Cisco VPN :: AnyConnect 3.0 - No Valid Certificates Available For Authentication
Dec 18, 2012
Recently we updated to the Anyconnect 3.0 client. I see the new 3.1 client is out and we are currently testing it for production. My question though is since updating to 3.0 our end users receive a message at the bottom of their client stating "No valid certificates available for authentication" They can still VPN in since we dont do certificate based authentication but we have been getting tons of questions on this. I would like to stop these messages from appearing and I am not sure if its just how the new client behaves or if its something configured on our ASA's.
View 1 Replies
ADVERTISEMENT
Sep 25, 2011
I'm looking for samples about anyconnect 2.x with PKI authentication through ASA 8.x and ACS 5.2.The CA could be a internal Microsoft CA.
View 8 Replies
View Related
Mar 5, 2012
Does changing the device certificate for AnyConnect Connection Profiles break any established AnyConnect connections, or is it transparent to the users?
View 1 Replies
View Related
Oct 31, 2012
I have an SSL VPN set up on my ASA 5520 with a self signed cert. When I run the AnyConnect install on my desktop machine I have click through a few windows to accept the certificate. When I connect through the mobile client on Android, the connection goes right through without a prompt to import/choose/download a certificate. I'm able to connect but I'm wondering if the phone has actually recieved a certificate. I'm in the 'Advanced Connection Editor' screen and the certificate setting says "Automatic".
View 2 Replies
View Related
Jun 2, 2011
Has anyone tried to get two factor authentication working with the asa 5505. I have a CA setup and the enrollment emails are being sent out. But when I go to login to the enrollment site at [URL]. I get a page not found.
I would like to have one factor be a username and password and the second factor being a certificate on the device.
View 4 Replies
View Related
Jun 7, 2012
I have a Cisco 4506 With IOS 12.2 54SG1
Iam new on Acs 4.2 and i want to use Certificates to authenticate my windows XP Client and Igels.
On Windows Xp i selected : IEEE 802.1X Authentication enable EAP (Peap)
But i dont understand the Certification of ACS 4.2.
I generated a Self-Signed Certificate. Is this right ? and under installed Certificates the Certificate Status is okay.
Do i have to create for each windows Machine one user Account under user-Setup to authenticate the Machine?
Where do Windows Xp know whitch Certificate he have to take ?
I configures the Switch on Global Configuration like this:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
[Code].....
Iam triying to configure ist szenario till 4 days and it still dont work.. On Windows i Only get the Error" authentication failed" on the Switch the same : dot1x : Authfailed
View 3 Replies
View Related
Apr 25, 2010
A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query PC, handing this off to ACS, that bit I'm ok with. The ACS needs to query the CA server to authenticate the PC, its this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.
Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?
View 8 Replies
View Related
Sep 17, 2012
I'm working on task to update the SSL certificate for an application. steps to upgrade the SSL, stuffs need to be checked before and after the installation and how to verify the new certificates.
View 1 Replies
View Related
May 8, 2007
I am an IT professional that is installing my first extended range wireless AP in my companies warehouse. I am very excited!
Now I have set up many a linksys and repeater wireless networks, so when I was looking into the Aironet 1240AG I thought ?No Problem!?
And at first, it is not!
I have the AP and antenna set up here in my office before I take it out and mount it in the warehouse. And I can get connected to it, no security for now, no filters, I just want to connect and make it work.
I stay connected for maybe 3 minutes, I can get to the internet, I can ping all my servers. Full connectivity. But then for no reason the connection fails and I cannot reconnect.
The error I get in the log is
Interface Dot11Radio0, Deauthenticating Station 0006.2510.bbe3 Reason: Previous authentication no longer valid
So strange! So I have reset the AP to factory defaults and then set the SSID, and I can connect, again for a second, then nothing.
I have tried with multiple wireless cards, even laptops. Thinking maybe the problem was on the computer side.
View 12 Replies
View Related
Sep 19, 2010
I have been configuring anyconnect VPN. The requirement from customer is to configure MAC address based authentication for anyconnect clients. I have gone through various cisco documents. I couldnot find this option explained. Is MAC address based authentication possible in anyconnect vpn without having AAA server in place?There is an option to select end point attribute as MAC address, while creating Dynamic access policies. But at the host scan configuration of Cisco secure desktop, there are no options for performing MAC retrieval.
My ASA is running on version 8.2(1) and ASDM version 6.3(1) and a memory of 512 MB RAM. Any way for MAC based authentication in cisco anyconnect VPN.
View 3 Replies
View Related
Mar 3, 2013
I have a query regarding MAC authentication for end systems on ASA 5520. Inspite of proving MAC address in endpoint authentication along with AAA, only AAA attribute policies are getting created. MAC authentication is not happening.
Is there any requirement like LDAP or AD is required for MAC authentication?
View 1 Replies
View Related
Dec 20, 2012
I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesnt work anymore ( i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)
View 4 Replies
View Related
Jan 17, 2012
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:
1) Create an AAA server group.
2) Add the AAA server to this group (here its RADIUS).
3) create an LDAP-cisco ASA group mapping (for authorization)
3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).
4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).
View 5 Replies
View Related
Dec 26, 2012
I have configured an Asa 5510 as SSL vpn gataway ver 8.2(4) Anyconnect Essential. The clients are authenticated via Radius and OTP password.All work well since yesterday. When I have did same configuration changes. My objective was has that the clients accept the self signed certificate issued by the Asa whitout give the warning about the private cert.
So I have try to generaste a new certificate with FQDN equal to myasa.mydomain.com and also a CN=myasa
Then I have change the profile XML file of my anyconnect in this way: [code]
View 1 Replies
View Related
Jul 8, 2012
I have an ASA 5520 and I am having trouble getting the AnyConnect VPN authentication timeout feature to work properly. I thought I did have it working a couple of months ago, but right now it is not giving me more than the default 12 seconds. I have tried intervals of anywhere from 25 seconds up to 120. I am currently runnign version 6.4 on the ASA and AnyConnect 2.5.3055.
View 8 Replies
View Related
Nov 28, 2011
I can't seem to find any documentation to how to get this working. I'm trying to make it so that only users of a certain AD group are authenticated for my Anyconnect VPN on my ASA 8.2.2
I've found the documentation on how to prevent logins using the msNPAllowDialin attribute, but not how to base it on group membership (memberOf) [code] I need to do any kind of restrictions inside the actual group-policy TESTGROUP ?
View 2 Replies
View Related
May 29, 2012
I have a need to utilize two factor authentication using a machine certificate and users AD crednetials. What we would like to do is to have the ASA and AnyConnect verify the certificate exists, check against our in house CA for validity, if valid pass the user credentials to the AD servers and establish the tunnel. If not valid quarantine the session and pop a message to the user to contact the help desk ASAP. My guess is the following (using ASDM 6.6, ASA 8.6.1, ASA 5545-X):
1. under the connection profile I have select BOTH for authentication and added a AAA server group.
2. under Cert Management I have added the 3 certs that are present on all company mobile assets
- Cert America
- Cert Europe
- Cert Root
3. I have an identity cert installed from the company CA and it is selected as the device cert under connection profiles
4.Local Cert Authority is Disabled
5.Under Remote Access>Advanced>Certs for AnyConnect>
- I have mapped DefaultCertifiateMap pri 10 to Company_Cert connection profile
- The mapping is looking for Subject: CN: <Contains> (string) ----where string is a common component of each Cert listed in #2.
Question #1 - Is this correct for utilizing certs and AD auth or have a missed any steps?
Users are directed to a an initial installation URL - where the AnyConnect client performs the installation and passes down the intial AC profile which auths using only AD creds. On subsequent connections users who pass the certificate mapping check are migrated to the connection profile which uses the dual authentication method.
Question #2 - When I attempt a new installation of AnyConnect using the two factor URL . I receive an error "certificate validation error" and the installation fails - for the life of me I can not figure out why???? The machine has all three certs, using IE9 as the browser.
View 3 Replies
View Related
Jan 22, 2012
I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
View 2 Replies
View Related
Jan 25, 2012
I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is to force user to connect from registered machines only (winXP & win7 x32 and x64). To do this, I used machine certificates issued by own CA. Certificate is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA validating machine certificate, then user is prompted for username/password and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
With DART i get:
******************************************
Type : Error
Source : acvpnagent
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150
[code]....
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.
View 3 Replies
View Related
Jul 7, 2011
Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect vpn?I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone.I currently have the AnyConnect client connecting ok using username / password for authentication.
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.
View 1 Replies
View Related
Jul 13, 2011
want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
View 3 Replies
View Related
Nov 6, 2012
I have been successfully able to setup Cisco AnyConnect VPN on ASA 5520 with 8.4 code. I have set it to authenticate against the RADIUS Server (Microsoft Windows 2008 NPS server). I have noticed one thing, on the server under "Constraints and Authentication Method". I picked MS-CHAP-v2, but it is considered Less secure authentication methods. I can click on Add and choose other Authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2. I picked PEAP but then the VPN does not work.
So first of all does it really matter if I just leave it to MS-CHAP-v2? Because from my understanding is that AnyConnect will authenticate to ASA and then ASA in the backend talks to the RADIUS server so from a security stand point this scenario shouldn't it be sufficient as no un encrypted or less secure information is available to the outside world? Secondly is there any documentation on using PEAP with Cisco AnyConnect?
View 4 Replies
View Related
Aug 27, 2012
I have access to an ASA running 8.4 and I need to copy the config to another one, to have it has as a spare.All configuration has coppied fine except for this part in the config;
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GS2-NT-FIR-01
proxy-ldc-issuer
crl configure
[code]....
So firstly, I assume this certificate is for the SSL vpn that is configured on the ASA? Secondly, this wouldn't copy across (the HEX part). But I believe this ASA is using a self signed cert so instead I probably ned to generate a new one on this spare ASA, so how do I do that?
View 3 Replies
View Related
Aug 8, 2011
I am delving into the world of Certificates and the ASA. I am having the HARDEST time grasping this though. I've poured over Cisco whitepapers, been reading through books and things just aren't solidifying in my head. So my question is, how do Certificates for SSL work on the ASA? Where does the data transmit and how does an ASA talk to a CA and User for things?
Lets do this basic topology for the discussion:
End User------SSL VPN---> ASA--->Internal CA
So in theory we are supposed to create a certificate and install it on the ASA and then set the outside interface to trust that cert?
How do identity certs and root certs also work out on the ASA? I have instructions that pretty much say
Create RSA key
Create new trustpoint
cry ca auth newtrustpoint
cry ca enroll newtrustpoint
cry ca import ?
So what are all of these steps specifically doing? Also in ASDM it shows a normal Certificate and an Identity Certificate. I can't really figure out the difference between the two. Does one cert talk to the CA and the other identify the ASA to the CA?
View 7 Replies
View Related
Aug 16, 2012
My ASA's have the follwing Versions: ASA Version 8.4(3) ASDM Version 6.4(7)Have I a chance to configure a site-to-site tunnel with a hostname as peer address when I will use Identity and CA Certificates?
View 2 Replies
View Related
Dec 5, 2011
I want to use a different certificate by connection profile. Is-it possible on ASA 8.4 ?
My first certificate is for vpn.itcom.fr associated to one connection profile and my second is for vpn.newitcom.fr associated to a second connection profile.
View 2 Replies
View Related
Jan 31, 2012
I have generated request and our CA server gave us two files, one is certificate from CA itself, one is the certificate CA created for the ACS. I used the "Bind CA Signed Cerficate" under "local certificated"Option to bind the latter. it shows successful.and a web access from any pc will give you error info, "that the security certificate presented by this website was issued for a different website's address." And all the while I dont know how to deal with the other file, which is "Internal CA certificates" I was try to use the first option import server option, but it seems not right,
View 1 Replies
View Related
Mar 10, 2008
I have configured MS CA and i setup vpn client and ASA 7.0 to make tunnel with certificates.Same configuration does not work with ASA 8.0 I get error
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
[code]....
Why the key usage is invalid? What certificate template must be used in MS CA in order to get a regular key usage?
View 3 Replies
View Related
Sep 4, 2012
I have an ASA5540 running 8.4(3) which has CA and identity certificates from godaddy.com installed, identifying the ASA to VPN remote users (the are using the anyconnect client.) There is also a separate certificate server located on the inside LAN that is used for internal purposes. All client workstations have identity certs from this internal server.
We would like to be able to continue using the existing godaddy CA/identity certs to identify the ASA to the clients, but we'd like to use the internal CA server to identify the clients when they initiate the AnyConnect session to the ASA.
I have seen other postings that state you cannot have more than one vert on an interface, but this is a little different - only one cert needs to be used to identify the ASA. The other one is only to identify the users. The ASA did allow me to import the internal CA cert.
View 4 Replies
View Related
Jan 19, 2012
Which certificates do I install on the ASA 5510 ???
I have a Trust External CA Root, Trust Server CA, Extended Validation Secure Server CA and the name of the domain all ending in CRT. Yet the instructions only refer to two certificates ?
View 2 Replies
View Related
Feb 10, 2011
I want to use multiple cert (enterprise certs and verisign cert) for authentication in wireless.Users that have their computer in the domain should use EAP-TLS and PEAP (verisign) are for users in the domain but on non-domain computers.I can only enable one certificate in system adminstration->local server certificates-> local certificates to use EAP.I have installed both enterprise and verisign cert in the CA store in User and Identy store and enbled the enterprise cert for EAP-TLS.The EAP-TLS connection works fine when the enterprise cert is enabled for EAP (in local certificates) but PEAP does not. If I enable EAP on the verisign cert in local certificates the enterprise cert get EAP disabled and that authentication stops working av PEAP starts working.
Is the ACS5.2 only able to have one certificate enabled at the time for EAP?
View 10 Replies
View Related
Oct 6, 2011
I've tried to piece this together with SSL Remote Access VPNS, Understanding PKI and the Cisco's ASA 5500 Series Chapter 73 Configuring Digital Certificates. Below is a basic config I use to create the CA and ID certs on ASAs. I use the ASA as the CA server. When I export the SSL trust point it doesn't show chaining from the CA. Since there is no chaining when I load the CA certificate in the Root Store I still an SSL Certificate error. Instead I have to load the SSL Trustpoint Certificate.
CREATE CA
crypto ca server
smtp from-address admin@Cisco.local
lifetime ca 3650
lifetime certificate 3650
lifetime crl 24
[code]....
I originally thought it was a problem with enrollment self in the trustpoint, but I cannot figure out the steps to complete enrollment terminal. I got to the steps of crypto ca enroll Identity_Certificate and displayed the certificate request. At that point the sh crypto ca trustpoint Identity_Certificate is pending enrollment. I can not find the command for the CA that allows trustpoint enrollment. If I try to crypto ca export Identity_Cetificate identity-certificateit says trustpoint not enrolled. Of course if I take the enrollment request and attempt to crypto ca import Identity_Certificate certificate it fails because it's not the cert.
View 3 Replies
View Related
Apr 23, 2011
We're looking to deploy a certificate-based VPN solution for users with mobile devices (iPhone, iPad, and Android devices at minimum).We currently have CheckPoint firewalls (with VPN capabilities, currently unused), SonicWall, and Aventail devices at our disposal, but would not be against adding new equipment if the solution is secure, easy to deploy, and easy to manage.We want to use client certificates for authentication, though we currently have no infrastructure in place for such a thing.I'm looking for starting points/reference documents to learn to deploy:
* Certificate infrastructure, including a secure and manageable way to deploy certificates to devices, and revoke them if devices are lost or stolen.
* VPN concentrator configuration guides (whether it be Cisco or one of our existing VPN-capable devices).
View 2 Replies
View Related
