Cisco VPN :: No Password Prompt From ASA 5500 For Certificate Enrollment?
Apr 11, 2013
I work in a lab testing interoperability between Avaya and Cisco VoIP products. I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP going through an ASA 5510 to a backend IP PBX.
Environment: Windows Server 2008 R2 Enterprise Edition, AD with DNS, NDES; Cisco ASA 5510 running 9.0(1)
I would like to set up certificate enrollment between a Windows Server 2008 R2 and a Cisco ASA 5510. Here are the commands that I use on the Cisco ASA 5510:
crypto key generate rsa modulus 2048
crypto ca trustpoint ASA5510-trust
enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
enrollment retry period 5
enrollment retry count 3
password Interop123
exit
crypto ca authenticate ASA5510-trust
crypto ca enroll ASA5510-trust
Everything works as expected until I try to enroll. There is no prompt for the enrollment password and the certificate request is denied.
ciscoasa(config)# crypto ca enroll ASA5510-trust
%
% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
% Include the device serial number in the subject name? [yes/no]: No
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ciscoasa(config)# The certificate enrollment request was denied by CA!
Why isn't there a prompt for the enrollment password? BTW, if I set "enforcepassword" to "0" in the Windows registry, then it works.
Feb 21, 2011
We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
"Error 42: Unable to create certificate enrollment request"
when we attempt to use the Online enrollment method to create and enroll a new certificate. There is no additional information in the VPN client logs, where we have set 3-High for all logs. In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enroll a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrollment dialog
2. Select Online
3. Select <New> for Certificate Authority
4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
5. Click Next to display the dialog where we can enter certificate details
6. Enter details in all fields except IP Address and Domain
7. Click Enroll which shows a dialog with the Error 42 ... message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrollment request. The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64bit machine and attempted the steps listed above.
Mar 4, 2012
I've recently installed SSL certificates for our web auth guest interface on our WLCs. I discovered that they required a Level 2 certificate to work properly. We are getting an untrusted certificate on our 802.1x SSIDs that authenticate against a 5500 ASA. A certificate was installed and has an error, showing the certificate as untrusted. My question is, does the 5500 ASA require a Level 2 certificate as well?
Feb 21, 2012
I have installed a new SSL certificate on our ASA 5500. I removed the old one, installed the new one, and associated the trust points with the interface we use for WebVPN and AnyConnect connections.
They are still seeing the old expired certificates. Users can still log in and authenticate but I would rather them see the correct certificate.
Oct 3, 2012
I'm wondering if anyone knows how to set up the switch so that when I'm connecting via SSH, the switch doesn't prompt for a username if I supply one in the initial connect request? For example, we usually connect by typing something like the following at a command prompt:
ssh johndoe@10.10.10.10
Then the switch would prompt for a password. I've tried this on the Cisco SF302 but it still prompts for a username, and then the password.
Dec 4, 2012
How to find the password through LAN or cmd?
Jan 30, 2013
I'm using a Netgear CG3000D and I want to change my password. But my default gateway IP doesn't prompt a login, only an error message.
I've tried restoring the browser to its default settings, clearing the cache, and using Chrome and Firefox.
I think I should be logging into the admin GUI for the router.
Feb 6, 2013
I recently configured a Cisco 3750 switch for a stand-alone network here at work, and on all our other switches and routers we use ACS to access everything. This switch being stand-alone, I don't have that option.
So being like that, I have to create everyone in the shop a username and password. Is there a way to prompt the user to change their password on their first login like you would with Windows or such?
Dec 21, 2012
We currently have a client that uses the IPsec VPN Client to remote in to their PIX 501. When they connect, it secures communication and immediately connects/minimizes, and the tunnel-group name/password is sufficient, so there is no prompt for a username/password from a local/RADIUS database.
When setting this up on a newly purchased ASA, a username/password is prompted every time they try to connect. Is there a way to eliminate this feature, or a command in the tunnel-group or group policy, so that a username/password is not required after the connection profile establishes the VPN? It is ASA 8.4.
Feb 17, 2012
I know a little bit about computers, but I am having problems trying to connect to the internet that I cannot figure out. I connected the Ethernet cable to the back and it lit up, but it still says "Local Area Connection doesn't have a valid IP configuration".
Jan 29, 2013
I have an ASA 5520 which is intended to be used as a VPN for clients using a PDA. I think the PDA is a very old product and its VPN only supports CHAP/MS-CHAP, but it seems it cannot connect to the VPN; it prompts "invalid username and password" (but in fact the username and password are valid when using PAP). Below is the log I captured from the ASDM when the PDA is connecting to the VPN. When I tried to connect from a Windows PC, I also had the same issue if the VPN setting used MS-CHAP; if I choose PAP, it can connect with no problem. But the PDA has no option for PAP. [code]
Jan 9, 2011
I just purchased a used 1242AG which is running Version 12.4(13d)JA. I tried the mode button on power-on, holding it for 2-3 seconds, but nothing happens and the Cisco/Cisco login does not work. I have figured out that if I hold the mode button in for 30 seconds while powering up I get an AP prompt. I tried doing a dir flash but get permission denied. Are there any commands I can run at the AP prompt to attempt to reflash this unit or reset the password somehow?
Jan 12, 2011
How do I configure a Win2008 server to bring up a password prompt box when accessed via a workgroup PC on the LAN?
Apr 25, 2011
Disable prompt for password when computer resumes from standby for Win 2003 Server.
May 5, 2012
How to get rid of the username/password prompt for a VPN user connecting to a computer with guest access on shared folders? If a VPN user types any word in the user name and hits enter without a password, it gets in and sees shared folders, but I want this prompt to be disabled.
Apr 12, 2011
For weeks guest access to my E3000 worked fine. Today I had a friend come over; his XP connects to the guest Wi-Fi, but his computer does not get a prompt for a password.
Aug 14, 2005
When trying to do a cut-n-paste enrollment of a Cisco 3725 router with a Microsoft Windows Server 2003 CA, I get the following error on the CA: Certificate Services denied request 8675 because The request subject name is invalid or too long. 0x80094001 (-2146877439). The request was for OID.1.2.840.113549.1.9.2=rtr31slied3.unit4agresso.com. Additional information: Error Constructing or Publishing Certificate. This is when I use the router or webserver certificate template. The only template that does work is the user certificate, but then you get error messages that the router name doesn't match the cert name. The 3725 is running IOS version 12.3(14)T3. How can we get the right templates to work?
May 14, 2013
Is there any way to configure a certificate between the wireless AP and clients to secure my username and password?
My setup is WLC5508/AP1142/ACS5.4.
Jan 30, 2012
There is an ASA with remote access VPN, and users are authenticated using third-party signed certificates (the CA is not local on the ASA). When a user certificate expires I can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is a way to view a user's certificate expiry date beforehand, say, 3 days before?
Oct 19, 2012
I am working on ISE 1.1.1; surprisingly, I couldn't find the certificate authority certificate under certificate operations anymore.
Would it be a change in the GUI? So now where can I import the CA certificate into ISE?
May 11, 2011
There's something funky going on with my prompt for a pair of multiple context ASAs. In the system execution space I have the following command:
Sep 7, 2012
Almost new switch giving error: %%Low on memory Try again later. This is a 2960 48-port LAN Base image. I can't get a console prompt, telnet in or anything; it is, however, switching packets OK. [code]
Jan 13, 2013
In my Run prompt I can only run cmd; other commands don't work.
Jul 16, 2012
I have an AP which is not connected to a switch. I console into it and it gives the error "unable to get IP from WLC". Need to know if there is any way that I can go to the command prompt of this AP without getting an IP from the WLC? I tried Ctrl+C etc.; it does not go to the command prompt.
May 30, 2011
My PS3 recently got stolen. I was informed that the detective assigned to my case can contact Sony with the serial number and MAC address to track it down. I realize that there is this way: "If all you have is the serial number SCEA would need the MAC address, and only SCEJ has the "master list" of serial number to MAC address comparison. All SCEA would need from your local PD is an affidavit request / warrant (whatever their specific agency prefers to use or call them) asking SCEA to acquire said information." However, I also realize that I can find my MAC address through the command prompt on Windows. However, there is more than one MAC address (or physical address, as referred to on the command prompt). My question is, how do I know which one is the same as my PS3 MAC address?
There are these choices:
Wireless LAN adapter Wireless Network Connection 2:
Wireless LAN adapter Wireless Network Connection 2:
Ethernet adapter Local Area connection
Ethernet adapter Bluetooth Network Connection
Aug 17, 2012
How to send a file using the command prompt?
Jul 21, 2012
Is there any way to send the file using the command prompt, an option for sending a file if we have the IP address of the person to whom we want to send the file?
Jan 9, 2012
Having an issue with a WLC 5508 using ACS 5.2 TACACS+ protocol to do device management. The problem statement is: after keying in the username and password on the WLC login page, it endlessly prompts for authentication on the WLC. Whilst on ACS monitoring and reporting I am able to see it is successfully authenticated, shown at AAA protocol > TACACS+ Authentication. On ACS, the shell profile for this is set to role1, value = ALL.
May 28, 2013
We have a pair of ASAs running the 8.0 (old) version. The way we create outbound rules is through ASDM, and when we need to open outbound connections to a server on the internet, we create a named object with the IP address configured manually. But practically, this doesn't work, since the server is a server name which can resolve to multiple addresses. Every time the server changes its IP, the ASA rule needs to be updated. Is there a difference if we add rules through the CMD prompt as opposed to ASDM, where we need to enter IP addresses?
Mar 5, 2012
I have a problem with a WS-C4006 Cisco Catalyst that LMS doesn't collect and puts into the "never collected" area. I also see that those devices don't show the classic prompts ">" and "#". Could that be the main problem? If yes, how can I configure LMS to recognize a different prompt for devices?
Jan 25, 2013
Received this unit from an individual who has very little knowledge (like myself) of the 800 series.
I'm having issues just getting into this device. When I power it on and console into the unit I am presented with an "Access Verification" prompt that requires credentials that I do not have/know.
At some point (not sure how) I managed to get to a "yourname#" prompt, at which point I configured using this document here and created a username and password and some other basic settings. I saved the config and did a reload, and it takes me right back to that "Access Verification" prompt.
Should I be using the CCPE to gain access to this device instead? Is there a way to recover that "Access Verification" username and pass? How did I ever get to that "yourname#" prompt?
Jun 5, 2013
I don't have a USB to serial adapter handy, and was wondering if anyone has had success breaking to the ROMMON prompt during system reload (boot sequence) using the USB console on a Cisco 1941 router?
Feb 9, 2011
My Verizon USB connection to the internet suddenly stopped connecting to Napster. The prompt says: "Server is unavailable at this time." No one at Verizon has a clue about fixing the problem, which Napster says is a Verizon connection problem. What to do?