the domain name field when connecting to the firewall, on the other firewalls they get prompted for all three (user/pass/domain).
 
All the firewalls are running 8.0(4) 32. And the following is the configuration of the firewall that I am experiencing issues with:
 
ip local pool TESTVPN 10.244.124.1-10.244.127.254 mask 255.255.252.0
 
group-policy TESTCERT internal
group-policy TESTCERT attributes
banner value **** WARNING ****
banner value You are Now Successfully Connected (code)

View 1 Replies View Related

Cisco Firewall :: ASA 5540 - 3000 Simultaneous IPsec Connections

May 15, 2013

We are planning to use an ASA 5540 to terminate about 3000 IPSec connections. The maximum supported IPsec VPN Peers for this platform ist 5000, so this should be ok in theory.
 
What is a bit unclear to me is what exactly happens when (for whatever reason) all 3000 clients try to connect at once ? Perhaps it's not at once but depending on timers this could mean 3000 incoming IPsec connection within 10-20 seconds.
 
Will the the ASA cope with it ? I can't find any info regarding this on CCO. It's also not that easy to test/simulate.

View 2 Replies View Related

Cisco VPN :: ASA5520 - SSLVPN With Aaa And Certificate Authentication

Sep 25, 2012

I have configured SSLVPN on a  asa5520 with aaa and certificate authentication.Both authentication works fine,but I find the client users can use any others' certificate to authentication,I want to binding the aaa account to user's certificate.everyone must use their own certificate.

View 1 Replies View Related

Cisco VPN :: 3rd Party Certificate And AAA Authentication ASA 5520

Oct 24, 2011

I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.In the connection profile i have set up that users should authenticate using both certificate and AAA.Due to a high security requirement, the user certificate is issued from a 3rd party. This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.Problem:If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 802.1x EAP-TLS Machine Certificate Authentication

Jul 11, 2011

Looking for the steps to configure wired clients using certificate authentication only

- i.e., once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted. 
 
No need to tell me about switch configuration.

View 3 Replies View Related

Cisco :: 4402 / Certificate Authentication For Clients?

Oct 16, 2011

I am using wireless system with certificate athentication ( CA Server ) and RADIUS server.
 
I want to know if certificate is not installed and configured in wireless client laptop.
 
Do client get athenticate in wireless system and get access of wireless network ?
 
Also want to know any configuration required in WLC CISCO 4402 for authentication with  CA server of client laptop.

View 2 Replies View Related

Cisco :: ACS 5.3 / Self Signed / Certificate Base Authentication

Oct 17, 2012

Our ACS (5.3) has self signed certificate, we have exported it and declared it in Certificate Authorities.We have exported it to have a Trusted Certificate for client machine.
 
This certificat has been installed on a laptop.The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)I have this error in the log:
 
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain.I think the Access Policies (identity & authorization) are misconfigured: [code]

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Machine Certificate Authentication

May 23, 2011

Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based

View 1 Replies View Related

Cisco :: 4402 Controller Not Working With Certificate Authentication

May 16, 2011

I am enabling our wireless controllers to use 802.1x authentication for our wireless clients. Both computer and user are provided with certificate from CA server.I have 9 APs and 2 controllers installed in my infrastucture, one of the controllers is working fine with setting specified above but the other one is not.Both has same configuration and both seems identical with same model and IOS.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Certificate Based Authentication And Windows 7

Jan 9, 2012

We use a combination of Cisco ACS and Cisco catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grand access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate, Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).

View 4 Replies View Related

Cisco Switches :: ESW-540-24p - Switch Refuses EAP Certificate Authentication

Jan 26, 2012

The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server. The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:EAP-TLS, EAP-FAST, PEAP Smart Card, I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works. In both cases the radius server logged a EAP Timeout. Again this only happens when any EAP method or version of authentication used deals with certificate authentication.Only with the 3 Cisco small business switches we have, have I ran into this problem. The Cisco Aironet and Other Switches (by other manufacturers) work just fine.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: IPhone / IPad Certificate Authentication By ACS 5.x?

Apr 10, 2012

Currently the ACS 5 is authenticate the iPhone/iPad by using the MAC address (which is entered manually) and AD user/password, i need to do that with certificate, so it will be scalable.

View 2 Replies View Related

Cisco VPN :: ASA 8.2(5) / AnyConnect Fails At First Attempt (certificate Authentication)

Jan 25, 2012

I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is  to force user to connect from registered machines only (winXP & win7 x32 and  x64). To do this, I used machine certificates issued by own CA. Certificate  is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA  validating machine certificate, then user is prompted for username/password  and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The  appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
 
With DART i get:
******************************************
Type        : Error
Source      : acvpnagent 
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150

[code]....
 
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.

View 3 Replies View Related

Cisco Wireless :: WLC 2504 Certificate Error Web Authentication

Dec 19, 2012

When I get the web authentication dialog from 1.1.1.1 it starts of with a certificate error. Is there a way to prevent this certificate error while using the self signed certificate?  I have not been successful installing certificates on my WLC - problems with OpenSSL and others.  Want to get this deployed but don't want users to have to encouter that error. 

View 1 Replies View Related

Cisco VPN :: 5505 Certificate Only Authentication Method With AnyConnect

Jul 7, 2011

Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect vpn?I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone.I currently have the AnyConnect client connecting ok using username / password for authentication.
 
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.

View 1 Replies View Related

Cisco VPN :: ASA 5520 - Certificate Authentication Using IPhone / Blackberry

Oct 25, 2011

I have an issue when I´m trying to authenticate my iphone&blackberry device with ASA 5520 using certificates. It seems that certificates are working fine, pass the ike phase 1 but never complete the phase 2. When i use pres hared keys everything works fine with both devices.

If you consider necessary, i can provide my current configuration in asa. 

View 2 Replies View Related

Cisco Firewall :: ASA 5540 And FTP Over Implicit TLS / SSL Client

Jan 3, 2012

I am having the EXACT same problem as this user:URL
 
Error:   GnuTLS error -53: Error in the push function.
Response:   425 Can't open data connection.
Error:   Failed to retrieve directory listing
Response:   421 Connection timed out.
 
However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.

View 1 Replies View Related

Cisco Firewall :: ASA 5540 - IPSec Tunnel / ASA Refuses To Encrypt Traffic But Decrypts It

May 31, 2012

This has to be the most weirdest issue I have seen since the past year on my ASA. I have an ASA 5540 running the 8.4(2) code without any issues until I stumbled upon this problem last week and I have spent sleepless nights with no resolution! So, take a deep breath and here is a brief description of my setup and the problem:
 
A Simple IPSEC tunnel between my ASA 5540 8.4(2) and a Juniper SSG 140 screen OS 6.3.0r9.0(route based VPN)
 
The tunnel comes up without any issues but the ASA refuses to encrypt the traffic but decrypts it with GLORY! below are some debug outputs, show outputs and a packet tracer output which also has an explanation of my WEIRD NAT issue:  

My setup - ( I wont get into the tunnel encryption details as my tunnel negotiations are **** perfect and comes up right off the bat when the ASA is configured as answer only)
 
CISCO ASA - IPSec networking details
LOCAL NETWORK - 10.2.4.0/28
REMOTE NETWORK - 192.168.171.8/32
JUNIPER SSG 140 - IPSec networking details
PROXY ID: LOCAL NETWORK - 192.168.171.8/32
REMOTE NETWORK - 10.2.4.0/28 
HOST NAME# sh cry ipsec sa peer <JUNIPER SSG PEER>
peer address: <JUNIPER SSG PEER>
[code]... 

As you can see, there is no echo reply packet at all as the packet is not being encapsulated while it is being sent back. I have been going mad with this. Also, this is a live production multi tenant firewall with no issues at all apart from this ****** ip sec tunnel to a juniper!!

Also, the 192.168.10.0/24 is another IP Sec tunnel remote network to this 10.2.4.0/28 network and this IP SEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm without any issues, but the 171 is not being encrypted by the ASA at all.

View 2 Replies View Related

Cisco Wireless :: 2504 -configure MAC Authentication With Certificate Based

Jan 8, 2013

I have cisco 2504 WLAN controller with 7.4 IOS. My query is can I configure the MAC authentication with certificate based. And without using any external servers like Radius, ACS and LDAP.
 
May I know, If there is a option on WLC…

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved