Anyconnect and preshared keys

Is it possible to use the AnyConnect client and still use preshared keys? I'm trying to remediate a PCI issue that requires removing IKEv1 and preshared keys, and disabling aggressive mode.
Will any of this break AnyConnect? Your assistance is appreciated!

Hi,
It is completely possible. You can disable aggressive mode on the ASA and it will not affect AnyConnect, because AnyConnect uses TLS and DTLS, which are completely different from IPsec.
Now you can disable aggressive mode as follows:
hostname(config)# crypto ikev1 am-disable
If you have IPsec VPN clients, they will work with main mode only if you use certificate authentication, not pre-shared keys.
Please don't forget to rate and mark as correct the helpful post!
Regards,
David Castro
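As an added example (not part of the original thread, and not Cisco's tooling), a small Python audit that walks a saved ASA running-config and reports the items the question has to remediate: IKEv1 still enabled on an interface, IKEv1 policies accepting pre-shared keys, a missing crypto ikev1 am-disable, and tunnel-groups still carrying an IKEv1 PSK. It also lists which AnyConnect listeners the config serves (TLS/DTLS via webvpn, and IKEv2 with client-services), since none of those depend on IKEv1. The sample config is constructed; the interface, policy and tunnel-group names are placeholders and the key is masked the way the ASA prints it.

```python
"""Audit an ASA running-config for the IKEv1 / aggressive-mode / PSK items.

Added example for this thread, not Cisco code. SAMPLE_CONFIG and
REMEDIATED_CONFIG are constructed excerpts; names are placeholders.
"""

# Constructed 'show running-config' excerpt of the state the question starts from.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
tunnel-group SiteA type ipsec-l2l
tunnel-group SiteA ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group AnyConnectUsers type remote-access
tunnel-group AnyConnectUsers webvpn-attributes
 group-alias corp enable
"""

# The same box after remediation: AnyConnect listeners untouched, IKEv1 gone.
REMEDIATED_CONFIG = """\
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
tunnel-group AnyConnectUsers type remote-access
tunnel-group AnyConnectUsers webvpn-attributes
 group-alias corp enable
"""


def _blocks(config):
    """Yield (top_level_command, [indented sub-commands]) pairs, mirroring how the
    ASA prints nested configuration (children are indented by one space)."""
    parent, children = None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            children.append(line.strip())
        else:
            if parent is not None:
                yield parent, children
            parent, children = line.strip(), []
    if parent is not None:
        yield parent, children


def audit_asa_config(config):
    """Return the findings relevant to the PCI items in the question. An empty
    list means nothing IKEv1/PSK-related is left in the config."""
    findings = []
    ikev1_enabled = False
    am_disabled = False
    for parent, children in _blocks(config):
        if parent.startswith("crypto ikev1 enable "):
            ikev1_enabled = True
            findings.append(f"IKEv1 enabled on interface {parent.split()[-1]}")
        elif parent == "crypto ikev1 am-disable":
            am_disabled = True
        elif parent.startswith("crypto ikev1 policy ") and "authentication pre-share" in children:
            findings.append(f"{parent}: accepts pre-shared-key authentication")
        elif parent.startswith("tunnel-group ") and parent.endswith(" ipsec-attributes"):
            if any(c.startswith("ikev1 pre-shared-key") for c in children):
                findings.append(f"{parent}: IKEv1 pre-shared key configured")
    if ikev1_enabled and not am_disabled:
        findings.append("aggressive mode not disabled: add 'crypto ikev1 am-disable'")
    return findings


def anyconnect_listeners(config):
    """Return the AnyConnect transports the config serves: 'tls' (webvpn enabled on
    an interface with anyconnect enable) and/or 'ikev2' (crypto ikev2 enable with
    client-services). These must survive the remediation; none use IKEv1."""
    found = set()
    for parent, children in _blocks(config):
        if parent == "webvpn" and "anyconnect enable" in children and \
           any(c.startswith("enable ") for c in children):
            found.add("tls")
        if parent.startswith("crypto ikev2 enable ") and "client-services" in parent:
            found.add("ikev2")
    return found


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", REMEDIATED_CONFIG)):
        print(name, "findings:", audit_asa_config(cfg))
        print(name, "AnyConnect listeners:", sorted(anyconnect_listeners(cfg)))
```

Run it against show running-config saved to a file; an empty findings list together with a non-empty listener set is the end state the question is after. The check is purely textual: it says nothing about whether a site-to-site peer still depends on IKEv1, so look at show crypto ikev1 sa for live sessions before the policies and tunnel-groups are removed.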

Similar Messages

  • AnyConnect and Pre-Shared Keys

    Hello,
    I am extremely new to AnyConnect and VPN, so I have a few questions for you guys. I am trying to configure an AnyConnect Client on Android to connect to my ASA 5505 via IPSEC. It's configured with (I believe) IKEv1 with pre-shared key and group identifier. I think IKEv2 is certificate based only, and I am not using certificates at this time. I can't seem to find any settings in the app to configure it this way... Can the AnyConnect client connect to this type of connection? If so, what may I be missing? I can configure the default VPN client built into Android and it works fine, but I am being told to use the AnyConnect client. If you need more info, let me know, I'm not sure what to put on here to give the info needed to help. Thanks!

    Believe I found my answer:
    Cisco AnyConnect VPN
    Q. I see that the Cisco AnyConnect Secure Mobility Client supports IPsec. Will Cisco AnyConnect Secure Mobility Client work with Cisco VPN 3000 Series concentrators?
    A. No. Cisco VPN 3000 Series concentrators support IPsec/IKEv1. Cisco AnyConnect Secure Mobility Client Version 3.0 and greater supports IPsec/IKEv2 connectivity but not IPsec/IKEv1.
    From http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps10884/qa_c67-712937_ns1049_Networking_Solutions_Q_and_A.html
    If there is a workaround or something, please let me know. If not, oh well!

  • DMVPN/preshared key configured and device stolen

    Hello,
    I have a question on DMVPN solutions where the device is already configured with a preshared key and expected to be part of the network once the device is fired up.
    Now what if this device (e.g. a router) is stolen and plugged into the Internet? I believe it will establish a connection with the hub router because the preshared keys and DMVPN config match. Is there a solution to prevent this?
    I know it is a physical security question, however I need to consider this rare scenario.
    Thanks,
    Deepak Ambotkar

    The solution for that problem is to use digital certificates, which is a best practice for DMVPN. For that you can also use an IOS router as a CA server.
    If you decide against certificates, then you can at least use PSK encryption. That doesn't help against stolen devices, but it helps against rogue spokes when someone can get the client config.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • IKEv2 AnyConnect and Pool allocation via RADIUS

    I have configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing usernames and the IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
    e.g. in FreeRADIUS (2.1.12), the following is defined (home is the 'group') in username@group format:
    home                    Cleartext-Password := "cisco"
                                 Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                                 Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                                  Framed-Pool = "CUST-A-POOL"
    matt@home               Cleartext-Password := "test123"
    Group and user authorization information is then merged and cloned onto the virtual template:
    crypto ikev2 name-mangler EXTRACT-GROUP
     eap suffix delimiter @
    crypto ikev2 profile FlexVPN-IKEv2-Profile-1
     match fvrf IPSEC-FVRF
     match identity remote key-id FlexAnyConnect
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint cacert.org
     dpd 60 2 on-demand
     aaa authentication eap FlexVPN-AuthC-List1
     aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
     aaa authorization user eap cached
     virtual-template 1
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel mode ipsec ipv4
     tunnel vrf IPSEC-FVRF
     tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
    However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
    *Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"
    However, the crypto debugs state that an IP address cannot be assigned:
    *Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
    <snip>
    Payload contents:
    AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
    If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
    Cheers,
    Matt

    Marcin,
    Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
    As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
    Cheers,
    Matt
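Added example, not from the thread and not FreeRADIUS or Cisco code: a Python helper that rewrites the users-file entry quoted above, replacing the Framed-Pool (IETF 88) reply item the IKEv2 server ignored with the Cisco AVPair the follow-up reports as working, assumed here to be spelled ipsec:addr-pool=<pool>. It also builds a complete FlexVPN group entry that includes the ipsec:route-set=prefix split-tunnel workaround quoted for CSCud65859. The users-file text is constructed from the post; usernames, passwords, VRF, interface and pool names are placeholders.

```python
"""Rewrite / generate FreeRADIUS 'users' entries for FlexVPN (IKEv2) clients.

Added example for this thread. Assumptions (not confirmed by the page):
the pool AVPair is written exactly 'ipsec:addr-pool=<pool>' and the split-tunnel
AVPair 'ipsec:route-set=prefix <net>/<len>'. USERS_BEFORE is constructed from the
post; all names and passwords are placeholders.
"""
import re

USERS_BEFORE = """\
home                    Cleartext-Password := "cisco"
                             Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                             Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                              Framed-Pool = "CUST-A-POOL"
matt@home               Cleartext-Password := "test123"
"""

# Matches an indented reply item 'Framed-Pool = X' (quoted or not, '=' or ':=',
# with or without the trailing comma used between reply items).
FRAMED_POOL = re.compile(r'^(\s+)Framed-Pool\s*:?=\s*"?([^",\s]+)"?\s*(,?)\s*$')


def convert_framed_pool(users_text):
    """Replace every Framed-Pool reply item with the ipsec:addr-pool AVPair,
    keeping the indentation and the trailing-comma convention intact."""
    out = []
    for line in users_text.splitlines():
        m = FRAMED_POOL.match(line)
        if m:
            indent, pool, comma = m.groups()
            line = f'{indent}Cisco-AVPair += "ipsec:addr-pool={pool}"{comma}'
        out.append(line)
    return "\n".join(out) + "\n"


def flexvpn_group_entry(group, password, vrf, unnumbered_if, pool, split_prefixes=()):
    """Build a complete users-file entry for one FlexVPN group: iVRF placement,
    unnumbered interface, local address pool and optional split-tunnel routes.
    Reply items are comma-terminated except the last, as FreeRADIUS expects."""
    reply = [
        f'Cisco-AVPair += "ip:interface-config=vrf forwarding {vrf}"',
        f'Cisco-AVPair += "ip:interface-config=ip unnumbered {unnumbered_if}"',
        f'Cisco-AVPair += "ipsec:addr-pool={pool}"',
    ]
    reply += [f'Cisco-AVPair += "ipsec:route-set=prefix {p}"' for p in split_prefixes]
    lines = [f'{group:<24}Cleartext-Password := "{password}"']
    lines += [f'{"":8}{item},' for item in reply[:-1]] + [f'{"":8}{reply[-1]}']
    return "\n".join(lines) + "\n"


def reply_items(users_text, username):
    """Return the reply items (indented continuation lines) of one entry without
    their trailing commas: what the NAS will actually be sent for that name."""
    items, inside = [], False
    for line in users_text.splitlines():
        if line and not line[0].isspace():
            inside = line.split()[0] == username
        elif inside and line.strip():
            items.append(line.strip().rstrip(","))
    return items


if __name__ == "__main__":
    print(convert_framed_pool(USERS_BEFORE))
    print(flexvpn_group_entry("home", "cisco", "CUST-A", "loopback100",
                              "CUST-A-POOL", ["10.0.0.0/8"]))
```

The group entry still relies on the pool existing locally on the NAS, exactly as in the post; the AVPair only names it. After changing the users file, the same RADIUS debug shown above should carry the Cisco-AVPair instead of Framed-IP-Pool, and the IKEv2 debug should no longer report INTERNAL_ADDRESS_FAILURE.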

  • SSID with preshared key + ISE

    Hi,
    We have recently implemented Wi-Fi at our site. We have Cisco 3502 APs, a 2504 WLC and the latest Cisco ISE. I understand that in an ISE deployment we can't have a preshared key (password or key) for the SSID, as ISE will take over the authentication. Is that right?
    Current scenario:
    1. A laptop with Wi-Fi enabled will select the SSID in the list. Since we have disabled the broadcast, it will be shown as "other network" in the list.
    2. The user will select the other network and manually enter the SSID string.
    3. Once the SSID matches with the WLC, he/she will be redirected to the ISE URL where he/she needs to enter the domain credentials.
    4. After the credentials are validated, the ISE (NAC) agent will be downloaded on the laptop.
    5. Posture will begin and check for compliance.
    6. If the laptop is compliant, the laptop will be allowed in the network, else it will be rejected.
    Here, I would like to have preshared authentication for the SSID in the first phase as my infosec team is very particular about that. How can I achieve that?

    Creating Native Supplicant Profiles
    Before You Begin
    • If you intend to use a TLS device protocol for remote device registration, be sure you set up at least one Simple Certificate Enrollment Protocol (SCEP) profile, as described in Simple Certificate Enrollment Protocol Profiles, page 8-31.
    • Be sure to open up TCP port 8909 and UDP port 8909 to enable Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation. For more information on port usage, see the “Cisco ISE Appliance Ports Reference” appendix in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.
    Step 1: Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
    Step 2: Choose Add > Native Supplicant Profile.
    Step 3: Specify a Name for the agent profile.
    Step 4: Enter an optional Description for the Native Supplicant Profile.
    Step 5: Select an Operating System for this profile.
    Step 6: Enable the appropriate options for Wired or Wireless Connection Type (or both) for this profile. If you enable the Wireless connection option, be sure to also specify the device SSID and the wireless Security type (either WPA2 Enterprise or WPA Enterprise).
    Step 7: Choose the Allowed Protocol for the device profile.
    Step 8: Enable or disable other Optional Settings as appropriate for this profile.
    You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user logs in, based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network.

  • Lms3.2 passwords & preshared key

    hello,
    I have added some ASAs to my CiscoWorks server.
    When I look at the config I see that the preshared keys are removed and replaced by a star *.
    I see something like
    tunnel-group cisco ipsec-attributes
    pre-shared-key *
    Then I searched some directories for the plain text config files and they do not contain the preshared keys...
    If I try to recover from a disaster with those "backup files" it's gonna be useless.
    Is there any trick to include preshared keys and passwords in my config files?
    thanks

    The devices themselves are putting these stars in the config (starting in 8.2). The way RME archives the config is to do a "show runn" and extract the config from the output. RME does not yet support the ability to do a "copy runn tftp", which would allow the clear text passwords to be archived. However, this undoes the security one would get by performing the screen scraping over SSH. Therefore, LMS only uses the "show runn" command to get the config.

  • Question on IKE preshared key for sun systems.

    Hi All
    I'm testing IPsec between a Sun system and a device (and Windows XP). The main mode negotiation failed in the third exchange when encryption is on. The responder side complains that the payload sent from the other side is malformed. I suspect the problem is related to the preshared key configuration. The Sun system requires a hexadecimal preshared key, and the resulting key length should be at least what the encryption algorithm requires (from the IP Services manual):
    The encryption algorithm in this example (see Step 2) is DES, so the pre-shared key must be at least 64 bits. However, a longer key length is a good idea. For example,
    # ike.preshared on enigma, 192.168.66.1
    { localidtype IP
         localid 192.168.66.1
         remoteidtype IP
         remoteid 192.168.55.2
         # enigma and partym's shared key in hex (128 bits)
         key ac077cc699c17055848a3cf34377980a
    }
    My question is how I should configure the preshared key to match the one in Sun. Like on a Windows system? I tried to use the exact same key on Windows, but the authentication failed. If the problem is not from the preshared key, any comments are welcome.
    Thanks a lot!

    To restore a key from encoded data you have to use one of the KeySpec classes, in your case DESKeySpec. Then you can use the KeyFactory (SecretKeyFactory in this case) class to regenerate the key.
    import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESKeySpec;
    DESKeySpec keySpec = new DESKeySpec(keyBytes);  // keyBytes: the 8-byte DES key material
    SecretKeyFactory factory = SecretKeyFactory.getInstance("DES", "SunJCE");
    SecretKey myDESkey = factory.generateSecret(keySpec);

  • Entered Wrong preshared key on WLAN

    Hi
    I entered the wrong preshared key on the WLAN and I can't change it. Tried using the Connection Manager but it still says incorrect.
    Can anyone help please?
    Thanks

    Menu - Tools - Settings - Connections - Access Points - Select the WLAN in question - Options - Edit - WLAN Security Settings
    Hope that helps
    Nokia History: 3110, 5110, 7110, 7110, 3510i, 6210, 6310i, 5210, 6100, 6610, 7250, 7250i, 6650, 6230, 6230i, 6260, N70, N70, 5300, N95, N95, E71, E72
    Android History: HTC Desire, SE Xperia Arc, HTC Sensation, Sensation XE, One X+, Google Nexus 5

  • RV042 Preshared key hidden

    Hi everyone,
    I'd like to know if it's possible to hide the preshared key in the router configuration.
    By default, you can see it in clear text if you have access to the RV042.
    Thanks for your feedback.
    Regards,
    hdam

    Hello hdam,
    As far as I know, when you're administering and accessing the router configuration and you're setting up VPN, there is no method (or a checkbox) to hide the preshared key away from plaintext.
    If security is a concern, perhaps limit the available management access to the vpn router, so not too many users will know the preshared key.
    -Andrew Lien

  • N80 and Wifi key

    Hi
    I just got the N80 and I want to connect to the WLAN at work; we have WPA2. I have entered everything correctly, however there is just one problem:
    When I enter the preshared key, I am unable to, as it is one or two characters too long.
    Is there any way around this?
    My friend at work has the Nokia 9300 and he sets up his phone with WEP and it works fine; when I try to set up WEP on my phone I select 128-bit but I can only enter about 20 characters.
    Thanks

    OK, me again, looks like I found the problem: when entering the key you should select the input method 'ASCII' or 'Hexadecimal'. In 'ASCII' mode, the input must be 8 to 63 characters. In 'Hexadecimal' mode, enter 64 characters.
    However the Nokia N80 does not have the option for hex or ASCII when entering the WPA preshared key.
    So it looks like it is a software error on the phone side, or that I'm just missing a step in setting this up on the phone side.
    Anyone know about any fixes for this or how I can contact the developers for help on this...
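Added example, not part of the original thread: the reason for the "8 to 63 ASCII characters or exactly 64 hex digits" rule is that WPA/WPA2-Personal derives the 256-bit PMK from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as the salt), while a 64-hex-digit key is that PMK entered directly. The Python below implements both forms plus a classify_wpa_key helper that behaves like a supplicant with no ASCII/hex selector, which is the ambiguity the N80 runs into with a 64-character key. The IEEE 802.11i test vector (SSID "IEEE", passphrase "password") is used as the check; nothing here is Nokia's code.

```python
"""WPA/WPA2-Personal key handling: passphrase (8-63 ASCII) versus raw PMK (64 hex).

Added example for this thread. The derivation is the one IEEE 802.11i specifies;
the 'classify' policy (64 hex digits means a raw PMK) is an assumption about what
a supplicant without an ASCII/hex switch would have to do.
"""
import hashlib
import re

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def wpa_psk_from_passphrase(ssid, passphrase):
    """Derive the 32-byte PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def wpa_psk_from_hex(hex_key):
    """Accept the PMK itself, written as exactly 64 hex digits; no derivation."""
    if not HEX64.fullmatch(hex_key):
        raise ValueError("WPA hex key must be exactly 64 hex digits")
    return bytes.fromhex(hex_key)


def classify_wpa_key(ssid, key):
    """Decide what a supplicant without an ASCII/hex selector has to decide: a
    64-digit hex string can only be a raw PMK (a passphrase is at most 63
    characters); anything else is treated as a passphrase. Returns (kind, pmk)."""
    if HEX64.fullmatch(key):
        return "hex", wpa_psk_from_hex(key)
    return "ascii", wpa_psk_from_passphrase(ssid, key)


# IEEE 802.11i test vector: SSID "IEEE", passphrase "password".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    pmk = wpa_psk_from_passphrase("IEEE", "password")
    print("derived PMK:", pmk.hex())
    print("matches 802.11i vector:", pmk.hex() == IEEE_VECTOR_PMK)
    print("64-hex form classified as:", classify_wpa_key("IEEE", IEEE_VECTOR_PMK)[0])
```

Both forms end in the same 32-byte PMK, which is why an access point accepts either; the passphrase form is only a convenience for typing. A 64-character key that is not all hex digits is rejected by both paths, which matches the symptom in the post.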

  • Remote System and Remote Key Mapping at a glance

    Hi,
    I want to discuss the concept of Remote System and Remote Key Mapping.
    A Remote System is a logical system which is defined in the MDM Console for an MDM Repository.
    We can enable key mapping at each table level.
    The key mapping is used to distinguish records in the Data Manager after running the Data Import.
    Now, one record can have one remote system with two different keys, but two different records cannot have the same remote system with the same remote key. So, the remote key is a unique identifier for a record for any remote system.
    Now, whenever we import data from a Remote System, the remote system and remote key are mapped for each individual record. Usually all records have different remote keys.
    Now, when syndicating back, the record with the default remote key is updated in the remote system, which is sent in XML file format.
    If the same record is updated two times from the same remote system, the remote key will be different and the record which is latest contains the highest remote key.
    Now, I have to look at Data Syndication and Remote Key.
    I have not done Data Syndication, but my concept tells me that if there is a duplicate record with the same remote system but different remote keys, both will be syndicated back. But if the same record has two remote keys for the same remote system, then only the default remote key is syndicated back.
    Regards
    Kaushik Banerjee

    You are right, Kaushik.
    I have not done Data Syndication, but my concept tells me that if there is a duplicate record with the same remote system but different remote keys, both will be syndicated back.
    Yes, but if they are duplicates, they need to be merged.
    But if the same record has two remote keys for the same remote system, then only the default remote key is syndicated back.
    This is after merging. So whichever remote key has the tick mark in the key mapping option (default), it will be syndicated back.
    Pls refer to these links for better understanding.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/uuid/80eb6ea5-2a2f-2b10-f68e-bf735a45705f
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/uuid/7051c376-f939-2b10-7da1-c4f8f9eecc8c%0c
    Hope this helps,
    + An

  • Diff b/w primary key and unique key?

    What is the difference between a primary key and a unique key?

    Hi,
    With respect to functionality both are the same.
    But in ABAP we only have a Primary key for the Database tables declared in the Data Dictionary.
    Unique is generally the term used when declaring keys for internal tables.
    Both primary and unique keys can identify one record of a table.
    Regards,
    Sesh

  • What is the diffrence  between "Key to Select" and "Selected Key" while creating Radio  Buttons?

    While creating radio buttons there is a confusion regarding two properties, "Key to Select" and "Selected Key". Can anybody explain it with an example?
    Thanks,
    Vimal

    Hi Vimal,
    Please find my explanation as below
    Key to Select: This is the unique key for each radio button to identify which one is selected
    Selected Key: This holds the "KEY" of selected radio button
    Example:
       Let us say we have 2 radio buttons : Male & Female
         Create a context attribute SELECTED_KEY of type STRING.
         Create an action ON_SELECT for radio button select event
         Now,
         The properties for the "MALE" radio button are as below:
              KEY_TO_SELECT = 'M'
              SELECTED_KEY = bind to the context attribute SELECTED_KEY
              OnSelect = 'ON_SELECT'
         The properties for the "FEMALE" radio button are as below:
              KEY_TO_SELECT = 'F'
              SELECTED_KEY = bind to the context attribute SELECTED_KEY
              OnSelect = 'ON_SELECT'
    If we select the radio button 'Male', we get the key as 'M', and for the 'Female' radio button 'F'.
    Check inside the event handler method ONACTIONON_SELECT; you get the 'KEY' of the selected radio button.
    So, the context attribute 'SELECTED_KEY' gets filled with the key of the selected radio button.
    Hope this helps you in distinguishing the 'KEY TO SELECT' & 'SELECTED KEY' .
    Regards,
    Rama

  • Buttons and enter key problem

    hello,
    There are a few projects of enterprise quality which I am developing in Java Swing. I found out through research that many, or rather most, people involved with Java believe that Swing is ready for enterprise-class robust desktop applications.
    So I, as the team leader, am starting my new projects in Java Swing.
    I personally find that the amount of Java libraries present provides a rich set of functionality and it gives big muscle power to the developers.
    I am only concerned about one problem which many of you might have solved.
    I find that I have to hit the space bar instead of the enter key to fire an action. In languages like VB I can press the enter key to fire the click events. Especially in menu items I certainly don't expect my clients to press the spacebar. Besides, there are many people who are so used to the keyboard, and the enter key in particular, that it will be hard or rather next to impossible to change their habits.
    How can I make the menu items work with the enter key? I mean, do I need to create the code for keypress events every time I also create an actionPerformed method? Or is there a way where I can do it without extra coding?
    It is just that I don't want to write extra code for the enter key along with click events.
    One more important note.
    I am a blind person and I use the Access Bridge technology of Java.
    So when I am involved in coding, I use the same.
    So maybe my problem isn't a problem in the first place.
    Kindly provide me some help.
    Thanks
    Krishnakant.

    The enter-key works on menu-items in all my applications. It did so since I started with java few years ago.
    Maybe some other problem (OS-specific) ?

  • Difference between Primary Key and Unique Key with NOT NULL constraint

    As both can be referred to another table.
    Apart from the difference that Primary Key can be only 1 and Unique keys can be multiple,
    is there any difference?
    Like in terms of type of Index?

    PARAG_C wrote:
    As both can be referred to another table.
    Apart from the difference that Primary Key can be only 1 and Unique keys can be multiple,
    is there any difference?
    Like in terms of type of Index?
    Technically there is almost no difference. Logically the two are often used for slightly different concepts.
    The PK (and with it the index) is often an ID column filled by a sequence. This key can then be referenced by foreign key constraints on other tables. It is very useful to have this as a meaningless technical construct, because then the chance that such an ID needs to be changed is extremely slim.
    The UK (and with it the index) is often one or several columns that represent the logical key for the entity. Foreign key constraints should not point to this. The chance that this attribute will be changed at some point in time is way higher than for a meaningless number (ID).
