ACE Chain Certificates in mobile devices
Hi,
I'm having an issue with intermediate certificates from GoDaddy when connecting from some browsers of mobile devices:
Browser in Android 2.3.3;
Safari in iOS 4.2.1;
Chrome 18 in Android 4.0.
On a PC there's no problem, only from the above mobile devices. The intermediate certificate isn't downloaded from the ACE 4710, resulting in an "SSL Certificate Not Trusted" error.
Since GoDaddy has no instructions to resolve the issue from a Cisco ACE, I'm hoping someone in the community has dealt with this issue before.
Best regards,
Ricardo Canto
Hi Jorge,
I'm sorry for not being able to answer your questions earlier. I became a father a few weeks ago and needed to take a leave of absence.
The issue was solved after the certificates were renewed last week and imported to the ACEs, no change has been made to the intermediate certificates.
I'm going to answer your questions so that this issue can be documented for future reference:
You have indicated you have you have also the intermediate applied under a chaingroup in your current configuration, correct?
Indeed, the intermediate is applied to the chaingroup.
Do you have any ssl parameter to force the ACE only to use some specific certificates or you are using all(default)?
There is a different ssl-proxy for each service. Each one has its own chaingroup, certs and keys.
You said you are testing with mobile devices, do you have the same behavior no matter what type of mobile device(no matter that brand)?
Only some browsers are affected by this issue:
Browser in Android 2.3.3;
Safari in iOS 4.2.1;
Chrome 18 in Android 4.0.
I've tried with other browsers but had no error:
Google Chrome 22 in Windows 7;
Windows Internet Explorer 9 in Windows 7;
Opera Mini 7.5 in Android 2.3.3;
What are you getting from your mobile devices? Page cannot be displayed or what exactly?
In the affected browsers an error appears indicating "SSL Certificate Not Trusted".
The error is in Portuguese, but it says "This certificate is not from a trusted authority". As I said above, the certificate is from GoDaddy and has not been revoked.
Have you tried from different mobile devices from different locations?
See answer 3.
Have you tried to do the same tests over clear text, meaning on http? Does it work on http only?
Not an issue, since the problem refers only to SSL.
The issue was solved, but I wasn't able to determine whether the issue was with the certificates or with the ACE.
Thank you,
Ricardo Canto
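An added check, not part of the thread or of any Cisco or GoDaddy material: the script below builds a constructed root / intermediate / leaf chain with openssl and shows that a server bundle missing the intermediate fails against a client that holds only the root (the mobile symptom above), but passes when the client already has the intermediate (why the PCs worked). It assumes a POSIX shell with openssl and awk; all names and paths are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed three-tier PKI
# (root CA -> intermediate CA -> leaf) and checks which server bundles a
# client can validate from a given trust store. All names are made up.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# make_demo_pki: generate root, intermediate and leaf plus the bundles and
# trust stores used below. Everything is written under $DEMO.
make_demo_pki() (
  cd "$DEMO" || exit 1
  # Self-signed root; openssl's default req config marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout root.key -out root.crt -subj "/CN=Demo Root CA" >/dev/null 2>&1
  # Intermediate: must carry basicConstraints CA:TRUE or path building rejects it.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.crt >/dev/null 2>&1
  # Leaf (server) certificate issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -out leaf.crt >/dev/null 2>&1
  # Bundles as a server (an ACE chaingroup, say) might send them.
  cp leaf.crt leaf_only.pem                      # intermediate missing
  cat leaf.crt int.crt > leaf_and_int.pem        # complete chain
  # Trust stores as clients might hold them.
  cp root.crt trust_root_only.pem                # mobile client: root only, no AIA fetching
  cat root.crt int.crt > trust_root_and_int.pem  # desktop that has the intermediate cached
)

# chain_builds BUNDLE TRUST: can a client that trusts only the certificates in
# TRUST build a path for BUNDLE (leaf first, intermediates after, as a TLS
# server sends them)? Prints "trusted" or "untrusted".
chain_builds() {
  bundle=$1
  trust=$2
  work=$(mktemp -d)
  # Split the bundle into cert1.pem (leaf), cert2.pem, ... in wire order.
  awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n > 0 { print > (dir "/cert" n ".pem") }' "$bundle"
  # Everything after the leaf is offered only as untrusted chain material,
  # exactly as a browser treats certificates sent by the server.
  : > "$work/intermediates.pem"
  i=2
  while [ -f "$work/cert$i.pem" ]; do
    cat "$work/cert$i.pem" >> "$work/intermediates.pem"
    i=$((i + 1))
  done
  if [ -s "$work/intermediates.pem" ]; then
    set -- -untrusted "$work/intermediates.pem"
  else
    set --
  fi
  if openssl verify -CAfile "$trust" "$@" "$work/cert1.pem" >/dev/null 2>&1; then
    verdict=trusted
  else
    verdict=untrusted
  fi
  rm -rf "$work"
  echo "$verdict"
}

make_demo_pki
echo "full chain, root-only client:       $(chain_builds "$DEMO/leaf_and_int.pem" "$DEMO/trust_root_only.pem")"   # trusted
echo "leaf only, root-only client:        $(chain_builds "$DEMO/leaf_only.pem" "$DEMO/trust_root_only.pem")"      # untrusted (the mobile symptom)
echo "leaf only, client has intermediate: $(chain_builds "$DEMO/leaf_only.pem" "$DEMO/trust_root_and_int.pem")"   # trusted (the PC case)
```

To check a live server the same way, feed the PEM output of `openssl s_client -showcerts` to chain_builds with the client's own trust store as the second argument.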
Similar Messages
-
We are planning to deploy Symantec certificate profiles to mobile devices to manage company resources like WiFi. I've seen documentation on TechNet and the post here http://ronnydejong.com/2014/12/15/part-1-deploy-certificates-to-mobile-devices-using-microsoft-intune-ndes-overview/ that we need to install the Intune NDES connector, which needs to be installed on the NDES server. These docs are true when we are using Microsoft PKI.
Here, we're planning to use Symantec cloud PKI to deploy the certificates to mobile devices. So, I would like to know what the required on-premises components are: NPS, NDES or something else? Any documentation URL would be helpful ;) We're in the planning phase, hence the question in the forum.
Regards
Anoop
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM
Thank you Jason for the reply!
Sorry for stupid questions !
Does that mean NDES is needed only for the initial enrollment process of a mobile device? We don't need it for deploying Symantec certificate profiles to manage company resources like WiFi, VPN etc... Or am I totally lost here?
My understanding is: mobile devices will get enrolled to Intune and the device will become a managed device. Now, the mobile device needs to get connectivity to company resources like VPN or WiFi, and for that we may need to deploy certificate profiles. Isn't it? So, you were saying for this process we don't need to have NDES (or I'm wrong here as well).
If so, we'll be deploying a public certificate to all the devices via certificate profile deployment, and the devices need to connect to the issuing authority to get a device-specific private key before connecting to WiFi or VPN?
Regards
Anoop
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM -
Lync mobile device connection issue
Hello everybody,
I'm implementing Lync Mobility and remote access in our organization. Remote access is working fine, but mobile devices cannot connect to Lync Server 2010. My topology is:
Reverse Proxy Server(IIS7 works fine) <--> Front End Server <--> Back End Server
pool : pool1.lynctest.local
internal web srvc : lyncinternalweb.lynctest.local
external web srvc : lyncweb.lynctest.domain.com
All internal and external DNS records are created. I deployed an internal CA, and the external and internal web service certificates are issued from the internal CA. I also installed all root certificates on the mobile devices and other remote machines. Below is the log from an Android device.
20 Mar 2014 10:53:27 INFO APPLICATION:SignIn. signInAsUserState=0, actualSessionState=0
20 Mar 2014 10:53:27 INFO APPLICATION:Sending AutoDiscovery request (in sign-in sequence)
20 Mar 2014 10:53:27 INFO TRANSPORT:setUsernamePasswordCredential changing credential:
20 Mar 2014 10:53:27 INFO TRANSPORT:Credential information: credType (1) signInName ([email protected]) domain () username ([email protected]) password.empty() (0) compatibleServiceIds(1)
20 Mar 2014 10:53:27 INFO APPLICATION:Serialized sipuri= intUcwa= extUcwa= intADRoot= extADRoot= location=1 networkType=1
20 Mar 2014 10:53:27 INFO APPLICATION:Storing 2 out-of-sync components took 49ms
20 Mar 2014 10:53:27 INFO APPLICATION:Timer cancelled. OnResume = 0
20 Mar 2014 10:53:27 INFO APPLICATION:Discover UCWA urls from https://lyncdiscover.lynctest.golomtbank.com & https://lyncdiscover.lynctest.golomtbank.com for sip:[email protected]
20 Mar 2014 10:53:27 INFO APPLICATION:Extracted lynctest.golomtbank.com from sip:[email protected]
20 Mar 2014 10:53:27 INFO APPLICATION:Starting Auto Discovery with urls https://lyncdiscover.lynctest.golomtbank.com?sipuri=sip:[email protected] and https://lyncdiscover.lynctest.golomtbank.com?sipuri=sip:[email protected]
20 Mar 2014 10:53:27 INFO TRANSPORT:getSpecificCredential returning the following credential for credType (1) serviceId (4)
20 Mar 2014 10:53:27 INFO TRANSPORT:Credential information: credType (1) signInName () domain () username () password.empty() (1) compatibleServiceIds(0)
20 Mar 2014 10:53:27 INFO TRANSPORT:Added Request(UcwaAutoDiscoveryRequest) to Request Processor queue
20 Mar 2014 10:53:27 INFO APPLICATION:Submitting new req. <unknown>
20 Mar 2014 10:53:27 INFO TRANSPORT:Sent Request(UcwaAutoDiscoveryRequest) to Request Processor
20 Mar 2014 10:53:27 INFO APPLICATION:Submitting Unauthenticated AutoDiscovery request to https://lyncdiscover.lynctest.golomtbank.com?sipuri=sip:[email protected]
20 Mar 2014 10:53:27 INFO APPLICATION:CLogonSession::setNewActualState() state=1
20 Mar 2014 10:53:27 INFO UcClientStateManager: New UI State: ActualState = IsSigningIn DesiredState = BeSignedOut DataAvailable = false
20 Mar 2014 10:53:27 INFO TRANSPORT:<SentRequest>
20 Mar 2014 10:53:27 INFO TRANSPORT:To:https://lyncdiscover.lynctest.golomtbank.com?sipuri=sip:[email protected]
20 Mar 2014 10:53:27 INFO TRANSPORT:HttpHeader:Accept application/vnd.microsoft.rtc.autodiscover+xml;v=1
20 Mar 2014 10:53:27 INFO TRANSPORT:
20 Mar 2014 10:53:27 INFO TRANSPORT:</SentRequest>
20 Mar 2014 10:53:27 INFO TRANSPORT:Sending request(UcwaAutoDiscoveryRequest) to server type = 0
20 Mar 2014 10:53:27 VERBOSE HttpConnection: post request: https://lyncdiscover.lynctest.golomtbank.com?sipuri=sip:[email protected]
20 Mar 2014 10:53:27 VERBOSE HttpConnection: send request: https://lyncdiscover.lynctest.golomtbank.com?sipuri=sip:[email protected]
20 Mar 2014 10:53:27 INFO APPLICATION:LogonSession::signIn() succeeded
20 Mar 2014 10:53:27 INFO UcClientStateManager: New UI State: ActualState = IsSigningIn DesiredState = BeSignedIn DataAvailable = false
20 Mar 2014 10:53:27 VERBOSE ActivityMonitor: Activity Create: com.microsoft.office.lync.ui.options.SigningInActivity
20 Mar 2014 10:53:27 VERBOSE ActivityMonitor: Activity Start: com.microsoft.office.lync.ui.options.SigningInActivity
20 Mar 2014 10:53:27 VERBOSE ActivityMonitor: Activity Stop: com.microsoft.office.lync.ui.options.CredentialsActivity
20 Mar 2014 10:53:27 VERBOSE ActivityMonitor: Activity Destroy: com.microsoft.office.lync.ui.options.CredentialsActivity
20 Mar 2014 10:55:33 INFO APPLICATION:Called signOut() in state 1
20 Mar 2014 10:55:33 INFO APPLICATION:Cancelling all requests
20 Mar 2014 10:55:33 INFO APPLICATION:Serialized sipuri=sip:[email protected] intUcwa= extUcwa= intADRoot= extADRoot= location=1 networkType=1
20 Mar 2014 10:55:33 INFO APPLICATION:Storing 2 out-of-sync components took 31ms
20 Mar 2014 10:55:33 INFO APPLICATION:Timer cancelled. OnResume = 0
20 Mar 2014 10:55:33 INFO APPLICATION:CLogonSession canceling all requests
20 Mar 2014 10:55:33 INFO APPLICATION:CLogonSession::setNewActualState() state=0
20 Mar 2014 10:55:33 INFO UcClientStateManager: New UI State: ActualState = IsSignedOut DesiredState = BeSignedOut DataAvailable = false
20 Mar 2014 10:55:34 INFO APPLICATION:Timer cancelled. OnResume = 0
20 Mar 2014 10:55:34 INFO APPLICATION:Storing 1 out-of-sync Object Models took 22ms
20 Mar 2014 10:55:34 VERBOSE ActivityMonitor: Activity Create: com.microsoft.office.lync.ui.options.CredentialsActivity
20 Mar 2014 10:55:34 VERBOSE ActivityMonitor: Activity Start: com.microsoft.office.lync.ui.options.CredentialsActivity
20 Mar 2014 10:55:34 VERBOSE ActivityMonitor: Activity Stop: com.microsoft.office.lync.ui.options.SigningInActivity
20 Mar 2014 10:55:34 VERBOSE ActivityMonitor: Activity Destroy: com.microsoft.office.lync.ui.options.SigningInActivity
20 Mar 2014 10:55:41 VERBOSE ActivityMonitor: Activity Create: com.microsoft.office.lync.ui.options.CredentialsOptionsActivity
20 Mar 2014 10:55:41 VERBOSE ActivityMonitor: Activity Start: com.microsoft.office.lync.ui.options.CredentialsOptionsActivity
20 Mar 2014 10:55:41 VERBOSE ActivityMonitor: Activity Stop: com.microsoft.office.lync.ui.options.CredentialsActivity
20 Mar 2014 10:55:42 INFO APPLICATION:CMcxDataSynchronizer now in mode 1
20 Mar 2014 10:55:42 INFO APPLICATION:Mode 1 scheduled to timeout in 30.000000s
20 Mar 2014 10:55:42 INFO APPLICATION:No SendUpdate schedule action. timerStarted=0, timerNeedsToRun=0, channelState=0, timerAction=0
20 Mar 2014 10:55:42 VERBOSE ActivityMonitor: Activity Create: com.microsoft.office.lync.ui.options.AboutActivity
20 Mar 2014 10:55:42 VERBOSE ActivityMonitor: Activity Start: com.microsoft.office.lync.ui.options.AboutActivity
20 Mar 2014 10:55:43 VERBOSE ActivityMonitor: Activity Stop: com.microsoft.office.lync.ui.options.CredentialsOptionsActivity
Also I tested the web services with a web browser and they seem fine. I cannot find what's wrong with this. Please help me, dears.
Thank you
The ports will be visible in the netstat result after a connection has been set up by a mobile device.
For details, you can check http://www.lync-blog.nl/?p=671&lang=en
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Please follow the blog below to troubleshoot external Lync Mobility connectivity issues step by step:
http://blogs.technet.com/b/nexthop/archive/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step.aspx
Lisa Zheng
TechNet Community Support -
PEAP-MS-CHAPv2 - mobile devices and certificates
I'm looking to secure our wireless infrastructure and CHAPv2 seems to be what we need but I have a couple of concerns.
Our external domain is company.net but our internal domain where the NPS server would sit is domain.company.local
We have a lot of mobile devices - some are on the domain, some are not.
I'm happy to use an internal certificate or a 3rd party certificate, but given the different domain suffixes, is this going to be possible? If I use a certificate with subject name domain clients won't trust it. If I use subject name of company.net, no clients will trust the NPS server.
How do I get all domain PCs and domain/non-domain mobile devices to trust and connect to the NPS server?
Hi,
When you deploy 802.1X authenticated wireless access that uses PEAP-MS-CHAP v2, RADIUS servers must have digital certificates in order to perform mutual authentication. To issue certificates to your NPS servers you have the option of deploying a private CA on your network, or purchasing a server certificate from a third party certification authority.
During PEAP-MS-CHAP v2 authentication, the IAS or RADIUS server supplies a certificate to validate its identity to the client. Client computer and user authentication is accomplished with passwords, which eliminates some of the difficulty of deploying certificates to wireless client computers.
Since user authentication is performed with password-based credentials, not certificates, the certificate which is issued to NPS uses the internal domain suffix. But non-domain member computers must have the private CA certificate manually installed in the Trusted Root Certification Authorities certificate store for them to trust certificates, such as NPS server certificates, that are issued by the private CA.
Besides, are all users in the internal domain? If users are in two domains, you have two options:
Create a two-way forest trust for both sides of the trust.
Install a new NPS server in external domain.
For detailed information, please refer to the links below:
Create a two-way, forest trust for both sides of the trust
http://technet.microsoft.com/en-us/library/cc778851(v=WS.10).aspx
Certificates and NPS
http://technet.microsoft.com/en-us/library/cc772401(v=WS.10).aspx
PEAP-MS-CHAP v2-based Authenticated Wireless Access Design
http://technet.microsoft.com/en-us/library/dd348500(v=WS.10).aspx
Hope this helps.
Steven Lee
TechNet Community Support -
Certificate for Jabber mobile devices?
We are looking to deploy Jabber on mobile devices. Is it recommended to deploy certificates to the mobile Jabber devices for extra security, or is it default? How are they deployed, the same as handsets via the TFTP download? Does the deployment of the certificate create any issues with the normal working of the mobile?
Every time a Jabber client mobile device logs on to the network, does the Expressway E or C check if the certificate is installed, or does it check with the TFTP file?
Can a user remove a certificate manually, and again, how is the certificate checked?
thanks
There's a big difference in what you want, Joel, and what the OP asked for.
For plain old vanilla PDF, you should be fine, but the OP is worried about people needing to download something for EPUB when in reality that’s less of an issue than PDF.
There are no stock PDF readers on many tablets and the ones that are there have limited or no interactive capabilities and the better ones like GoodReader are not free.
BTW, I’m not suggesting EPUB as a replacement but without seeing the actual documents in question and knowing the audience and budget, I really can’t give you a better answer.
Bob -
SSLVPN 3rd Party Certificate, still get "untrusted site" with mobile device
Hi,
I have recently implemented an Entrust cert on my ASA for SSLVPN. When accessing the ASA from Windows/MAC, the "untrusted site" page does NOT appear. When accessing the ASA from an Android/iPhone, the "untrusted site" page DOES appear. Can anyone chime in on why this is happening with mobile devices?
Thanks,
Eric
Hi Portu,
I'm not clear with your last request, what are you asking?
I've looked at the security warning on an iPhone, and it reads the following:
"The site's security certificate is not trusted!
You attempted to reach blah.blah.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications."
This does not happen when using Google Chrome on Windows/OSX. -
Chain certificate : PKCS#7 format
I have received a set of certificates from the CA. I have added all the certs except the chain into the ACE chaingroup configuration. HTTPS is working fine without issues. Do I need to install the chain certificate as well? The chain is given in PKCS#7 format, whereas the ACE does not accept PKCS#7. Please suggest.
Well, I haven't had any luck getting an iPhone to present an SSL client certificate to an IIS7 ASP.NET web server.
The same .p12 certificate works on IE7, Pocket IE (WM6), Firefox and Safari (PC version). The website is set to require an SSL certificate. From the Windows Mobile or PC browsers, you get a prompt for the client certificate. I have tried Nick's website and the iPhone will prompt to choose between his and my certificates; however, with IIS7 you just get a 403.7 client SSL certificate required error.
I have turned on SSL tracing in HTTP.sys and get the following (edited for length):
<Opcode>SslInititateSslRcvClientCert</Opcode>
<Keywords>
<Keyword>Flagged on all HTTP events handling ssl interactions</Keyword>
</Keywords>
<Task>HTTP SSL Trace Task</Task>
<Message>Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.</Message>
<Channel>HTTP Service Channel</Channel>
<Provider>Microsoft-Windows-HttpService</Provider>
... then after various SSL negotiations and receive raw data traces I see...
<Opcode>SslRcvClientCertFailed</Opcode>
<Keywords>
<Keyword>Flagged on all HTTP events handling ssl interactions</Keyword>
</Keywords>
<Task>HTTP SSL Trace Task</Task>
<Message>Attempt by server application to receive client certificate failed with status: 0xC0000225.</Message>
<Channel>HTTP Service Channel</Channel>
<Provider>Microsoft-Windows-HttpService</Provider>
Which basically seems to mean a "not found" error.
Has anyone had any luck with iPhone to IIS 7 (which we have to use, as it is an ASP.NET website)? -
Can we avoid the dependency on the Symantec certificate for enabling Windows Phone enrollment under Administration -> Cloud Services -> Windows Intune Subscriptions -> Windows Phones? My environment will have only Windows 8.1 phones.
Regards
Leela
See http://status.manage.microsoft.com/StatusPage/ServiceDashboard.
Engineers are investigating a service issue impacting access to portal via mobile devices.
(Started on 12/30/2014 8:00:00 AM UTC)
1/8/2015 11:42:49 PM (UTC)
Current Status: Engineers are continuing to troubleshoot potential issues related to Active Directory Federation Services (ADFS). Engineers have gathered additional traces and logging data for deeper analysis. User Experience: Affected users with Windows Phone, iOS, or Android devices are unable to access their company portal and receive repeated prompts to enter credentials. If incorrect credentials are entered, users will receive an error stating that they have entered a bad password. Customer Impact: Engineers have received reports that some customers are experiencing this issue. A subset of users are affected by this event. Other users remain unaffected. Incident Start Time: Tuesday, December 30, 2014, at 8:00 AM UTC Next Update by: Tuesday, January 13, 2015, at 12:00 AM UTC
Torsten Meringer | http://www.mssccmfaq.de -
Error: Your mobile device has encountered an unexpected error (0xE800003A)
Hi all, I am absolutely new to iPhone development, so I'm sure this is a simple error. I've already done a search for this problem, but haven't understood the answer yet.
Before I got to writing my first app, I wanted to try installing a bit of sample code from the Apple site, so I downloaded aurioTouch from the link below, then put it in a new folder.
http://developer.apple.com/iphone/library/navigation/SampleCode.html
The project launches fine in Xcode, but when I click 'Build & Run' it seems fine right up to the point it transfers it onto my actual iPhone (latest non-beta version) and I get this error.
Your mobile device has encountered an unexpected error (0xE800003A) during the install phase: Verifying application : Try disconnecting and powering off the device; then power the device on and reconnect it.
What am I doing wrong? Does my iPhone need to somehow be 'prepared' for accepting apps? Is there something wrong with the code?
Any help would be gratefully received! If I can get past this step, I can move on.
Cheers
Ru
Surely it must be something simple?
Quick answer: Your environment simply isn't configured properly. You don't have the digital certificates in place to access your device for what you're trying to do.
The entire process includes many mandatory elements. Users can't short-cut it and they can't jump in randomly. You'll need to spend time getting up to speed first, or run the risk of having many more questions such as you've already encountered. Don't get me wrong...we all have questions. But the docs exist to cover basics which in most cases are an assumed part of the questioner's background - hopefully. After you've invested your time, if you're still confused, please speak up. -
Can't get mobile device to auto configure the active sync server
Hello
I am trying to get my customer's mobile devices to auto configure the ActiveSync server name so they don't have to type it in. I believe I have everything in place; certificates are fine. I populated the external URL on the ActiveSync object in Exchange.
DNS is set up correctly. I ran the Exchange Connectivity Analyzer and it runs perfectly. The only test step it fails on is the first attempt to contact the autodiscover service using just the domain name, and that is because we have a record in DNS so our domain name points to our public web server, but all the other tests run fine. At the end, it even displays the XML file contents and shows me the external URL of the ActiveSync object.
I get a successful run, but it first shows the SSL certificate of our public web site and then hangs on the server config and then prompts me to enter the server name and domain. My external URL in Exchange looks like this:
https://remote.domain.com/Microsoft-Server-ActiveSync
Any Help??
Eddie
Thank you for replying, but there is already an internal A record that points to the Exchange server. Firewall, external DNS and internal DNS are set up like this:
Firewall:
Ports 443 and 25 point to the internal IP of our Exchange 2013 (the only mail server in the company).
Port 80 not open.
External DNS records:
autodiscover.mydomain.com -> points to our WAN IP
remote.mydomain.com -> points to our WAN IP
mydomain.com -> points to external online webhosting
Internal DNS records:
autodiscover.mydomain.com -> points to our Exchange 2013 internal IP
remote.mydomain.com -> points to our Exchange 2013 internal IP
mydomain.com -> points to external online webhosting
The test from "ExchangeConnectivityTest.com" is successful but with warnings. The warnings are about https://mydomain.com/AutoDiscover/AutoDiscover.XML because https://mydomain.com is pointing to the website, which is hosted externally.
Eddie -
How to include a new root certificate in BlackBerry device
Dear Sir/Madam,
TWCA is a certification authority in Taiwan that provides security systems for internet banking, stock trading, e-commerce and SSL certification services in the Asia-Pacific region. TWCA wishes to add its root certificate to BlackBerry mobile devices so that our customers may use BlackBerry mobile devices to do internet banking and stock trading on secured SSL websites. Could you provide some information about the BlackBerry/RIM root certificate program?
Thanks and Regards.
Blues Lin
Hi and Welcome to the Forums!
It sounds like your question is of a formal nature -- as in you wish to communicate directly with RIM for your query. Unfortunately, these forums are not a user-to/from-RIM communication vehicle -- rather, they are a user-to-user support forum. As such, it is unlikely that anyone from RIM will see and respond to your question. Hopefully some other user knows how to advise you, but I just wanted to set your expectation correctly about what to expect from these forums.
Good luck!
Occam's Razor nearly always applies when troubleshooting technology issues! -
Authentication on a mobile device
We are getting ready to deploy our first mobile application. A snag has come up where we need to be able to authenticate a user to a device (such as a Android Phone or Tablet). We will have a secure VPN tunnel from the phone to our server.
Because it is a mobile device, I cannot rely on using an IP (they change).
Can I either read a certificate on the device, or can I read the MAC address of the device? Basically, I need to know that User X using Phone Y authenticated to the application at time Z.
Has anyone had to do this before? Is it even possible?
Using APEX 4.2.3
Oracle 11g.
Apex Listener.
Thank you in advance.
--Seattle
Do a Google search for "perl cgi get mac address"
in short: no
here is a question: (i don't know the answer)
would you see the actual MAC address of the device?
or would you see the 'virtual' MAC address created by the VPN connection?
(my guess is the 'virtual' one)
IMHO - You would be better off implementing the "limitation of access" within the VPN "server".
MK -
ISE integration with Mobile Device Management ( MDM ) help required
Dear Techies,
I am here to bring to your notice a different issue, with not many resources to support it even in PEC or Cisco documentation.
We are conducting a Proof Of Concept (PoC) on Secure Bring Your Own Device (BYOD) using Cisco ISE and are going to test all the scenarios like wired, wireless and VPN user access.
Setup Brief :
=========
Our setup has an ISE VM acting as Admin, Monitor and Profiling device; we have a NAC 3315 physical appliance as inline posture device, a Wireless LAN Controller, an access point, and Microsoft Active Directory as the identity source.
We have plans to integrate Mobile Device Management (MDM) and a Citrix VDI setup also.
Activity Brief:
=========
As of now we have tested the wired scenario authentication and authorization for guest users and are going to carry out the profiling and posture.
Clarifications Required
================
Wired scenario - require some configuration / steps on how to carry out posture for the guest wired users, i.e. laptops.
Wireless scenario
Can MDM be integrated with ISE?
How can MDM be integrated with Cisco ISE? Is there a configuration or guide to show the same?
What is the demarcation between MDM and ISE (i.e. what is the role of ISE and of MDM on mobile devices)?
If MDM is available, then when the control of ISE ends, does MDM do the management, or will ISE manage the devices?
Will MDM do client provisioning, or should ISE do it?
Does MDM send or update patches on mobile devices?
As of now these are the scenarios; kindly revert if there are any good documents to show this, or share your expertise on the integration part.
Thanks for Reading...
Arun
I would like to avail of your valuable inputs to understand the client provisioning part for mobile devices / laptops. I understand from your reply that MDM integration is not available in the current release ISE 1.1 - That is correct.
Kindly let me know your views or any documents on the following scenarios with the current release in mind
1. Users with mobile devices connecting to wireless (both employee and guest): how does the flow differ for the employee and the guest? How is the client provisioning done (i.e. like posturing or compliance check)?
The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the user's endpoint (Windows, Mac OS X, or a mobile device); ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, then they can either use the NAC agent or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance... and the list goes on. If the user fails a check then you can either assign an ACL for the user so they only have guest access, or you can place them into a remediation VLAN; the options are entirely up to the requirements and however the solution is implemented.
2. Users with laptops connecting to wireless (both employee and guest). How is the client provisioning done (i.e. like posturing or compliance check)?
Guests are usually redirected to the guest portal where they authenticate, and their user group falls within the Guest container that is on the ISE internal database; that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (DHCP, user agent string, netmap, etc.) and can be fine-tuned for all laptops or for a specific set of users based on their group membership.
3. What are the advantages of having ISE also in place for mobile devices, since most of the mobile-related tasks (like authentication, authorization, profiling and posture) are carried out by MDM? I am checking for the significant advantage of having ISE for a client network having only mobile devices. Kindly clarify.
Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products, since they are all part of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (VPN, etc.) and ISE are pretty close in building their solutions so that you can get connected with any device anywhere (sorry for the sales pitch). The latest wireless code is improving and is going to have support similar to the IOS sensor for wired devices, where DHCP, CDP, and other attributes can be sent in the RADIUS packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep), you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID, so that makes the budget work when it comes to deploying ISE if you aren't looking for enforcement on your wired devices.
4. Do you recommend 802.1X authentication for employees and contractors, and guest user authentication as open?
For internal users and vendors the best option by far is dot1x, almost all operating systems are capable of performing dot1x and the 1.1.1 MR has a piece now that can provision the supplicant for the users, by using scep to enroll certificates or configure peap settings.
There is a feature within the guest portal that allows you to statically assign guests into an endpoint group; that feature is called device registration web authentication. It seems like an open network but uses MAC filtering to assign these devices to an endpoint group without requiring users to enter any credentials. They are presented with an AUP page; once they accept, their MAC address is mapped to the endpoint group.
5. How can we ensure the encryption of traffic from the guest user to the NAD (network access device)?
This may be a wireless question, but I am sure the encryption is done using AES and using dot1x as the key management. Here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
You can also use the AnyConnect client, which can provide MACsec, which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
6. We are also looking for a VDI (Citrix, VMware) solution for the client (both employee and guest); how can ISE play a role in securing the VDI environment?
For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.
7. Is that any integration required with Citrix or VMware. How the VDI can be offered based on the User role ( i.e. Employee, Contractor or Guest ), since Guest database is available only with ISE, how the checks are made from the VDI environment.
IN ISE there is an identity sequence which can authenticate users in AD first, if the user is not found then it can look in the internal database.
Our solution demands MDM in the integrated solution, As on today ISE cant be integrated with MDM. so what kind of solution we can propose to have MDM and Cisco ISE .Do the clients now enter the network should have already installed the MDM agent (or) any other way of pushing the same to the Client.
Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
Thanks,
Tarik Admani
*Please rate helpful posts*
Hi,
Can anyone please let me know if we can access a Webdynpro ABAP application using a mobile device? If yes, what are the steps/procedure to be followed?
Thanks.
NP
Hello,
after 4 years, in 2012, I bought a tablet PC (Aldi Lifetab), installed a Firefox browser and the add-on cert-manager, and installed a client certificate. After doing this I can access Webdynpro for ABAP applications without any problems.
IOS Mobile Device Management - The SCEP server returned an invalid response
I am in the process of writing an open source iOS mobile device management module in Java. For this I am referring to the Apple-provided Ruby code at [1]. I have set this up and it works fine for me. Now I need to convert this code to Java. So far I have managed to do that up to PKIOperation. In the PKI operation I get "The SCEP server returned an invalid response", which I believe is due to a wrong response I send to the device upon PKIOperation.
However, when I search on the internet I find that this has something to do with "maxHttpHeaderSize", as I am using Apache Tomcat as the server. Although I increased that, it still does not get resolved.
Here is the code I need to convert, taken from the Apple-provided Ruby script:
    if query['operation'] == "PKIOperation"
      p7sign = OpenSSL::PKCS7::PKCS7.new(req.body)
      store = OpenSSL::X509::Store.new
      p7sign.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY)
      signers = p7sign.signers
      p7enc = OpenSSL::PKCS7::PKCS7.new(p7sign.data)
      csr = p7enc.decrypt(@@ra_key, @@ra_cert)
      cert = issueCert(csr, 1)
      degenerate_pkcs7 = OpenSSL::PKCS7::PKCS7.new()
      degenerate_pkcs7.type="signed"
      degenerate_pkcs7.certificates=[cert]
      enc_cert = OpenSSL::PKCS7.encrypt(p7sign.certificates, degenerate_pkcs7.to_der,
                                        OpenSSL::Cipher::Cipher::new("des-ede3-cbc"), OpenSSL::PKCS7::BINARY)
      reply = OpenSSL::PKCS7.sign(@@ra_cert, @@ra_key, enc_cert.to_der, [], OpenSSL::PKCS7::BINARY)
      res['Content-Type'] = "application/x-pki-message"
      res.body = reply.to_der
    end
So this is how I wrote this in Java using the Bouncy Castle library.
    // Issue the device certificate from the CSR carried in the PKCSReq.
    X509Certificate generatedCertificate = generateCertificateFromCSR(
            privateKeyCA, certRequest, certCA.getIssuerX500Principal().getName());

    // The enveloped content of a SCEP CertRep is a degenerate (certificates-only)
    // SignedData holding the issued certificate, which is what degenerate_pkcs7
    // is in the Ruby sample; enveloping generatedCertificate.getEncoded() directly
    // gives the device raw X.509 bytes where it expects a PKCS#7 ContentInfo.
    CMSSignedDataGenerator degenerateGen = new CMSSignedDataGenerator();
    degenerateGen.addCertificates(new JcaCertStore(
            Collections.singletonList(generatedCertificate)));
    CMSSignedData degeneratePkcs7 = degenerateGen.generate(new CMSAbsentContent());
    CMSTypedData msg = new CMSProcessableByteArray(degeneratePkcs7.getEncoded());

    // Envelope for the device; the recipient is the self-signed certificate it sent.
    CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
    edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(receivedCert)
            .setProvider(AppConfigurations.PROVIDER));
    CMSEnvelopedData envelopedData = edGen.generate(msg,
            new JceCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC)
                    .setProvider(AppConfigurations.PROVIDER).build());

    // Outer SignedData, signed by the RA and carrying the RA certificate.
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    ContentSigner sha1Signer = new JcaContentSignerBuilder(AppConfigurations.SIGNATUREALGO)
            .setProvider(AppConfigurations.PROVIDER).build(privateKeyRA);
    List<X509Certificate> certList = new ArrayList<X509Certificate>();
    certList.add(certRA);
    Store certs = new JcaCertStore(certList);
    CMSTypedData cmsByteArray = new CMSProcessableByteArray(envelopedData.getEncoded());
    gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
            new JcaDigestCalculatorProviderBuilder()
                    .setProvider(AppConfigurations.PROVIDER).build())
            .build(sha1Signer, certRA));
    gen.addCertificates(certs);
    // true: encapsulate the enveloped data inside the SignedData
    CMSSignedData sigData = gen.generate(cmsByteArray, true);
    return sigData.getEncoded();
The returned result here is written to the servlet output stream with the content type "application/x-pki-message".
It seems I get the CSR properly, and I generate the X509Certificate using the following code.
    public static X509Certificate generateCertificateFromCSR(
            PrivateKey privateKey, PKCS10CertificationRequest request,
            String issueSubject) throws Exception {
        // Validity window: from yesterday until two years from now.
        Calendar targetDate1 = Calendar.getInstance();
        targetDate1.setTime(new Date());
        targetDate1.add(Calendar.DAY_OF_MONTH, -1);
        Calendar targetDate2 = Calendar.getInstance();
        targetDate2.setTime(new Date());
        targetDate2.add(Calendar.YEAR, 2);
        // yesterday
        Date validityBeginDate = targetDate1.getTime();
        // in 2 years
        Date validityEndDate = targetDate2.getTime();

        // Subject and public key are taken from the CSR; the serial is the current time.
        X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(
                new X500Name(issueSubject),
                BigInteger.valueOf(System.currentTimeMillis()),
                validityBeginDate, validityEndDate,
                request.getSubject(),
                request.getSubjectPublicKeyInfo());
        certGen.addExtension(X509Extension.keyUsage, true, new KeyUsage(
                KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

        // Sign with the CA key and convert to a JCA X509Certificate.
        ContentSigner sigGen = new JcaContentSignerBuilder(AppConfigurations.SHA256_RSA)
                .setProvider(AppConfigurations.PROVIDER).build(privateKey);
        X509Certificate issuedCert = new JcaX509CertificateConverter()
                .setProvider(AppConfigurations.PROVIDER)
                .getCertificate(certGen.build(sigGen));
        return issuedCert;
    }
The generated certificate's common name is:
Common Name: mdm(88094024-2372-4c9f-9c87-fa814011c525)
Issuer: mycompany Root CA (93a7d1a0-130b-42b8-bbd6-728f7c1837cf), None
[1] - https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html