Mobile Device VPN With Certificates
Apr 23, 2011
We're looking to deploy a certificate-based VPN solution for users with mobile devices (iPhone, iPad, and Android devices at minimum).We currently have CheckPoint firewalls (with VPN capabilities, currently unused), SonicWall, and Aventail devices at our disposal, but would not be against adding new equipment if the solution is secure, easy to deploy, and easy to manage.We want to use client certificates for authentication, though we currently have no infrastructure in place for such a thing.I'm looking for starting points/reference documents to learn to deploy:
* Certificate infrastructure, including a secure and manageable way to deploy certificates to devices, and revoke them if devices are lost or stolen.
* VPN concentrator configuration guides (whether it be Cisco or one of our existing VPN-capable devices).
View 2 Replies
ADVERTISEMENT
Oct 2, 2012
I'm having an issue with intermediate certificates from GoDaddy when connecting from some browsers of mobile devices:Browser in Android 2.3.3;Safari in iOS 4.2.1;Chrome 18 in Android 4.0.In a PC there's no problem, only from the above mobile devices. The intermediate certificate isn't downloaded from the ACE 4710 resulting in a "SSL Certificate Not Trusted" error.Since GoDaddy has no instructions to resolve the issue from a Cisco ACE.
View 6 Replies
View Related
Oct 31, 2012
I have an SSL VPN set up on my ASA 5520 with a self signed cert. When I run the AnyConnect install on my desktop machine I have click through a few windows to accept the certificate. When I connect through the mobile client on Android, the connection goes right through without a prompt to import/choose/download a certificate. I'm able to connect but I'm wondering if the phone has actually recieved a certificate. I'm in the 'Advanced Connection Editor' screen and the certificate setting says "Automatic".
View 2 Replies
View Related
Sep 17, 2012
I'm working on task to update the SSL certificate for an application. steps to upgrade the SSL, stuffs need to be checked before and after the installation and how to verify the new certificates.
View 1 Replies
View Related
May 16, 2013
I have been sitting on the fence waiting and just using the crappy Apple find my phone, and activesync with exchange server 2010. Other than disable activesync for users without company provided phones because we do not want to get into the whole wiping someone's personal phone if they should misplace it/leave the company.I just read today that Spiceworks 7 (7 beta 1 will be in late May) will have MDM because of using MaaS360. There will be some free basic stuff or for a premium you can add on to it.
View 9 Replies
View Related
Jun 18, 2012
My desktop PC don't have the opportunity to make sync between the computer and my phone, (Samsung Galaxy SII ) via Wi-Fi. There is no Wi-Fi in my Desktop PC, and I use cable to the Internet.so that they can talk to each other via Wi-Fi connection.
View 3 Replies
View Related
Nov 7, 2012
My client has a PC that can use a SIM card to gain access to the internet. They have an ASA5540 and are running IPsec VPN.
When accessing the VPN while the PC connects to the internet via use of the SIM card, he connects successfully to the VPN but is unable to access anything on the internal network. If he connects to the internet using wireless or wired, he connects successfully to the VPN and is able to access everything on the internal network.
Is this a limitation of the Cisco VPN Client? Perhaps something missing in the configuration? Or do they still require the mobility license (though I thought that was only for AnyConnect)?
View 1 Replies
View Related
Sep 19, 2011
Basically the internet connection on my PC will freeze when my mobile phone (HTC Desire) connected to the same network via WIFI is near the pC. If I remove the phone into another room the connection un freezes. If I switch the connection on the phone to the mobile network the problem never arises!
View 4 Replies
View Related
Sep 21, 2011
How can i connect my wifi mobile with my wireline broadband which i am using on my pc
View 3 Replies
View Related
Dec 5, 2011
How to connect secured wifi network to mobile device
View 1 Replies
View Related
Apr 29, 2013
I HAVE A 3 YEAR OLD DELL STUDIm O 1747 (YEP IT WAYS A TON), AND AFTER I start up the ole computer and Icon comes on a bit later in the desktop tray that says "mobile broad band not found. I am quite sure it came with the Original Operating system (windows 7). and I have been considering reinstalling the operating system provided by Dell which I still have for Windows 7....Which is a hasslel the last resort...I tried doing a recovery on the system but I will be damed if I can remember the password even though the computer boots up and I get my display window every time..
View 4 Replies
View Related
Jan 3, 2013
I have dell xps l501x with embedded 5620 mobile broadband mini card. Vz access manager says that device is disabled. How can I fix. Or in device bad and have to replace?
View 4 Replies
View Related
Mar 19, 2013
I have an ASA5540 running AnyConnect premium (25 users). I know that I need the AnyConnect Mobile license in order to use an AnyConnect client on the IPADs/Iphones. My question is - can I do clientless SSL VPN? Do I need the AnyConnect Mobile license for this?
View 3 Replies
View Related
Apr 26, 2011
I have a E6410, install sim card, load and start Mobile Broadband Manager and it say me an error "Mobile Broadband Device not found"
I already download and install Wirless Mobile Broadband Drivers, both of them (5620 and 5540 mini card) i realy dont understand how to determine which of them installed in my laptop.
View 4 Replies
View Related
Jul 19, 2012
We are conduction a Proof Of Concept (PoC) on Secure Bring Your Own Device ( BYOD ) using Cisco ISE and gonna test all the scenarios like Wired, Wireless and VPN user access.
Our Setup has ISE VM acting as Admin, Monitor and Profiling Device, we have NAC 3315 physical Appliance as Inline posture Device, Wireless LAN controller, Access point and the Identity source as Microsof Active Directory.Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.
As of now we have tested the Wired Scenario Authentication and authorization for guest users and gonna carry out the profiling and posture.
-MDM can be integrated to ISE ?
-How the MDM can be integrated to Cisco ISE configuration or Guide to show the same?
-What is the demarcation between MDM and ISE ( i.e. What is the role of ISE and MDM on Mobile Devices ) ?
-If MDM is available so then when the control of ISE ends, does MDM do management or ISE will do management of the devices ?
-Is MDM will do client provisioning or ISE should do ?
-Is MDM send or update patches of Mobile Devices ?
View 5 Replies
View Related
Jun 14, 2012
How may I find out if on my XPS 17 702X I have installed a mobile broadband device?
Tried on Device Manager and nothing found but when I checked Radio Control Options via Wiindows Mobility Center, on the Radio Control Options
the Mobile Broadband option is mentioned but without possibility of thicking it! Also when I go via Dell Mobile Broadband Manager The msg "The mobile broadband device is not found.
View 1 Replies
View Related
Aug 9, 2011
I need to change providers from Verizon to AT&T. This modem came with the AT&T Sim card installed in my notebook. The software (Dell Mobile Broadband Utility Help) says " Choose Network Selection from the Settings Menu. Select AT&T and click Load." Unfortunately, Network selection is not an option.
How do I do it? This modem is compatible with Verizon, AT&T and Sprint networks.
View 1 Replies
View Related
Aug 27, 2012
I have access to an ASA running 8.4 and I need to copy the config to another one, to have it has as a spare.All configuration has coppied fine except for this part in the config;
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GS2-NT-FIR-01
proxy-ldc-issuer
crl configure
[code]....
So firstly, I assume this certificate is for the SSL vpn that is configured on the ASA? Secondly, this wouldn't copy across (the HEX part). But I believe this ASA is using a self signed cert so instead I probably ned to generate a new one on this spare ASA, so how do I do that?
View 3 Replies
View Related
Aug 8, 2011
I am delving into the world of Certificates and the ASA. I am having the HARDEST time grasping this though. I've poured over Cisco whitepapers, been reading through books and things just aren't solidifying in my head. So my question is, how do Certificates for SSL work on the ASA? Where does the data transmit and how does an ASA talk to a CA and User for things?
Lets do this basic topology for the discussion:
End User------SSL VPN---> ASA--->Internal CA
So in theory we are supposed to create a certificate and install it on the ASA and then set the outside interface to trust that cert?
How do identity certs and root certs also work out on the ASA? I have instructions that pretty much say
Create RSA key
Create new trustpoint
cry ca auth newtrustpoint
cry ca enroll newtrustpoint
cry ca import ?
So what are all of these steps specifically doing? Also in ASDM it shows a normal Certificate and an Identity Certificate. I can't really figure out the difference between the two. Does one cert talk to the CA and the other identify the ASA to the CA?
View 7 Replies
View Related
Aug 16, 2012
My ASA's have the follwing Versions: ASA Version 8.4(3) ASDM Version 6.4(7)Have I a chance to configure a site-to-site tunnel with a hostname as peer address when I will use Identity and CA Certificates?
View 2 Replies
View Related
Dec 5, 2011
I want to use a different certificate by connection profile. Is-it possible on ASA 8.4 ?
My first certificate is for vpn.itcom.fr associated to one connection profile and my second is for vpn.newitcom.fr associated to a second connection profile.
View 2 Replies
View Related
Jan 31, 2012
I have generated request and our CA server gave us two files, one is certificate from CA itself, one is the certificate CA created for the ACS. I used the "Bind CA Signed Cerficate" under "local certificated"Option to bind the latter. it shows successful.and a web access from any pc will give you error info, "that the security certificate presented by this website was issued for a different website's address." And all the while I dont know how to deal with the other file, which is "Internal CA certificates" I was try to use the first option import server option, but it seems not right,
View 1 Replies
View Related
Mar 10, 2008
I have configured MS CA and i setup vpn client and ASA 7.0 to make tunnel with certificates.Same configuration does not work with ASA 8.0 I get error
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
[code]....
Why the key usage is invalid? What certificate template must be used in MS CA in order to get a regular key usage?
View 3 Replies
View Related
Sep 4, 2012
I have an ASA5540 running 8.4(3) which has CA and identity certificates from godaddy.com installed, identifying the ASA to VPN remote users (the are using the anyconnect client.) There is also a separate certificate server located on the inside LAN that is used for internal purposes. All client workstations have identity certs from this internal server.
We would like to be able to continue using the existing godaddy CA/identity certs to identify the ASA to the clients, but we'd like to use the internal CA server to identify the clients when they initiate the AnyConnect session to the ASA.
I have seen other postings that state you cannot have more than one vert on an interface, but this is a little different - only one cert needs to be used to identify the ASA. The other one is only to identify the users. The ASA did allow me to import the internal CA cert.
View 4 Replies
View Related
Jan 19, 2012
Which certificates do I install on the ASA 5510 ???
I have a Trust External CA Root, Trust Server CA, Extended Validation Secure Server CA and the name of the domain all ending in CRT. Yet the instructions only refer to two certificates ?
View 2 Replies
View Related
Feb 10, 2011
I want to use multiple cert (enterprise certs and verisign cert) for authentication in wireless.Users that have their computer in the domain should use EAP-TLS and PEAP (verisign) are for users in the domain but on non-domain computers.I can only enable one certificate in system adminstration->local server certificates-> local certificates to use EAP.I have installed both enterprise and verisign cert in the CA store in User and Identy store and enbled the enterprise cert for EAP-TLS.The EAP-TLS connection works fine when the enterprise cert is enabled for EAP (in local certificates) but PEAP does not. If I enable EAP on the verisign cert in local certificates the enterprise cert get EAP disabled and that authentication stops working av PEAP starts working.
Is the ACS5.2 only able to have one certificate enabled at the time for EAP?
View 10 Replies
View Related
Oct 6, 2011
I've tried to piece this together with SSL Remote Access VPNS, Understanding PKI and the Cisco's ASA 5500 Series Chapter 73 Configuring Digital Certificates. Below is a basic config I use to create the CA and ID certs on ASAs. I use the ASA as the CA server. When I export the SSL trust point it doesn't show chaining from the CA. Since there is no chaining when I load the CA certificate in the Root Store I still an SSL Certificate error. Instead I have to load the SSL Trustpoint Certificate.
CREATE CA
crypto ca server
smtp from-address admin@Cisco.local
lifetime ca 3650
lifetime certificate 3650
lifetime crl 24
[code]....
I originally thought it was a problem with enrollment self in the trustpoint, but I cannot figure out the steps to complete enrollment terminal. I got to the steps of crypto ca enroll Identity_Certificate and displayed the certificate request. At that point the sh crypto ca trustpoint Identity_Certificate is pending enrollment. I can not find the command for the CA that allows trustpoint enrollment. If I try to crypto ca export Identity_Cetificate identity-certificateit says trustpoint not enrolled. Of course if I take the enrollment request and attempt to crypto ca import Identity_Certificate certificate it fails because it's not the cert.
View 3 Replies
View Related
Jun 2, 2011
Has anyone tried to get two factor authentication working with the asa 5505. I have a CA setup and the enrollment emails are being sent out. But when I go to login to the enrollment site at [URL]. I get a page not found.
I would like to have one factor be a username and password and the second factor being a certificate on the device.
View 4 Replies
View Related
Apr 23, 2013
how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.
View 8 Replies
View Related
Jun 9, 2013
I have issues connecting to the webvpn as its asking for some certificate for authentication, I am using the self generated certificate, but when I try to connect to SSL gateway via its IP address , Browser expect me to provide the certificated, I want to tell the Browser to use the self generated certificate of ASA5505, but not sure how I do it.I undestand when WEBVPN/SSL clientless VPN try to establish the VPN , ASA sends the certificate back to the browser to accept/authenticate it, but when I connect I don't get any certificate where I say YES to accept it.Can I just disable certificate with SSL and just use username/password to crater a WEBVPN ?
View 7 Replies
View Related
Jun 7, 2012
I have a Cisco 4506 With IOS 12.2 54SG1
Iam new on Acs 4.2 and i want to use Certificates to authenticate my windows XP Client and Igels.
On Windows Xp i selected : IEEE 802.1X Authentication enable EAP (Peap)
But i dont understand the Certification of ACS 4.2.
I generated a Self-Signed Certificate. Is this right ? and under installed Certificates the Certificate Status is okay.
Do i have to create for each windows Machine one user Account under user-Setup to authenticate the Machine?
Where do Windows Xp know whitch Certificate he have to take ?
I configures the Switch on Global Configuration like this:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
[Code].....
Iam triying to configure ist szenario till 4 days and it still dont work.. On Windows i Only get the Error" authentication failed" on the Switch the same : dot1x : Authfailed
View 3 Replies
View Related
Dec 12, 2012
I have some questions about the size of the certifcates in ACE module (ACE20). Reading the following link: [URL]
I can verify this text: 4096 (high security, level 4) - For software release A2(2.4) and later in the ACE module and software release A3(2.6) and later in the ACE appliance, you can use 4096-bit SSL certificates in chaingroups and authgroups. You can also import public certificates and keys that are 4096 bits in length.
We intend to use a certificate (CA) with keys of 4096 bits and according to the text of wiki, it's possible.
But if I check the guide [URL]
Somebody that already use certificates with 4096 bits in ACE20 module?
View 3 Replies
View Related
Sep 25, 2011
I'm looking for samples about anyconnect 2.x with PKI authentication through ASA 8.x and ACS 5.2.The CA could be a internal Microsoft CA.
View 8 Replies
View Related
