Cisco VPN :: Two-factor Authentication Recommendations For ASA 5510
Dec 19, 2012
I'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?
I would like to know: does Cisco ACS 4.x / 5.x natively support two-factor authentication, rather than acting as a RADIUS proxy?
How can two-factor authentication be implemented using Cisco ACS 5.1 & Vasco?
Has anyone tried to get two-factor authentication working with the ASA 5505? I have a CA set up and the enrollment emails are being sent out, but when I go to log in to the enrollment site at [URL], I get a page not found.
I would like to have one factor be a username and password and the second factor be a certificate on the device.
Two-factor setup with Symantec VIP? I just finished setting it up; the VIP service and the SA520 seem to be synchronizing correctly, but the device doesn't direct VPN users to the second authentication?
I want to set up two-factor authentication via ACS 5.2 TACACS+ without having to use a token (such as the one by RSA). Is there a way to do it?
More info:
Users from unconnected AD domains will be connecting to the routers and switches.
There is a certificate server available to generate certificates.
SSHv2 is the current login protocol.
I was very excited to read about the two-factor authentication that Cisco and Verisign offer through the VIP and SA500 series routers. I purchased an SA540 a month and a half ago. I have been on the phone with support of both Cisco and Verisign ever since. It appears no one actually knows how to make the product work. Finally I was told that they have only tested it on an SA520. So I bought an SA520; however, it doesn't work either. Is it possible to use the Verisign VIP two-factor authentication with either an SA520 or SA540? If so, what is the trick? If not, how is Cisco advertising this product if it doesn't actually work?
I am trying to set up SSL VPN with two-factor authentication on an ASA 5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect. I have imported the CA's root certificate, signed an identity cert for the ASA box and imported it, and assigned the cert ("trustpoint") to the outside interface. Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select the authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of whether I have a valid signed cert or not. This is what I see with "debug webvpn 100":
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = c98f3940
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!
Embedded CA Server not enabled. Logging out the user.
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert? Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything: whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".
Some highlights from the config:
crypto ca trustpoint ASDM_pfirewall01.company.tld
 enrollment terminal
 fqdn pfirewall01.company.tld
 subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik
 keypair company
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check crl none
 enrollment terminal
 crl configure
  no enforcenextupdate
  no protocol ldap
  no protocol scep
crypto ca trustpoint ASDM_pfirwall01.company.tld
 revocation-check crl
 enrollment terminal
 no client-types
 crl configure
crypto ca certificate chain ASDM_pfirewall01.company.tld
 certificate 02
    30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030
    <snipped rest of cert>
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00e2a6f08003ded6c9
    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886
    <snipped rest of cert>
  quit
crypto ca certificate chain
[code]....
We are replacing our old PIX 515e this weekend with a brand new ASA 5510. With this new installation, I would like to implement RADIUS authentication for remote VPN users. Changing the company's firewall has many impacts, and for the first phase the users will keep authenticating locally, but I need that in phase 2 they will be authenticated via a RADIUS server. Is there a way to configure both authentication methods for remote VPN users?
All users will be authenticated locally except the members of the IT Department, who will be authenticated by the RADIUS server for testing. I have remote VPN users around the world, so I do not want these users to be blocked by the testing of the RADIUS authentication. What I want is that users in group1 will be authenticated locally on the ASA and users in group2 will be authenticated by RADIUS. When testing is done, all users will be transferred to RADIUS authentication gradually.
I'm changing SSL VPN from AAA authentication to both AAA and certs: Server 2008 CA, 8.2 ASA 5510, SSL client 2.5.1025 and Windows 7 users. My question is what the template of the ID cert that I receive from the CA should be.
I am facing strange behavior in Windows 7 and Windows Vista. I have a client program on my PC and a server program outside the network. I can see that sometimes TCP window scaling is working and sometimes not. In the first log, after the 3-way handshake is established, I can see data transfer happening because from the log I can see it is setting the scaling factor.
But for some cases where I see that the connection happened but data transfer is not happening (maybe my network does not work without scaling..), I can see my Windows TCP stack has not set scaling in the SYN request. Hence in the 2nd log I can see "Scale factor not supported"... though I enabled scaling in my Windows.
You can see in the 2nd log :: [ Win=8192 ( ) = 8192 ] - not setting the scaling factor sometimes. How do I fix this issue so that Windows 7 / Vista always sets scaling in the SYN request?
My TCP settings:
Receive-Side Scaling State : enabled
Chimney Offload State : automatic
NetDMA State : enabled
[code].....
I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users.
I have configured an ASA 5510 as an SSL VPN gateway, version 8.2(4), AnyConnect Essentials. The clients are authenticated via RADIUS and an OTP password. All worked well until yesterday, when I made some configuration changes. My objective was that the clients accept the self-signed certificate issued by the ASA without giving the warning about the private cert.
So I tried to generate a new certificate with an FQDN equal to myasa.mydomain.com and also CN=myasa.
Then I changed the AnyConnect profile XML file in this way: [code]
I have a problem with LDAP authentication. I have a Cisco ASA 5510 and a Windows 2008 R2 server. I created LDAP authentication:
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
 server-port 389
 ldap-base-dn dc=reseaux,dc=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local
 server-type microsoft
But when I test, I get an error (the user account works directly on the server):
test aaa-server authentication LDAPGROUP host 10.0.1.30 username user password *****
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified
I currently have a working metro Ethernet connection between our main office and a branch office. I am tasked with building a redundant route for this site, in case the metro-E line goes down. We are purchasing two cable Internet lines at each site and I plan on buying two Cisco routers to do the VPN tunnel via the new cable Internet connection. The metro Ethernet connection currently has two HP 3500s at each end at the moment. Two questions:
-How will OSPF and VRRP factor-in to such a setup?
-What Cisco routers are recommended that can utilize this protocol?
The HP 3500s can do either OSPF or VRRP. I have been purchasing and setting up refurbished Cisco 1811 routers for other VPN tunnels and they work great.
When we configure an ASA 5510 8.2(5) to authenticate with an ACS 5.x server, it does not authenticate; we get an authentication fail error.
I have the following problem. I configured VPN authentication with LDAP on a Cisco ASA 5510. It works fine, but one thing doesn't work. If I configure the user in my Active Directory for "User must change password at next login", the message for the password change comes up (see screenshot AnyConnect1), but if the user wants to change his password, the password will not be accepted by the system (see screenshot AnyConnect2). In the Group Policies on my Active Directory I disabled all features (see screenshot Pic1). I tried all combinations for the password, but nothing will be accepted. I configured LDAP over SSL, and in the Tunnel Group I enabled password management with "Notify user 2 days prior to password expiration".
I have a little problem with my ASA 5510 version 8.2(1) with an IAS RADIUS server for strong authentication.
I have configured a double authentication for my client to access SSL portal:
First authentication: AD server
Secondary authentication: IAS for my SafeNet Aladdin token. The IAS server is declared on a W2K3 server and it's standard.
The problem I have is that after more than 24 hours of inactivity, when I try to log in, my authentication fails the first time, and then the other tries work fine as long as I use it within a period of 24 hours.
I first thought about the timeout, so I tried to put a "timeout" of 15 seconds for the AD and IAS servers and a "retry interval" of 3 seconds; it doesn't change much.
Is there a tool/option in the ASA to check connectivity with the RADIUS server every hour, for example?
What I want to do is simple: I want any member of the Administrators group to be able to authenticate on our ASA 5510 based on their AD credentials.
What is the correct Cisco procedure for that?
I've set up my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satisfied with at the moment is that RADIUS is using PAP for communicating between the ASA 5510 and W2K8/NAP. I've tried ticking the "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server. From Event Viewer on W2K8/NAP I get Event ID 6278 and 6272 (see attached file). How do I change from the PAP to the CHAP protocol?
PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)
I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPsec remote access VPNs, and the group-lock feature works fine.
WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing. From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.
I have a strange problem in my ASA 5510 firewall. I turned on the HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use a simple web browser to access the svn server, it works, but any svn-client requests fail with the error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the WebDAV request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of successful and failed conversation packets:
Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
Packet #4 is the actual differentiator.
I found one mention of that error with this assessment: "Older firewalls/proxies do not understand the WebDAV-related HTTP requests for accessing Subversion using HTTP" [URL] in that post, but no useful tips.
Can I have multiple pools and multiple group authentication on an ASA 5510 for various departments, along with restricted access if any?
The topics I'm looking to learn about: VRF, multicast, different VPN types, MPLS, etc., GRE tunnels, IPS/IDS configuration. I know about Routing TCP/IP, Volume 1 and Volume 2 by Jeff Doyle. I don't have them, but I'm interested.
I have a client who uses a DSL 10 MG circuit as their backup circuit for Internet connectivity in case of a failure. The circuit uses a DSL modem that is unreliable. I was recommending yesterday to the client that perhaps we could place a Cisco router in place of the residential-grade DSL modem/router currently in place. I wanted to place a 1900 ISR G2 in there, which would allow me to swap the DSL module out whenever I can talk the company into a Metro E connection. At that point I could swap the DSL module out and put an Ethernet module in to receive the Metro E. I was not able to find a solution last night using the Dynamic Configuration Tool. It seems DSL has been phased out. Is there any recommendation that could be made to accommodate this client's request for a Cisco router that will handle DSL?
Looking to fine-tune Cisco IPsec client RA-VPN authentication on our ASA 5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.
We have two 2100 WLC's that support 12 access points. One has been sitting in a box for some time, but we're at the point where we need to add additional access points that will put us in excess of the 12 limitation. What is the best way to go for installing the second WLC?
I have two 5508 WLCs set up to run about 200 APs at the moment. This is a hospital with patient care now running over wireless. I am looking for the best scenario to minimize downtime. Currently both controllers are in the same mobility group and I will be setting the primary/secondary controller in the High Availability tab for each AP. Most settings are all default still.
My question:
Would it be better to set up the primary/secondary from the global configuration?
Can I leave them in the same mobility group if I use the global configuration?
My only problem so far is that having APs on different controllers caused some response delay as clients move from one controller to the other. I need to find the best possible response time with the lowest possible fail-over time. Any recommendations or links to a good article on this subject?
I have been trying to set up a home network to my detached garage office for personal use. I currently have a wireless network in my house, but the distance from that router to my detached garage computer is too great to reach by normal, conventional means. The distance is approximately 100 feet through brick, glass, vinyl siding, drywall, etc. I am unable to relocate the router that controls the wireless network due to cabling issues, plus I am not sure of the reliability of Ethernet cable from the base router to the garage. Currently I am running off two modems (one in the garage and one in the house), but the expense is ridiculous. Do you have any recommendations to get my garage desktop on the wireless network? Powerline adapters? Access points/repeater?
I am looking for recommendations on a device to put at the forefront of our network, mainly for web content filtering. Our network is currently set up like this: We have two Internet providers, one for each network. The networks are physically separate except for a Cisco 3560 which is used for failover. In the event one ISP goes down, one network can use the other's ISP; however, it has no access to the other network beyond that switch. Currently, each network has a web content filter (SmartFilter) server which is going end of life in a year. We would like to replace each server with a single box at the front of the network for filtering. Other bonuses would be things such as bandwidth control, virus protection, etc. Perhaps the most important thing is to make sure our ISP bandwidth download speed does not get hampered by the device we choose to put at the front. We have 50mb download on one and 30mb on the other. If the device throttles the download at 10mb then it's useless to us.
If you had to choose between Dell and another OEM manufacturer for a server to be used in a 1-20 user/employee/computer office network, which OEM would you go for? For a long time I have been recommending/selling Dell servers to my SMB clients (mainly the PowerEdge T series) and am pretty comfortable working with these servers. However, I'm also a Lenovo business partner and they seem to have some aggressive pricing. Have any of you used Lenovo servers lately? Pros/cons? Warranty support good? I noticed HP is now selling Microsoft software licenses as a kit when you purchase a server, appearing to be discounted, even compared to buying the licenses separately through a volume agreement.
Also, being that most of my clients in the 1-20 user/employee/computer office environment are looking at their bottom line, how would you configure a new server to run Microsoft SBS 2008 (some using Exchange, others not yet but may in future)? RAID1/5/10? 8GB RAM enough? Intel Xeon E5600 series processor? SATA or SAS drives?
Here is how I would normally build out a server from Dell:
single Intel Xeon E5620 processor
8GB RAM
PERC RAID card configured in RAID1
500GB SATA drives x 2
SBS2008 (I don't have much experience with SBS2011 yet, figured it would be best to let others work out any potential issues first)
We're looking for recommendation of remote controllable PDUs that support a phone line connection for POTS (in case the core router is down and we need to remotely power cycle connected equipment) and RJ45 for control from the network (if the core router doesn't happen to be down).
Just received our new 6513E chassis and I am setting it up in the lab for testing. For prod we would like to run:
1 maybe 2 6704 10 gig cards
3 - 5 6748 cards
1 6724 SFP card
Sup720 setup, possibly upgrading to Sup32s in a few years. Right now for power supplies, I am using 2 WS-CAC-2500W, but I have to run the supplies in combined mode to get all of the cards online. What power supply should I be looking to purchase for this chassis?