I got error message when I convert to certificate authencate via tunnel group.
error message: "certificate validation failure"
client prompte me that "your client certificate will be used for authenticate" but none certificate list popup even i disabled "autpmatic certificate selection" preferences.
some information about my configuration :
ASA 8.2(2)4
Anyconnect VPN 2.5.1025
authentication against aaa is working
some key point:
ASA:
ssl trust-point remote.apac outside
There is ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA).When user certificate expires i can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
I have a question its posible to authenticate an cisco phone and PC with the same vlan(voice and data)when i do this configuratión , the phone and pc dont work. The phone display registering and never finished.interface FastEthernet0/5 switchport mode access switchport voice vlan 1 authentication event fail action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication host-mode multi-domain authentication port-control auto authentication periodic authentication violation protect mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfastend.
I'm currently in the process of the setting up a new wireless network and I want to test out our 7925 phones on it. When I try uploading the certificate to the phone it fails and I find the following error in the trace logs
[code]...
I created this certificate using using Windows Server 2003 and it is 2048 bits. This certificate works fine with my laptop but I'm unable to upload it to the phone. The app load currently on the phone is CP7925-MFG-D.8.LOADS. Are there any specific guidelines out there when creating a certificate for a Cisco 7925 phone?
I am trying to install a digi cert on a 7921 and I get the message on import of "certificate verification failed".as there does not seem to be much documentation with the above error message.
Do the problem caused by the modems itself or it just sign of faulty Ethernet switch (using 20 port Allied Telesis ethernet switch). Sometimes I cannot connect to internet due to "unidentified network" buy i can resolve this problem by restarting my modem + switch.
I've configured in an UC520 a SSL VPN.I can access properly and I can see the labels, but I only can access urls which are http, not https:I can access the default ip of the uc520 (192.168.1.10) but When I try to get access to a secure url I get the msg: Failed to validate server certificate I'm trying to access a Cisco Digital Media Manager, whose url is URL Does the certificate of both hardware has to be the same?
I was looking for a way the manually re-authenticate dot1x client from cli and found this: [URL]
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
I've tried it 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seems to be implemented. Have I missunderstood something? Or do you guys have any other command to accomplish a manually re-auth?
I am having a problem configuring SCEP for my secure mobility client. I have created a connection profile to allow certificate requests but when I fill in the step-forwarding-url field I get an error. The CA we are using is an internal MS CA with SCEP already enabled. This has been configured for a long time with our current Cisco VPN client using certificate authentication. The ASA is running 8.4.1.Here is the error I get when I try to enter the command into the group policy associated with my certificate enrollment connection profile: group-policy SSLGP attributes. url...
The IPAD VPN works great over token, radius and local authentication. But now we need to authenticate vpn client via digital certificate (only vpn authentication between client and gateway)? I'm not sure which certificate we should buy to authenticate vpn client.The plan is to install digital certifiacte on VPN Gateway (CISCO ASA 8.0.4) and IPAD Cisco IPSec client to eliminate user/pass authentication.
When I try to export an SSL Certificate for a Client I get a htps . CSR file instead of the .PEM file. So, I can't update the client computer with the correct certificate.
In my test lab I can't to make work my webvpn configuration = I have several components: MS AD, MS CS (but without NDES), router 2911 and client computer. Client and router have a certificate from MS CS. In my configuration I use authentication by certificate or aaa (LDAP) and authentication by aaa working good. But authentication by client certificate doesn't work. And my internal https services don't work also - "Invalid or no certificate", but this strange because I imported CA certificate for this.
My 2911 version: Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
My Config:
aaa authentication login webvpn group ldap local ip local pool webvpn 192.168.200.1 192.168.200.254 bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd webvpn gateway vpn ip address <ip address> port 4443 ssl trustpoint root-ca
I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
I have an environment with SSL termination and client authentication with a client certificate. Now, the backend server application needs to be informed of the client DN information present in the presented client certificate. Is it possible to tell the ACE to send specific client certificate fields to the backen server via insertion of an HTTP header or, to forward the entire client certificate in any way to the backend server ?
When I attempt to export the certificate for the quickvpn client via the router web interface, it looks as if the export works, and it asks me to save the zip file. However, upon opening the zip file I receive the error: The compressed folder is invalid or corrupted.
This happens in multiple browsers, from multiple machines.
ASA 5510 configuration for Csco anyconnect vpn client. Currently ASA is configured for self-signed certificate acces thru anyconnect ssl vpn. So the cert is being generated with every connection (of my understanding, I haven't found any identity certificate on the current configuration, at least on ASDM). Now I need to use a certificate from our local windows CA that we have at the office. I.e. self-signed certs should be changed with another one issued by our local office authority.
1. Generated new rsa key pair on the ASA 2. Generated CSR from identity certificates 3. Applied CSR to the windows CA and generated the certificate
Now I need to understand what is going to happen after I install this certificate on the ASA's identity certificates and apply it to outside interface. Is there anything to be done on the users side to use new certificate? Do they need to download and install the root certificate from the same CA? Do i need to have the root certificate installed on the ASA or identity is enough?
The establishment of IPSEC tunnel between the RV220 and QuickVPN client works properly with the security certificate of origin of the router.RV220 V1.0.3.5QuickVPN V1.4.2.1
Since the establishment of a security certificate self-signed, the RV220 and QuickVPN client refuses to work together .
Here are the log of the QuickVPN client
2011/09/27 12:45:14 [STATUS]OS Version: Windows 7 2011/09/27 12:45:14 [STATUS]Windows Firewall Domain Profile Settings: ON 2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON 2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
I need some clarification with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the Cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used. [URL].
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA. The dhcp pool is to be issued by the domain controller on the inside network and not on the firewall. Any examples or best practice steps to achieve this.
We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
"Error 42: Unable to create certificate enrollment request"
When we attempt to use the Online enrollment method to create and enroll a new certificate. There is no additional information in the VPN client logs where we have set 3-High for all logs. In addition, Wire shark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enroll a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrollment dialog 2. Select Online 3. Select <New> for Certificate Authority 4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825) 5. Click Next to display the dialog where we can enter certificate details 6. Enter details in all fields except IP Address and Domain 7. Click Enroll which shows a dialog with the Error 42 ... message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrollment request. The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64bit machine and attempted the steps listed above.
I have the problem, that when I want to connect to the VPN Gateway (ASA 5510) with the AnyConnect Client 3.0 I will get the error "Failed to load preferences" when I try to connect via the SSL Portal of the ASA, everthing works fine... I have tried to reinstall the Client - without any success.
Windows clients work fine. When loaced from safari in Mac OS, it also works fine. -- If I browse to the url, like vpn.xxx.com/profilename, I can login and anyconnect will start and connect automatically. Only when run from applications > Cisco > Cisco Anyconnect Secure Mobility Client, I will get this failure. Is this a configuration issue?
I am having Cisco 3845 series router with c3900-universalk9-mz.SPA.151-4.M2.bin IOS . I want to install new Licence on it for DATA. When i am trying to install licence on it i am facing the error "% Error: License installation failed with error: XML parsing failed".
We replaced a WLC2106 with a WLC2112 and the 2112 can't authenticate anything. Both WLCs have the exact same configuration on them. We are using a RADIUS server to do MAC authentication. Both WLCs have been set to use no delimiter in the MAC filtering.
When the 2106 is in place, we have no issues and all allowed devices can authenticate without issue. However, when the 2106 is removed and the 2112 is powered up, every single device fails authentication and is put on the exclusion list. When we check RADIUS, it tells us the devices fail because they are locked. We unlock the device's account, and 5 minutes later the 2112 has screwed something up and they are locked again.
Having an issue with Macbook authentication. All Macbooks at this one site, on same switch, going to same RADIUS server, work except for one. Looking at logs it appears server and client never exchange certificates. Attached is log for failed Macbook authentication.
I have been trying to set this up for like 4 hours. What a waste of time. This should be as easy as punching in the IP and password for the radius server. It isn't.I have a brand new SG-300-10. LATEST firmwawre, I just updated it about 5 minutes ago. 1.2.7.6 I think.This is what I have done so far in the GUI: (I have CLI access too if necessary)
Security > RADIUS and entered my radius IP/secret there. Security > Access Management Profiles > Create new template called ALL that permits access to all applications. Set it as active also. Security > Management Access Authentication > For HTTP and SSH
I put RADIUS first then Local second.My radius server works. As I type this message I am logging in via radius with OpenBSD/Centos even Fedora. (If OpenBSD can do it, these switches can do it.)But whenever I try to login with RADIUS credentials to my switch, I get no logs or any connectivity reports on my radius server? Is the switch even attempting to contact the server? The logs dont show anything regarding RADIUS. I am trying a reboot now, but I don't think that should be necessary.Is there a step I missed? When first looking at this I expected it to be done in 5 minutes. I have been on this for lik 4 hours. Isimply want to login to the administration console (web gui) using RADIUS credentials.
I think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.
I am trying to connect using officeextend but couldn't . I have managed to connect the officeextend AP to the DMZ WLC however i cant get the users to authenticte to the ACS (although there is a rule to access the access on ports 1813 and 1812). Should the DMZ WLC need the ACS servers (i thought they wouldnt require as they are anchored back to the Internal WLC that the ACS server address
oon a side note, i have'nt created dhcp for hte officeedxtend users - will this cause an issue - (just deciding on to it on WLC or windows server)In-fact i cant even see myself authenticating on the ACS server
we have deployed L3 in-band scenario for wireless 2 years ago and the solution was working without any problem. we have upgrade wireless controller to 5508, since then, when users login to the first page and certified, and they want to browse to the internet, NAC redirects the web page and ask for authenticatin again, despite the users' devices are being shown as certified devices in the list.
We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?
