Cisco VPN :: Cut-n-paste Cert Enrollment With MS 2003 CA?
Aug 14, 2005
When trying to do a cut-n-paste enrollment of a Cisco 3725 router with a Microsoft Windows Server 2003 CA I get the following error on the CA:

Certificate Services denied request 8675 because The request subject name is invalid or too long. 0x80094001 (-2146877439). The request was for OID.1.2.840.113549.1.9.2=rtr31slied3.unit4agresso.com. Additional information: Error Constructing or Publishing Certificate

This is when I use the router or webserver certificate template. The only template that does work is the user certificate, but then you get error messages that the router name doesn't match the cert name. The 3725 is running IOS version 12.3(14)T3. How can we get the right templates to work?
View 3 Replies
Apr 11, 2013
I work in a lab testing interoperability between Avaya and Cisco VoIP products. I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP going through an ASA 5510 to a backend IP PBX.
Environment: Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES; Cisco ASA 5510 running 9.0(1)
I would like to setup certificate enrollment between a Windows Server 2008 R2 and a Cisco ASA 5510. Here are the commands that I use for the Cisco ASA 5510:
crypto key generate rsa modulus 2048
crypto ca trustpoint ASA5510-trust
 enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
 enrollment retry period 5
 enrollment retry count 3
 password Interop123
 exit
crypto ca authenticate ASA5510-trust
crypto ca enroll ASA5510-trust
Everything works as expected until I try to enroll. There is no prompt for the enrollment password and the certificate request is denied.
ciscoasa(config)# crypto ca enroll ASA5510-trust
%% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
% Include the device serial number in the subject name? [yes/no]: No
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ciscoasa(config)# The certificate enrollment request was denied by CA!
Why isn't there a prompt for the enrollment password? BTW, if I set "enforcepassword" to "0" in the Windows registry, then it works.
View 1 Replies
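The two posts above turn on what actually sits inside the PKCS#10 request. The first post's CA log shows a subject whose only attribute is OID 1.2.840.113549.1.9.2, which is PKCS#9 unstructuredName (the attribute IOS uses for the FQDN), with no commonName at all; whether a Windows CA template accepts such a subject is a template question, and the usual IOS knob for adding a CN is the trustpoint's subject-name command. The second post's SCEP exchange carries the enrollment password as the PKCS#9 challengePassword attribute (OID 1.2.840.113549.1.9.7) of the same request, which is consistent with the ASA taking the challenge phrase from the trustpoint's password line instead of prompting. The following added example is not from either post or from Cisco or Microsoft; it is a stdlib-only DER encoder/decoder that builds and inspects those two structures so you can see the difference between a subject with only unstructuredName and one with a CN, and whether a challengePassword attribute is present. The FQDN and password are taken from the posts; the DER bytes are constructed here, not captured from a device.

```python
# Added example: minimal DER handling for a PKCS#10 Subject Name and the
# challengePassword attribute. Stdlib only; sample values are constructed.

OID_NAMES = {
    "2.5.4.3": "commonName",
    "2.5.4.5": "serialNumber",
    "1.2.840.113549.1.9.2": "unstructuredName",   # PKCS#9; IOS puts the FQDN here
    "1.2.840.113549.1.9.7": "challengePassword",  # PKCS#9; SCEP carries the password here
}
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}

def _length(n):
    """DER definite length: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV from dotted form (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def tlvs(data):
    """Yield (tag, contents) for each TLV found in `data`."""
    pos = 0
    while pos < len(data):
        tag, first = data[pos], data[pos + 1]
        if first < 0x80:
            length, pos = first, pos + 2
        else:
            n = first & 0x7F
            length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
            pos += 2 + n
        yield tag, data[pos:pos + length]
        pos += length

def build_name(attrs):
    """Name ::= SEQUENCE OF RDN; each RDN here is a SET with one AttributeTypeAndValue.
    PKCS#9 attributes are emitted as IA5String, X.520 ones as UTF8String."""
    rdns = b""
    for oid, value in attrs:
        tag = 0x16 if oid.startswith("1.2.840.113549.1.9.") else 0x0C
        rdns += der(0x31, der(0x30, encode_oid(oid) + der(tag, value.encode())))
    return der(0x30, rdns)

def parse_name(name_der):
    """Return [(attribute name or dotted OID, value)] for a DER Name."""
    ((_, seq_body),) = list(tlvs(name_der))
    out = []
    for _, rdn in tlvs(seq_body):
        for _, atv in tlvs(rdn):
            (_, oid_body), (str_tag, str_body) = list(tlvs(atv))
            if str_tag not in STRING_TAGS:
                raise ValueError("unsupported string tag 0x%02x" % str_tag)
            dotted = decode_oid(oid_body)
            out.append((OID_NAMES.get(dotted, dotted), str_body.decode()))
    return out

def common_names(name_der):
    return [v for k, v in parse_name(name_der) if k == "commonName"]

def subject_matches_host(name_der, fqdn):
    """True when some commonName equals the device FQDN (case-insensitive)."""
    return any(cn.lower() == fqdn.lower() for cn in common_names(name_der))

def build_attributes(challenge=None):
    """CertificationRequestInfo.attributes: [0] IMPLICIT SET OF Attribute."""
    attrs = b""
    if challenge is not None:
        values = der(0x31, der(0x13, challenge.encode()))   # SET OF one PrintableString
        attrs += der(0x30, encode_oid("1.2.840.113549.1.9.7") + values)
    return der(0xA0, attrs)

def parse_attributes(attrs_der):
    """Return {attribute name: [values]} from the [0] attributes block."""
    ((_, set_body),) = list(tlvs(attrs_der))
    found = {}
    for _, attribute in tlvs(set_body):
        (_, oid_body), (_, values) = list(tlvs(attribute))
        dotted = decode_oid(oid_body)
        found[OID_NAMES.get(dotted, dotted)] = [v.decode() for _, v in tlvs(values)]
    return found

def has_challenge_password(attrs_der):
    return "challengePassword" in parse_attributes(attrs_der)

if __name__ == "__main__":
    fqdn = "rtr31slied3.unit4agresso.com"            # from the first post
    only_fqdn = build_name([("1.2.840.113549.1.9.2", fqdn)])   # what the CA log showed
    print(parse_name(only_fqdn), "has CN:", bool(common_names(only_fqdn)))
    with_cn = build_name([("2.5.4.3", fqdn), ("1.2.840.113549.1.9.2", fqdn)])
    print(parse_name(with_cn), "matches host:", subject_matches_host(with_cn, fqdn))
    print(parse_attributes(build_attributes("Interop123")))   # second post's password
    print("password attribute present:", has_challenge_password(build_attributes()))
```

Run it as-is to see the first post's subject decoded as a single unstructuredName with no CN, then the same FQDN with a CN added, then an attributes block with and without the challengePassword. To check a real request, hand parse_name the DER of the Name from a decoded CSR (openssl asn1parse will give you the offsets) rather than the constructed bytes used here.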
May 26, 2013
I have a new ASA 5505; we have the same model in production.
So I copied and pasted the same config; both ASAs have the same IOS version 8.4(3).
But the VPN is not working. Is it because of this? ikev1 pre-shared-key *****
When I copy-paste the config the password is still like this: *****.
How can I copy my config to the new device without entering the password again?
View 6 Replies
Feb 21, 2011
We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
"Error 42: Unable to create certificate enrollment request"
when we attempt to use the Online enrollment method to create and enroll a new certificate. There is no additional information in the VPN client logs, where we have set 3-High for all logs. In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enroll a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrollment dialog
2. Select Online
3. Select <New> for Certificate Authority
4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
5. Click Next to display the dialog where we can enter certificate details
6. Enter details in all fields except IP Address and Domain
7. Click Enroll which shows a dialog with the Error 42 ... message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrollment request. The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64-bit machine and attempted the steps listed above.
View 2 Replies
Sep 1, 2012
I don't know how to copy / paste the ipconfig output so I took a screenshot of it: (url). My internet provider is RCN. I have AVG and Malwarebytes installed; I've tried disabling them both and it didn't fix it! Anyway, my internet was working fine until one day it just suddenly stopped working. We have multiple computers hooked up to the network (5) and all work except mine. This same problem happened to my sister's computer; she has almost the same model as mine. We fixed it by switching it to wireless, but I was wondering if there was any way around that. It's an HP Pavilion. The box thingie lights up green and everything. I can access the other computers through the network; it's just the internet that won't work.
View 3 Replies
Nov 18, 2011
My Win 7 shows 2 network adapters in Device Manager in my Acer AO 722 netbook. My desktop has XP and only shows one adapter. I believe one of the adapters in the Acer netbook is wireless (being a new machine) and the desktop is an older PC with a wired adapter. Could I copy the wireless adapter and paste it into my desktop, to enable wireless connections? Obviously, we are not talking about actual cards; they are all integrated into the motherboard.
View 2 Replies
Feb 28, 2012
I have 100+ 3750's that are running various IOS versions, some stacked and some not, and all seem to have the same problem. If I attempt to paste a configuration into the terminal session I get booted after about 10 to 15 lines. This happens when using SSH and Telnet. Telnet will go a little further before I'm booted. After I'm booted it sometimes takes a minute before I can log back into the switch. Any issues pasting configs into a 3750 via a VTY session?
View 4 Replies
Apr 1, 2013
I installed a chained SSL cert on our anchor/guest 4402 a few years ago. We now have a need to replace the 4402 w/ a 5508, and I got everything configured, ready to go, except that darn cert. I can no longer locate the private key that was used to sign the original CSR. Is there any way to export the current cert from the 4402, so that I can import it to the 5508? Or am I SOL?
View 3 Replies
May 1, 2013
I am wanting to use a cert signed by DigiCert or VeriSign on my ASA so that AnyConnect doesn't freak out with the untrusted cert. I have created the CSR, and I uploaded the certificate, but it is still showing the old self-signed untrusted cert.
View 5 Replies
Dec 5, 2011
How to install a wildcard certificate with only the .cer file? I've found quite a few things here in the forums, but everyone seems to also have a PKCS12 file, which I do not.
This is an ASA 5510 on ver 8.4.
View 6 Replies
Oct 14, 2012
I know that CSRs cannot be generated with multiple names, but if the SAN is added after the cert is ordered from GeoTrust, VeriSign, etc., can the CSS support using the cert?
View 1 Replies
May 29, 2012
I have a need to utilize two factor authentication using a machine certificate and the user's AD credentials. What we would like to do is to have the ASA and AnyConnect verify the certificate exists, check against our in-house CA for validity, and if valid pass the user credentials to the AD servers and establish the tunnel. If not valid, quarantine the session and pop a message to the user to contact the help desk ASAP. My guess is the following (using ASDM 6.6, ASA 8.6.1, ASA 5545-X):
1. Under the connection profile I have selected BOTH for authentication and added a AAA server group.
2. under Cert Management I have added the 3 certs that are present on all company mobile assets
- Cert America
- Cert Europe
- Cert Root
3. I have an identity cert installed from the company CA and it is selected as the device cert under connection profiles
4.Local Cert Authority is Disabled
5.Under Remote Access>Advanced>Certs for AnyConnect>
- I have mapped DefaultCertificateMap pri 10 to the Company_Cert connection profile
- The mapping is looking for Subject: CN: <Contains> (string) ----where string is a common component of each cert listed in #2.
Question #1 - Is this correct for utilizing certs and AD auth or have I missed any steps?
Users are directed to an initial installation URL, where the AnyConnect client performs the installation and passes down the initial AC profile which auths using only AD creds. On subsequent connections users who pass the certificate mapping check are migrated to the connection profile which uses the dual authentication method.
Question #2 - When I attempt a new installation of AnyConnect using the two factor URL, I receive an error "certificate validation error" and the installation fails; for the life of me I can not figure out why. The machine has all three certs, using IE9 as the browser.
View 3 Replies
Apr 15, 2013
I am basically looking to install the wildcard on the outside interface for my ASA
View 1 Replies
Sep 24, 2012
I have a Cisco 5508 WLC on which I have set up WebAuth and am trying to install the certificate. I have generated the CSR and gotten my cert from VeriSign (X.509, server platform=Apache). I have followed the instructions in the Cisco documentation url... I found an error in uploading and found out how to encrypt my key: url...
I am also having exactly the same issue with a certificate from Thawte. I followed the unchained guide and have tried both with and without a password in the initial key generation step, requesting a new cert each time. As with Jeensernchew's issue, there are no errors in OpenSSL, but when uploading the cert to the WLC I get the following error. [code] The WLC is running version 6.0.196.0. I am using OpenSSL 1.0.0 29 Mar 2010.
When I requested the cert from Thawte I was asked to specify the device type; I chose Cisco, but as all the work and conversion is being done by OpenSSL, should I have chosen differently? When I do this I can load the cert in the 5508, but the controller fails and doesn't allow that VLAN or config access to the wireless network. I am at a loss as to why I can load it and it not work. I have verified my hostname and password and those are good.
View 1 Replies
Mar 29, 2006
We currently are using a self-signed cert (for PEAP machine authentication) that was created on an ACS 3.3 appliance. That cert was manually installed on our laptops when they were configured for wireless connectivity. My problem is, that self-signed cert will soon be expiring and I am not sure what needs to be done to issue a new cert AND deploy it to my Windows XP Pro clients without a service interruption. If possible, I'd like to leverage our existing AD infrastructure for this, but I need some direction, and time is of the essence!!
View 2 Replies
Jan 21, 2013
I've seen a bunch of discussions on the untrusted server cert error with self-signed certs. But I have a valid wildcard that I use on my ASA. How do I make that work without the untrusted server cert error?
View 5 Replies
Mar 7, 2012
I have a client that needs to update a certificate on their 2125 controller. They have created a .pfx cert that does not work because of the file type. I wanted to see what the best practice would be for me to follow in installing this cert, and whether I need any additional cert like a CA. I found a document but am not so sure that it is exactly what I need.
AIR-WLC2125-K9 : JMX1248K0EL
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.188.0
RTOS Version..................................... 6.0.188.0
[code]....
View 2 Replies
Apr 22, 2012
So since my web auth cert is expiring I got it renewed from VeriSign and they sent me back the file. Do I need to again combine the "myprivatekey.pem" file and the new one that I got and then load it on the WLC? Can't find any guidelines and instructions from Cisco on this. Or do I need to go through the whole regeneration of CSR process again etc.?
View 3 Replies
Aug 16, 2012
Am I able to use an SSL cert in the proxy list for the same VIP but on a different port?
View 1 Replies
Oct 20, 2012
We are currently evaluating ISE and I am stuck with the PEAP authentication (with server side cert). Our current setup consists of two 5508 controllers and 30+ access points. For authentication we are using PEAP with (server side cert). We have an IAS server which is also acting as a CA server. We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. I would like to use ISE for authentication. I would like to use PEAP with server side cert (similar setup to IAS). I want ISE to perform the same function in addition to profiling etc.
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side cert). I would also like to know if they used Microsoft’s CA server or an OpenSSL CA server or a third party CA server (Go Daddy, VeriSign etc.). Can we use ISE as a CA server just the way we used Microsoft’s IAS Server as a CA server?
View 8 Replies
Nov 30, 2011
I have ACS4 and I am planning to upgrade to ACS5. I would like to have such rules: I have user1 and one ASA device which is the VPN concentrator for remote users. The ASA has two different tunnel-groups: one which allows logging in via certificate (with mandatory PKI authorization through ACS) with disabled Xauth, and a second tunnel-group which allows login through typical Xauth with authorization through ACS which uses an external database (RSA tokens). So I have one user1 which can log in through VPN using an RSA tokencode or a certificate. For example: on a phone user1 uses the certificate, and on a PC station the same user1 uses the token password. For the tunnel-group with PKI authorization the ASA checks the username in ACS, and in the typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user: one for PKI authorization, and a second one for the external database (RSA token). Is such a scenario possible under ACS 5, where one user uses different credentials based on tunnel-group usage?
View 2 Replies
Sep 14, 2011
I have a LAN with 6 PCs and a DELL PowerEdge 2900 running SBS 2003. I have a NAS device but am having trouble setting it up. The device is an INNS04-4200. When I connect it to the ethernet cable (and I've tried 3 that were ok with other devices) the NAS software can't see the storage device and I can't work out how to get on to it using a browser. This is a link to the manual: url... The NAS has had a factory reset, but I can't work out how to connect to it to name it etc.
View 19 Replies
Mar 13, 2012
How is it possible to use OWA / SSO with WebVPN? I have already configured the bookmark as below:
Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Bookmarks -> Add/Edit your Bookmarks URL:
Advanced Options: Post
destination: URL: 0
username: <yourdomain>CSCO_WEBVPN_USERNAME
password: CSCO_WEBVPN_PASSWORD
SubmitCreds: Login
trusted: 0
But it didn't work. The users are authenticated using LDAP.
View 2 Replies
Aug 23, 2012
I am trying to lab up an ACS 5.2 with Windows 2003 AD for PEAP authentication. But my ACS does not join the AD and throws an error "cannot resolve network address". But when I do an nslookup on the ACS CLI, the same domain wireless.abc.com returns the IP address of my AD. I think I am missing something in the Windows AD/DNS configs here as I am not a Windows AD expert.
1) My AD domain is wireless.abc.com. In my DNS, I have a zone called wireless.abc.com and I have added a "New Host" in that DNS zone with the "name" blank, providing the IP address of my AD (AD and DNS are on the same Windows installation). Is this the right way to do it?
2) I should be entering "wireless.abc.com" in the ACS Active Directory domain name field and do a test connection, right?
View 15 Replies
Feb 27, 2011
I am in the process of setting up an ACS evaluation that will authenticate against a Windows 2003 AD. I am currently testing this with AAA TACACS+ but will eventually set up 802.1x authentication. My problem however seems to be between the ACS and AD.
I have the AD External Identity store configured and successfully tested for connectivity. I created a shell profile and a command set and also created an access policy for Device Admin. I added the AAA commands to my test switch and do get prompted for username and password. This is where my issue starts. Regardless of what username and password I enter, I always fail authentication. At least that is what is in the reports, and I have 0 hits on my Access and Authorization policy rule. I am using as basic a config as I can get, simply using a "contains" from one of the groups I am in for the policy rule. I had a non-AD admin account to start with, thinking maybe a rights issue with the AD account, but have moved to an AD admin account with no change in the results. I saw a post somewhere that the time stamps on the AD server and the ACS had to almost be perfect and recommended that NTP for ACS be the AD server as that could cause issues, and I have done that as well with no change. I am wondering if there is something specific I needed to configure or something I missed between the ACS and the AD? Is there a way I can display what is passed back and forth between the ACS, or the switch, and AD to verify content? I put a call into my local SE and he is as puzzled as I am.
View 1 Replies
Nov 14, 2011
Is it possible to use Server 2003 SMB with IAS WITHOUT a certificate? So someone with a laptop could get on the WLAN with their AD credentials without me giving them a cert?
View 13 Replies
Mar 14, 2013
I'm currently in the process of replacing SBS 2003 x 64 on my Poweredge 2900 server. I would prefer to upgrade to Windows 7 x 64, but would do XP in a pinch.
View 4 Replies
Jul 20, 2011
Our 2003 server is a desktop without wireless, but it still shows "WAN" connected along with "LAN" connected when I open the "view network connections" window. How is that possible?
View 6 Replies
Sep 18, 2011
How do I disable ICF in Windows 2003?
View 1 Replies
Sep 14, 2012
I can't remote to Server 2003. On the server, Enable Remote Desktop is grayed out with a check mark. Remote Assistance is not grayed out and has a check mark. When doing a Remote Desktop connection from a workstation, here is the error message: Remote Desktop can't connect to the remote computer for one of these reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network.
Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.
View 3 Replies
Jul 23, 2011
I have Server 2003 SP2 with "AD". Everything was working just fine until yesterday, when the server went down. I cannot ping the "server" or its IP from any PC and I cannot ping anything from the server; it can only ping itself ("localhost", "server", 192.168.1.1, 127.0.0.1). When the problem happened I checked the server and the ipconfig was changed to:
192.168.1.1
255.255.255.0
192.168.1.254
127.0.0.1
8.8.8.8
The DNS server was changed! Now my server is clean and I reconfigured my DNS server, but no DNS is working in my network, neither the AD server nor the DSL router.
View 10 Replies
Feb 20, 2012
How to update Windows 2003 from a CD?
View 2 Replies
Jun 26, 2012
We're having problems accessing 'our own' externally hosted website with SBS 2003. I know this is commonly a DNS issue, but I cannot for the life of me get to the bottom of this. The site is hosted on a web host.
Here are the facts:
- SBS 2003 w/single NIC. D-LINK DIR-655 router.
- DNS internally is handled by SBS, DNS forwarders set in order: 208.67.222.222, 208.67.220.220 (OpenDNS Servers)
- Trying to browse website from the SBS server or any other machine on network
- Gateway is router (192.168.1.1)
- Trying to access our own web site, hosted by a 3rd party. Trying both example.com and www.example.com - Both are simply redirected to search pages.
- Trying to get to OTHER websites hosted on this same IP also fail
Problem description:
1 - Website works fine outside this network (i.e., from my house, other sites)
2 - Pinging example.com resolves to correct IP and responses are received
3 - Nslookup resolves correct IP
4 - Trace resolves correct IP and completes successfully
Troubleshooting steps:
1 - ipconfig/flushdns
2 - Restarting DNS service on SBS 2003 server
3 - Adding host entry for the domain/IP
4 - Restarted SBS 2003 server
5 - Adding forward lookup zone for example.com > adding A record for www pointing to IP
View 19 Replies