Cisco Wireless :: ASA 5500 SSL Certificate Error?
Mar 4, 2012
I've recently installed SSL certificates for our web auth guest interface on our WLCs. I discovered that they required a Level 2 certificate to work properly. We are getting an untrusted certificate on our 802.1x SSIDs that authenticate against a 5500 ASA. A certificate was installed and has an error, showing the certificate as untrusted. My question is, does the 5500 ASA require a Level 2 certificate as well?
Apr 11, 2013
I work in a lab testing interoperability between Avaya and Cisco VoIP products. I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP going through an ASA 5510 to a backend IP PBX.
Environment: Windows Server 2008 R2, Enterprise Edition, AD with DNS, NDES
Cisco ASA 5510 running 9.0(1)
I would like to set up certificate enrollment between a Windows Server 2008 R2 and a Cisco ASA 5510. Here are the commands that I use for the Cisco ASA 5510:
crypto key generate rsa modulus 2048
crypto ca trustpoint ASA5510-trust
 enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
 enrollment retry period 5
 enrollment retry count 3
 password Interop123
 exit
crypto ca authenticate ASA5510-trust
crypto ca enroll ASA5510-trust
Everything works as expected until I try to enroll. There is no prompt for the enrollment password and the certificate request is denied.
ciscoasa(config)# crypto ca enroll ASA5510-trust
%
% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
% Include the device serial number in the subject name? [yes/no]: No
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ciscoasa(config)# The certificate enrollment request was denied by CA!
Why isn't there a prompt for the enrollment password? BTW, if I set "enforcepassword" to "0" in the Windows registry, then it works.
Feb 21, 2012
I have installed a new SSL certificate on our ASA 5500. I removed the old one, installed the new one, and associated the trust points with the interface we use for Web Connect and Any Connect connections.
They are still seeing the old expired certificates. Users can still log in and authenticate but I would rather them see the correct certificate.
Dec 19, 2012
When I get the web authentication dialog from 1.1.1.1 it starts off with a certificate error. Is there a way to prevent this certificate error while using the self-signed certificate? I have not been successful installing certificates on my WLC - problems with OpenSSL and others. Want to get this deployed but don't want users to have to encounter that error.
Jul 5, 2012
I have one 5500 and about 15 Cisco 3502 APs.
The problem is that one of the clients loses the connection to the network from time to time. The error in the WLC log is
*Dot1x_NW_MsgTask_0: Jul 06 17:42:38.934: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:843 Received EAPOL-key M2 msg has invalid information when mobile is in START state - invalid secure bit; KeyLen 24, Key type 1, client 00:21:6a:af:be:70
Nov 9, 2012
Cisco ISE 1.1.1 is giving a certificate error while trying to access any of the nodes. It started after adding other nodes to the primary node. Accessing by IP redirects to other nodes: for example, if we access the primary admin node by IP, it redirects to other nodes (secondary nodes or other nodes).
Oct 25, 2012
I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation. Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse end users.
Oct 15, 2012
When I access setup on an RV220W with Internet Explorer, Mozilla or Safari the following message always displays:
"There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address."
I access the router by clicking on "Continue to this website (not recommended)."
This also happens anytime a URL filter is triggered by a client. I.e., clients do not see the "Blocked by Cisco Firewall" message unless they also click on the "Continue to this website (not recommended)." option.
Even worse, when I attempt to connect as a VPN, the SSLVPN applet gets java connection refused. This is why I bought this thing!
What do I need to do to fix all these certificate related errors?
Jan 26, 2012
When I attempt to export the certificate for the quickvpn client via the router web interface, it looks as if the export works, and it asks me to save the zip file. However, upon opening the zip file I receive the error: The compressed folder is invalid or corrupted.
This happens in multiple browsers, from multiple machines.
Feb 3, 2012
: %DATACORRUPTION-1-DATAINCONSISTENCY: unterminated string in buffer of length 129, counted: 129 -Traceback= 4027CB2C 402B1E88 4052884C 40528A48 40528D08 40529188 40529358 403247E8 403247D4
Cisco Internetwork Operating System Software
IOS (tm) C5RSM Software (C5RSM-ISV-M), Version 12.2(46), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Thu 26-Apr-07 19:41 by pwade
Image text-base: 0x40010948, data-base: 0x410F41D0
[code]....
Sep 12, 2012
I am getting this error on our Cisco 5500 switch. What does it mean?
2012 Sep 13 14:49:37 PDT -07:00 %SPANTREE-2-RX_1QNONTRUNK: Rcved 1Q-BPDU on non-trunk port 3/20 vlan 72
2012 Sep 13 14:49:37 PDT -07:00 %SPANTREE-2-RX_1QPVIDERR: Rcved pvid_inc BPDU on 1Q port 3/20 vlan 72
2012 Sep 13 14:49:37 PDT -07:00 %SPANTREE-2-RX_BLKPORTPVID: Block 3/20 on rcving vlan 72 for inc peer vlan 235
2012 Sep 13 14:49:37 PDT -07:00 %SPANTREE-2-PORTUNBLK: Unblock previously inc port 3/20 on VLAN 72
Feb 21, 2011
We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
"Error 42: Unable to create certificate enrollment request"
when we attempt to use the Online enrollment method to create and enroll a new certificate. There is no additional information in the VPN client logs where we have set 3-High for all logs. In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enroll a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrollment dialog
2. Select Online
3. Select <New> for Certificate Authority
4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
5. Click Next to display the dialog where we can enter certificate details
6. Enter details in all fields except IP Address and Domain
7. Click Enroll which shows a dialog with the Error 42 ... message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrollment request. The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64-bit machine and attempted the steps listed above.
Jan 30, 2012
There is an ASA with remote access VPN, and users are authenticated using third-party signed certificates (CA is not local in ASA). When a user certificate expires I can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view a user's certificate expiry date beforehand, say, 3 days before?
Oct 19, 2012
I am working on ISE 1.1.1. Surprisingly, I couldn't find the certificate authority certificate at certificate operation anymore.
Would it be a change in the GUI? So now where can I import the CA certificate to ISE?
Oct 17, 2011
I had installed a third-party CA cert and device cert into the WLC. I would like to ask, is there any command that can delete these certificates?
Mar 12, 2013
I want to upgrade the WLC 5500 from 7.0.220.0 to 7.3.112.0. Could there be any risk if I do the upgrade?
Jan 16, 2013
I have a Cisco 5500 Software Version 6.0.199.4. Today I've been able to successfully add a few newly purchased 1242G APs to my WC so I know everything is set up properly. They got the proper DHCP info and I was up and running in a few minutes.
I'm now trying the same thing with a newly purchased Air-Lap1262N-a-KP.
I can read the bootup because I'm attached to it on the console. I see that it gets the proper IP#
But then I keep getting a "failed to decode the discovery response" error.
[code]....
Jan 5, 2013
Have WLC 5508 running 7.4 code; have WLAN set up to allow access to internal network. Users on iPads should be able to connect to this WLAN and authenticate via certificate instead of PSK. We have set up laptops that are part of the domain to use the internal CA for authentication to the WLAN. iPads are not part of the domain so we are not able to use the same model, or can we use the same model for authentication? How to set up the WLC to authenticate iPad users via certificate instead of PSK while connecting to the WLAN?
Apr 10, 2013
get an installed certificate to work on a 5508 WLC Controller without rebooting. Is there a way? Is it possible to just reload a process to get the certificate to work?
Feb 12, 2013
I am using webauth and need to install an SSL cert to prevent the "There is a problem with this website's security certificate" message. I have a wildcard cert that was issued by Network Solutions that I use on a couple of web servers I run, and want to know if I can use that for the WLC? It's a pks cert and I think the WLC needs to use a pem cert, so I converted the wildcard to pem. Or do I need to purchase a cert that is not a wildcard and is in pem format?
Sep 13, 2012
I have just set up a vWLC for lab purposes and it's up and running. I have a few used 1131 LAPs that try to join the AP but I just get DTLS certificate errors like these:
*Sep 14 13:25:27.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Sep 14 13:25:27.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Sep 14 13:25:36.198: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 14 13:26:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.105 (code)
These APs (I have tried 2 so far) have earlier been in use connected to a cluster of 5508s.
Dec 20, 2011
Digital certificate on the ACS Wireless network:
Checking the configuration of the Wireless Notebook no longer requires the digital certificate of the ACS and NVR122 NVR123 as worked in the past. The certificate is generated for the ACS root CA trusted by the COMPANY, so that the public CA certificate supersedes the previous ACS. Therefore, any host that is in the field of company would have access to the wireless network. With this, the 802.1x is working with a certificate that is common to all hosts in the field of business. How do I change it?
Nov 19, 2012
We have a WLC 5500 connected to a 2960 acting as core switch. There is a server attached to the switch, bearing all DHCP pools for LAN and wireless users. Can the WLC or the switch be configured in such a way that the wireless users associating to the WLC get their IP addresses from the DHCP pool configured on the server? Can the configuration be shared for such a setup?
Jun 1, 2012
I have an existing wireless network set up in my office. The existing WLC is a 4402 and the LAPs are 1130 & 1242; all are working fine, but we are now planning to use new 5500 series controllers for the same access points. I want to ask how I can do this job with very minor downtime and user disconnection + zero error results?
Jul 15, 2012
Our client has Cisco 5500 wireless LAN controllers. They connect to the core switch and other ports connect to various switches on each floor. Then we have Cisco AP 1300 series mounted on the ceiling. I was reading that lightweight APs get config from the WLC as soon as they plug in. Need to know how the AP gets config from WLC switches?
Jul 11, 2012
I have a quick question here: can AP BR1310 be associated with WLC 5500?
Jan 30, 2013
I have a Cisco Aironet 3502i access point which I am using with a 5500 Wireless Controller. I was configuring the AP for flexconnect and accidentally enabled PPPoE authentication - but never configured login details for PPPoE. Now when the AP boots up it tries to use PPPoE but fails - it never even looks for an IP address. I have no way to get the AP connected to the controller again. I tried logging into the AP via console; the AP gives me output but I never get a login, even when I hold down the Mode button during startup. I also tried holding the Mode button and waiting for the AP to boot with its default IP (10.0.0.1) and connecting to the AP via telnet, but I was unable to connect or even ping with my PC on the same network configured as 10.0.0.2. What can I do to set this AP back to defaults, to become a normal DHCP client, and reconnect to the wireless controller where I can reconfigure it?
Mar 4, 2012
The 5500 WLC would be the primary and 2500 WLC would be the secondary. The only need for the secondary would be in the event of failure of the primary, and support needs when doing maintenance such as code upgrades.
We would use the same version of code on each controller and apply the necessary amount of AP licenses on each. The controllers would have identical configurations and host multiple SSIDs, including offering guest services. Does the 2500 support guest network services?
Jan 8, 2013
I have a Cisco 2504 WLAN controller with 7.4 IOS. My query is, can I configure the MAC authentication with certificate based, and without using any external servers like RADIUS, ACS and LDAP?
May I know if there is an option on WLC…
Jan 2, 2013
I'm trying to connect to my wireless network using an Android device with a certificate but with no success. I'm using a WLC4402 7.0.235.3 SSID Security (WPA2 Auth802.1X + CCKM) [code]
Sep 3, 2012
I am planning to migrate from an old 4400 to a new 5508. I am happy with migrating the access points but I need to know if I can migrate the web authentication certificate used for guests. The new WLC will have the same virtual interface and DNS name to match the CN on the current certificate. Will this work or will I need a new certificate?
May 7, 2013
I have a Cisco WLC 2504 that is deploying authentication services to guest users through a customized and configured web portal. I need to install my VeriSign certificate (certificate.cer) into the Cisco WLC because my users don't like the untrusted page (the WLC is showing me "There is a problem with this website's security certificate") when they are trying to access the SSID for guest users.
Sep 26, 2011
I’m trying to configure EAP-FAST following the guide [URL]. But when I try to download the certificate, I receive the following message: “Error installing certificate.” In the logs I see:
*TransferTask: Sep 27 14:00:09.479: %UPDATE-3-CERT_INST_FAIL: Failed to install Webauth certificate. rc = 1
*TransferTask: Sep 27 14:00:09.479: %SSHPM-3-KEYED_PEM_DECODE_FAILED: Cannot PEM decode private key
- Remembering I’m doing Device Certificate.
My environment is:
WLC 2106
Windows 2003 with AD and CA
When I try to use line commands I can’t either.