Cisco VPN :: ASA 5545-X / Cert And AD Authentication Using AnyConnect 3.0.xxxx?
May 29, 2012
I have a need to utilize two factor authentication using a machine certificate and users AD crednetials. What we would like to do is to have the ASA and AnyConnect verify the certificate exists, check against our in house CA for validity, if valid pass the user credentials to the AD servers and establish the tunnel. If not valid quarantine the session and pop a message to the user to contact the help desk ASAP. My guess is the following (using ASDM 6.6, ASA 8.6.1, ASA 5545-X):
1. under the connection profile I have select BOTH for authentication and added a AAA server group.
2. under Cert Management I have added the 3 certs that are present on all company mobile assets
- Cert America
- Cert Europe
- Cert Root
3. I have an identity cert installed from the company CA and it is selected as the device cert under connection profiles
4.Local Cert Authority is Disabled
5.Under Remote Access>Advanced>Certs for AnyConnect>
- I have mapped DefaultCertifiateMap pri 10 to Company_Cert connection profile
- The mapping is looking for Subject: CN: <Contains> (string) ----where string is a common component of each Cert listed in #2.
Question #1 - Is this correct for utilizing certs and AD auth or have a missed any steps?
Users are directed to a an initial installation URL - where the AnyConnect client performs the installation and passes down the intial AC profile which auths using only AD creds. On subsequent connections users who pass the certificate mapping check are migrated to the connection profile which uses the dual authentication method.
Question #2 - When I attempt a new installation of AnyConnect using the two factor URL . I receive an error "certificate validation error" and the installation fails - for the life of me I can not figure out why???? The machine has all three certs, using IE9 as the browser.
View 3 Replies
ADVERTISEMENT
Jan 21, 2013
I've seen a bunch of discussions on the untrusted server cert error with self signed certs. But I have a valid wildcard that I use on my ASA. How do I make that work with out the untrusted server cert error?
View 5 Replies
View Related
Sep 19, 2010
I have been configuring anyconnect VPN. The requirement from customer is to configure MAC address based authentication for anyconnect clients. I have gone through various cisco documents. I couldnot find this option explained. Is MAC address based authentication possible in anyconnect vpn without having AAA server in place?There is an option to select end point attribute as MAC address, while creating Dynamic access policies. But at the host scan configuration of Cisco secure desktop, there are no options for performing MAC retrieval.
My ASA is running on version 8.2(1) and ASDM version 6.3(1) and a memory of 512 MB RAM. Any way for MAC based authentication in cisco anyconnect VPN.
View 3 Replies
View Related
Mar 3, 2013
I have a query regarding MAC authentication for end systems on ASA 5520. Inspite of proving MAC address in endpoint authentication along with AAA, only AAA attribute policies are getting created. MAC authentication is not happening.
Is there any requirement like LDAP or AD is required for MAC authentication?
View 1 Replies
View Related
Dec 20, 2012
I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesnt work anymore ( i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)
View 4 Replies
View Related
Jan 17, 2012
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:
1) Create an AAA server group.
2) Add the AAA server to this group (here its RADIUS).
3) create an LDAP-cisco ASA group mapping (for authorization)
3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).
4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).
View 5 Replies
View Related
Dec 26, 2012
I have configured an Asa 5510 as SSL vpn gataway ver 8.2(4) Anyconnect Essential. The clients are authenticated via Radius and OTP password.All work well since yesterday. When I have did same configuration changes. My objective was has that the clients accept the self signed certificate issued by the Asa whitout give the warning about the private cert.
So I have try to generaste a new certificate with FQDN equal to myasa.mydomain.com and also a CN=myasa
Then I have change the profile XML file of my anyconnect in this way: [code]
View 1 Replies
View Related
Dec 18, 2012
Recently we updated to the Anyconnect 3.0 client. I see the new 3.1 client is out and we are currently testing it for production. My question though is since updating to 3.0 our end users receive a message at the bottom of their client stating "No valid certificates available for authentication" They can still VPN in since we dont do certificate based authentication but we have been getting tons of questions on this. I would like to stop these messages from appearing and I am not sure if its just how the new client behaves or if its something configured on our ASA's.
View 1 Replies
View Related
Jul 8, 2012
I have an ASA 5520 and I am having trouble getting the AnyConnect VPN authentication timeout feature to work properly. I thought I did have it working a couple of months ago, but right now it is not giving me more than the default 12 seconds. I have tried intervals of anywhere from 25 seconds up to 120. I am currently runnign version 6.4 on the ASA and AnyConnect 2.5.3055.
View 8 Replies
View Related
Nov 28, 2011
I can't seem to find any documentation to how to get this working. I'm trying to make it so that only users of a certain AD group are authenticated for my Anyconnect VPN on my ASA 8.2.2
I've found the documentation on how to prevent logins using the msNPAllowDialin attribute, but not how to base it on group membership (memberOf) [code] I need to do any kind of restrictions inside the actual group-policy TESTGROUP ?
View 2 Replies
View Related
Jan 22, 2012
I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
View 2 Replies
View Related
Jan 25, 2012
I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is to force user to connect from registered machines only (winXP & win7 x32 and x64). To do this, I used machine certificates issued by own CA. Certificate is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA validating machine certificate, then user is prompted for username/password and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
With DART i get:
******************************************
Type : Error
Source : acvpnagent
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150
[code]....
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.
View 3 Replies
View Related
Jul 7, 2011
Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect vpn?I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone.I currently have the AnyConnect client connecting ok using username / password for authentication.
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.
View 1 Replies
View Related
Jul 13, 2011
want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
View 3 Replies
View Related
Nov 6, 2012
I have been successfully able to setup Cisco AnyConnect VPN on ASA 5520 with 8.4 code. I have set it to authenticate against the RADIUS Server (Microsoft Windows 2008 NPS server). I have noticed one thing, on the server under "Constraints and Authentication Method". I picked MS-CHAP-v2, but it is considered Less secure authentication methods. I can click on Add and choose other Authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2. I picked PEAP but then the VPN does not work.
So first of all does it really matter if I just leave it to MS-CHAP-v2? Because from my understanding is that AnyConnect will authenticate to ASA and then ASA in the backend talks to the RADIUS server so from a security stand point this scenario shouldn't it be sufficient as no un encrypted or less secure information is available to the outside world? Secondly is there any documentation on using PEAP with Cisco AnyConnect?
View 4 Replies
View Related
Jun 3, 2012
I'm getting this error message on syslog server (Kiwi syslog)access-list logging rate-limited or missed XXXX packets i did the following commands but still I'm getting the error :logging buffered 16386 debugginglogging rate-limit all 5000no logging consoleno logging monitorip access-list logging interval 30000ip access-list log-update threshold 30000 i don't want to report to the console or monitor i want to report direct to syslog server, because I'm monitoring all the traffic (permit ip any any log) !
View 2 Replies
View Related
Dec 6, 2012
Just a few questions. We are looking to deploying Cisco ASA 5545 into a network. I have a couple of issues with designing the network correctly.
We need to be able to scale out to more hosts than a single VLAN, we would also be considering adding 4948E switch behind the ASA and potentially a stack in front.
The problems are:
1) If we have an outside stack of public 4948E (so we can connect some hosts outside the firewall, such as additional ASA's running in NAT mode) for VPN. Is this a reliable, recommended configuration? The reason being we need to have the ability to add other seperate ASA protected networks that we don't want going through the 5545 as it's going to quickly run it out of capacity. If I have the L3 switch stack in front I'm guessing we would have a small subnet to link upstream and then sub-subnetwork into two blocks, one on the inside interface and one on the L3 switch for the other hosts? Or would it be better to let the upstream provider do this, and then just get them to provide us with two smaller subnets rather than one big one? As below if we do L3 stack ourselves we would need to small subnets, one to communicate with upstream and one to link ASA subnets. This seems like a waste of IP's. I was wondering if I could use Internal IP space on the L3 > ASA link, but I thought that could be an issue for BOGONS list.
2) If I want to extend the inside network (Cisco ASA would not run NAT, just public IP's on the inside, routed to the outside interface of the ASA) there are two ways. Use the ASA to create subinterfaces/VLANs (but that would be routed via the ASA - may be a performance hit?) or use a L3 switch behind the ASA. How does one accomplish running L3 switch behind ASA properly?
View 5 Replies
View Related
Dec 25, 2012
On CIsco ASA 5545x not able access finale application through SSL VPN, error shown is "class not found exception" and "bancs2000.bancs2000.class" default profile is used in VPN while we trying access HTTPS internal web server. Same behavior observed in version 8.6 and 9.1.
Above errors observed during JAVA loading process, browsers like Mozilla, Chrome and IE are tried.
View 2 Replies
View Related
Mar 26, 2013
Currently have an ASA 5545. What I want to do is allow our support team to perform ALL show commands (up to and including show run) but not enable them to perform ANY configuration changes on the devices (not get into config t). This is to allow them to check ARP tables, routing protocol status, etc
i don't have access to the ASA at the moment and haven't been able to figure it out in IOS, i'm assuming its not too hard.
View 1 Replies
View Related
Sep 26, 2012
I am trying to configure my ASA 5545 firewall in area 0 but when I do so, the neighbor relationship never establishes. A debug on OSPF gives only one response: [code] Why the ASA is ignoring the input packets?
View 4 Replies
View Related
Feb 4, 2013
We are planning to upgrade the ASA license in an A/S pair by adding the ASA5500-SC-20= license. The ASA is 5545 and runs 8.6. According to documentation, after 8.3 version, the ASAs can share a license features and do not require the same license on both boxes. I run a test in GNS3 with 8.4(2) images and I saw that by adding the 'activation-key' command only on the primary unit did the job as the 'show activation-key' output shows. In order to be 100% sure would like to verify the following:
Putting the activation-key only on the primary unit is enough and there is no need to do anything elseIn case the primary unit is standby, again we have to put the actication-key command on the primary unit (I am asking this because the 'activation-key' command is not listed under the commands that are not replicated to the other unitk, but doesn't make sense to be replicated since the activation-key is 'tied' with the S/N of the device).
View 4 Replies
View Related
Feb 28, 2013
I've configure Ldap authentication on ASA 5545 to allow only a certain user group. I mapped the the memberOf group but this seems not to be working as it allows all AD users. [code]
View 1 Replies
View Related
Apr 1, 2013
I installed a chained SSL cert on our anchor/guest 4402 a few years ago.We now have a need to replace the 4402 w/ a 5508, and I got everything configured, ready to go, except that darn cert.I can no longer locate the private key that was used to sign the original CSR.Is there any way to export the current cert from the 4402, so that I can import to the 5508? Or am I SOL?
View 3 Replies
View Related
May 1, 2013
I am wanting to use a cert signed by a digicert or verisign on my ASA so that anyconnect doesn't frreak out with the untrusted cert. I have created the CSR, and I uploaded the certificate, but it is still showing the old self signed untrusted cert.
View 5 Replies
View Related
Aug 14, 2005
When trying to do a cut-n-paste enrollment of a cisco 3725 router with a microsoft windows server 2003 CA i get the following error on the CA.Certificate Services denied request 8675 because The request subject name is invalid or too long. 0x80094001 (-2146877439). The request was for OID.1.2.840.113549.1.9.2=rtr31slied3.unit4agresso.com. Additional information: Error Constructing or Publishing Certificate This is when i use the router or webserver certificate.The only template that does work is the user certificate but then you get error messages that the router name doesnt match the cert name.The 3725 is running ios version 12.3(14)T3.How can we get the right templates to work ?
View 3 Replies
View Related
Dec 5, 2011
how to install a wildcard certificate with only the .cer file. I've found quite a few things here in the forums, but everyone seems to also have a pkcs12 file, which I do not.
This is an ASA 5510 on ver 8.4.
View 6 Replies
View Related
Oct 14, 2012
I know that CSRs cannot be generated with multiple names, but if the SAN is added after the cert is ordered from Geo Trust, Veri sign, etc. can the CSS support using the cert?
View 1 Replies
View Related
Apr 15, 2013
I am basically looking to install the wildcard on the outside interface for my ASA
View 1 Replies
View Related
Sep 24, 2012
I have a cisco 5508 WLC that I have setup WebAuth on and trying to install the certificate on. I have generated the csr and gotten my cert from Verisign (X.509, server platform=apache). I have followed the instruction via the cisco documentation url...I found an error in uploading and find out how to encrypt mykey: url...
I am also having exactly the same issue with a certificate from Thawte. I followed the unchained guide and have tried both with and without a password in the initial step key generation step, requesting a new cert each time. As with Jeensernchew's issue there are no errors in OpenSSL but when uploading the cert to the WLC get the following error. [code] The WLC is running version 6.0.196.0. I am using OpenSSL 1.0.0 29 Mar 2010.
When I requested the cert from Thawte I was asked to specify the device type, I chose Cisco, but as all the work and conversion is being done by OpenSSL, should I have chosen differently? When I do this I can load the cert in the 5508, but the controller fails and doesn't allow that VLAN or config access to the wireless network. I am at a loss of why I can load and it not work. I have verified my hostname and password and those are good.
View 1 Replies
View Related
Mar 29, 2006
We currently are using a self-signed cert (for PEAP machine authentication) that was created on an ACS 3.3 appliance. That cert was manually installed on our laptops when they were configured for wireless conenctivity.My problem is, that self-signed cert will soon be expiring and I am not sure what needs to be done to issue a new cert AND deploy it to my Windows XP Pro clients without a service interruption. If possible, I'd like to leverage our exsiting AD infrastructure for this, but I need some direction, and time is of the essence!!
View 2 Replies
View Related
Mar 7, 2012
I have a client that needs to update a certificate on their 2125 controller. They have created a .pfx cert that does not work because of file type. I wanted to see what the best pratice would be for me to follow installing this cert and do I need any additional cert like a CA. I found a document but am not so sure that it is exactly what I need.
AIR-WLC2125-K9 : JMX1248K0EL
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.188.0
RTOS Version..................................... 6.0.188.0
[code]....
View 2 Replies
View Related
Apr 22, 2012
So since my web auth cert is expiring I got it renewed from VeriSign and they sent me back the file. Do I need to again combine the "myprivatekey.pem" file and the new one that I got and then load it on the WLC? Can't find any guidelines and instructions from Cisco on this. Or do I need to go through the whole regenration of CSR process again etc?
View 3 Replies
View Related
Aug 16, 2012
Am I able to use an SSL cert in the proxy list for the same VIP but on a different port?
View 1 Replies
View Related
