Anyconnect and client certificates for dynamic access policies (dap)

Similar Messages

• AnyConnect and client certificate

  Hi,
  I was looking at 'BRKSEC-3033 - Advanced AnyConnect Deployment' on Ciscovirtuallive.
  On that session the presenter says that:
  "Issuer of client certificate may not be the same as the issuer of the ASA certificate."
  With my basic PKI understanding :-),  anyone know why you cant have the same certificate issuer? 
  It's a good presentation, can recommend it.
  BR
  Micke

  Hello Mikael,
  You DO can have the same certificate issuer!!
  I think he said it was an option to not have it with AnyConnect but as your PKI understanding  states you do can have it like that.
  Regards,
  Julio
  Do rate all the helpful posts

• How to install IPSec Client Certificate for Apple products (iPad,iPhoe and Mac)

  We need  Ipsec vpn client authentication with certificate (instead of pre-shared key). We tested the same with Windows client and its works fine. However when we used the same certificates with Apple products (iPad, iPhoe and Mac) it doesnt work.
  We have two types of certificates installed on the client from the CA server.
  One is the root certificate with the extenstion .cer
  and the other one is client certificate with the extension of .pfx (personal informaiton exchange)
  We can not find a proper document to install certificates and client configuration for iPad,iPhoe and Mac. We need to know what type of certificates needed, what are the certificate formats and how to install etc.
  Appreciate if someone has implemented this and share any documents.
  thanks

  This will be helpful for you :-
  http://images.apple.com/iphone/business/docs/iOS_Certificates_Mar12.pdf
  Manish

• What is the option client certificate for user authentication used for?

  Hi All,
  I have to work on a FTPS - XI -SAP scenario.
  I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. what exactly is this option used for?
  P.S: I went through sap help but couldnt quite understand.

  Thanks a lot Mark.
  So for a FTPS -> XI -> SAP scenario the following settings are required.
  1. I have to create a certificate in Visual Admin for the XI server , send a csr to a CA and get it signed by them, and i have to add this to the ssl_service view.
  2. I have to hand over the public key to the FTPS server & this key will be used for encryption of the file
  the above 2 steps are mandatory.
  If i choose to use the client certificate option , i have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
  Will this certificate be used for encryption?
  To make it clear let me put it this way. The certificate created in the XI Server is used for encryption and also for ascertaining that the its what it claims to be.
  The clients certificate option is used only to make sure that the client is what its claiming to be & this is not used for encryption?

• JDBC Thin Connections with SSL and client certificates

  Hi ,
  we are going have a look at JDBC Thin Connections with SSL and client certificates.
  I have two questions:
  1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
  2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
  Thanks for your help
  regards
  Markus Reichert

  I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
  Steps to add the SSL Certificate:
  1. Run the form with the https mode in the IE Browser.
  2. Security Alert is raised.
  3. Click on the View Certificate button.
  4. In the Certificate Window, click on the Details tab.
  5. Click on the Copy to File button to copy the certificate.
  6. Copy the certificate and append to the certdb.txt file.

• Self Service Requests for OIM Access Policies

  In the absence of a Role Management product, is there a good way to enable OIM End User Self Service to process requests and approvals for OIM Access Policies or OIM Groups?
  Any suggestions are appreciated!
  KC

  Ultimately the group membership will trigger an access policy. The access policy assignment is the goal, the group assignment is the typical method to assign the access policy to the user.
  When creating a dummy resource, I assume that resource would have a lookup on the form to select the group name. Is this what you are suggesting?
  KC

• AnyConnect SSL-client Certificate AND AAA RADIUS

  Hi All,
  I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
  I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
  Here are some relevant log messages I'm getting:
  Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
  Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
  Certificate chain was successfully validated with warning, revocation status was not checked.
  Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
  Device completed SSL handshake with client outside:72.91.xx.xx/42501
  Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
  Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
  Relevant Config:
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  authentication-server-group RADIUS
  default-group-policy GroupPolicy1
  tunnel-group SSLClientProfile webvpn-attributes
  authentication aaa certificate
  radius-reject-message
  pre-fill-username ssl-client
  group-alias SSLClientProfile enable
  group-url https://URL enable
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  wins-server none
  dns-server value <ip1> <ip2>
  vpn-tunnel-protocol ssl-client
  default-domain value xxxxxxxx
  address-pools value VPNPOOL
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.102.242
  key *****
  aaa-server RADIUS (inside) host 192.168.240.242
  key *****
  ASA version 8.4
  What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

  PRogress....
  I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

• SAN certificate for external access for edge server and reverse proxy

  Hello
  I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
  For external access and mobile user's , Iwant to enable all the feature for external user's .
  im planning to purchase san certificate ,
  my first question do I need only one SAN for both my edge server and the reverse proxy ?
  my second question about the name's that shoud be added to the certificate ?
  sip.mydomain.com
  av.mydomain.com
  webconf.mydomain.com
  what else I should add ? I want to add the names for all feature access.
  Kind Regards
  MK

  Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
  If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
  You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network.  Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
  SAN on your cert.
  Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 
  Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
  can present the third party certificate.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

  Hi,
  I want to consume a Java Web service from Dotnet based client Application. The service require one Certificate("abc.PFX") for Two Way SSL purpose and another certificate("xyz.pfx") for WS security purpose to be passed from client Application(Dotnet
  Console based). I tried configuring the App.config of Client application to pass both the certs but getting Error says:
  Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
  Please suggest how to pass both the certs from client Application..

  Hi,
  This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
  And for more information, you could refer to:
  http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
  Regards

• How to install and use a client certificate for use with https sites on Android?

  I need to be able to install a .p12 client side certificate to be sent to the admin section of my company's site to authenticate me as an employee. In FireFox for PC there is the ability to install this client certificate. In the mobile I cannot figure out how to get this to work.
  I just bought an Asus Transformer Android Tablet running Honeycomb. I have tried the following method below:
  http://support.mozilla.com/en-US/questions/786035
  I get to the screen where I am able to present and choose a certificate but I still get the (Error code: ssl_error_handshake_failure_alert).
  Now that Android is really picking up steam, there needs to be a way to install client side certificates to present to sites requesting them.
  Is there another way to hack the system to allow or install a client side certificate in .p12 format?

  Sorry, there's not a good way to install client certificates in Firefox 4 for Android. A bug has been filed, and any work that we do on adding this feature will be tracked here:
  https://bugzilla.mozilla.org/show_bug.cgi?id=478938

• How to get Client ID and Client Secret for Office App for Word which accessing SharePoint Online

  we currently implementing an Office App for MS Word which access SharePoint list and get data from lists. Our aim is any user can get this app from Office App store and enter their SharePoint URL and browse their own SharePoint lists and use those. When
  I was checking mechanisms which you used to access SharePoint, in some of them have used ClientId and Client Secret to authenticate with SharePoint. I have following questions.
  1.If I want to sell my app using Office app store where can I get those clientId and client secret which is used to  get the access tokens.
  2.Is it possible to create SharePoint app and publish it to SharePoint app store and get clientId and client secret and use it when accessing through office. So users first download our SharePoint app install it to their SharePoint environment then get out
  Office App from Office app store and add it to word. Will this work?

  Hi,
  >> We are planning to develop an Office app to access SharePoint Online and SharePoint on Premise from Microsoft word.
  I’m not very familiar with SharePoint development, so please correct me if I have any misunderstandings about your requirement.
  The basic components of an app for Office are an XML manifest file and the default webpage of your app (server side).
  >> If I'm publishing my Office App for Word in to the Microsoft office app store, how do I get the ClientId and ClientSecret which I need to pass to authenticate with SharePoint online?
  As far as I know, when register your web app to SharePoint Online, you will get the ClientId and ClientSecret from the Azure Active Directory. And you need to store the Client ID and Client
  Secret on the app server side.
  For details, you could reference the article
  Building an Office 365 ASP.NET MVC app.
  >> If ClientId and ClientSecret not providing when we publishing Word Office App to the app store how what the ways which we can use to authenticate with SharePoint using Word Office app?
  You don’t need to provide the ClientId and ClientSecret when publishing your App to App Store. They are stored on your app server side.
  By the way, if you have the question about how to access the SharePoint resource in a Web Application, I will suggest you posting the questions to
  SharePoint Development Forum. For this forum, we mainly discuss the questions about using the Office JavaScript API to develop Apps for Office.
  Regards,
  Jeffrey
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Router WebVPN and client certificate

  Hello!
  In my test lab I can't to make work my webvpn configuration =\
  I have several components: MS AD, MS CS (but without NDES), router 2911 and client computer. Client and router have a certificate from MS CS. In my configuration I use authentication by certificate or aaa (LDAP) and authentication by aaa working good. But authentication by client certificate doesn't work. And my internal https services don't work also -  "Invalid or no certificate", but this strange because I imported CA certificate for this.
  Can you help me make it works?
  My 2911 version:
  Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
  My Config:
  aaa authentication login webvpn group ldap local
  ip local pool webvpn 192.168.200.1 192.168.200.254
  bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd
  webvpn gateway vpn
  ip address <ip address> port 4443
  ssl trustpoint root-ca
  inservice
  webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
  webvpn context employee
  ssl authenticate verify all
  login-message "VPN Portal"
  policy group policy1
     url-list "inside"
     functions svc-enabled
     filter tunnel VPN-SPLIT
     svc address-pool "webvpn" netmask 255.255.255.0
     svc default-domain "domain.com"
     svc keep-client-installed
     svc split dns "domain.com"
     svc split include 192.168.0.0 255.255.0.0
     svc dns-server primary 192.168.1.1
     svc dns-server secondary 192.168.1.2
     citrix enabled
  virtual-template 1
  default-group-policy policy1
  aaa authentication list webvpn
  gateway vpn
  authentication certificate
  username-prefill
  ca trustpoint root-ca
  user-profile location flash0:/userprof
  inservice
  crypto pki trustpoint root-ca
  enrollment terminal
  revocation-check none
  rsakeypair root-ca
  I imported certificate from pkcs12 with CA certificate.
  From my debug (this is happend then i try to access to my webvpn portal and I choose my certificate from MS CS for access)
  Jun  5 11:22:39: WV: validated_tp :  cert_username :  matched_ctx :
  Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl
  Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl
  Jun  5 11:22:39: WV: Error: No certificate validated for the client
  Can anybody explain me why it doesn't work?

  Hi,
  did you find any solution for this? As I am in it seems the same situation now.
  I am testing it with Cisco 2911 - IOS version 151-3.T4 and last anyconnect client for Android (Samsung Galaxy S III mobile)
  Thanx for any advice/help
  Pavel

• Lync 2010 : Using same FQDN and IP address for SIP access Edge, Web Conferencing Edge, A/V Edge

  Hi Friends,
  Please assist on below query.
  Will it possible to use the same FQDN in Lync Edge? Since it has different Port numbers for each service, one public IP  for all FQDN for access will save me purchasing multiple Certificates for SANs
  FQDN
  IP Address
  Port
  Map to
  Sip.domain.com
  12.34.34.34
  5061 (TLS)
   SIP Access Edge
  Sip.domain.com
  12.34.34.34
  444(TLS
  Web Conferencing Edge
  Sip.domain.com
  12.34.34.34
  443(TCP
  A/V Edge
  I have a wildcard SSL purchased already and for this purpose I need to purchase more certificates per SAN if unique FQDN required.
  Thank You.

  Yes, although a wildcard entry only will not work entirely for all Lync clients and versions.
  I would suggest something like this:
  Edge External
  CN: sip.domain.com
  SAN: sip.domain.com, webconf.domain.com
  Reverse Proxy Listener(s)
  CN: lyncwebexternal.domain.com
  SAN: lyncwebexternal.domain.com, *.domain.com
  The wilcard entrty can replace the SimpleURLs (meet, dialin) but some clients (like any Lync Phone Edition devices prior to the June 2012 firmware) do not support wildcard entries so providing the external web services FQDN is required.  also never
  put the wildcard etry in the Common Name as devices/client that do not support wildcard entries may be tripped up there and then never even look at the SAN field.
  A cheaper alternative (although not typically recommended, this does work) would be to use a single certificate for both servers, like this:
  Edge/RP Combo Cert
  CN: sip.domain.com
  SAN: sip.domain.com, webconf.domain.com, lyncwebexternal.domain.com, *.domain.com
  Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

• ASA Dynamic Access Policies Issues

  Hi
  I have created a simple DAP to match a specific tunnel group (AAA attribute) and also to match endpoint attributes matching AnyConnect client version 3.1.xx and OS as Win7. When i test the DAPs on ASDM, i see that the custom one i created is selected. However when i actually connect from a client matching the specified AAA and endpoint attributes, the selected DAP is the default one. My aim is to be able to match custom DAPs for different connection profiles (plan to configure more later) so i can then set the action on the default DAP to terminate but i seem to be stuck on this.
  I have looked at my config over and again and i guess if the solution could bite me, it would have but i can't seem to find what i need to do to fix this.
  Appreciate any and every help here
  Seyi
  ========
  Test DAP
  ========
  DAP_TRACE: DAP_open: 778B5E18
  DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
  DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
  DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
  DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
  DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
  DAP_TRACE: name = endpoint["anyconnect"]["clientversion"], value = "3.1.03103"
  DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
  DAP_TRACE: name = endpoint["os"]["version"], value = "Windows 7"
  DAP_TRACE: Selected DAPs: ,POLICY-RSA
  DAP_TRACE: dap_process_selected_daps: selected 1 records
  DAP_TRACE: dap_aggregate_attr: rec_count = 1
  DAP_TRACE: dap_comma_str_fcn: [,] 1 128
  DAP_TRACE: DAP_close: 778B5E18
  ========================
  Actual Client Connection
  ========================
  DAP_TRACE: DAP_open: 79E0EA38
  DAP_TRACE: Username: user1, aaa.cisco.grouppolicy = POLICY-RSA
  DAP_TRACE: Username: user1, aaa.cisco.username = user1
  DAP_TRACE: Username: user1, aaa.cisco.username1 = user1
  DAP_TRACE: Username: user1, aaa.cisco.username2 =
  DAP_TRACE: Username: user1, aaa.cisco.tunnelgroup = POLICY-RSA
  DAP_TRACE: Username: user1, DAP_add_SCEP: scep required = [FALSE]
  DAP_TRACE: Username: user1, DAP_add_AC:
  endpoint.anyconnect.clientversion="3.1.03103";
  endpoint.anyconnect.platform="win";
  DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
  DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
  DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
  DAP_TRACE: name = aaa["cisco"]["username"], value = "user1"
  DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="user1"
  DAP_TRACE: name = aaa["cisco"]["username1"], value = "user1"
  DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
  DAP_TRACE: name = aaa["cisco"]["username2"], value = ""
  DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
  DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
  DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"
  DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"
  DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
  DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
  DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
  DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
  DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
  DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
  DAP_TRACE: Username: user1, Selected DAPs:
  DAP_TRACE: dap_process_selected_daps: selected 0 records
  DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
  DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
  DAP_TRACE: Username: user1, DAP_close: 79E0EA38

  Hi Seyi,
  The problem lies here if you check the ouput of the debug dap trace of the client Pc which is as follow
  DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
  DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
  DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
  DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
  DAP_TRACE: Username: user1, Selected DAPs:
  DAP_TRACE: dap_process_selected_daps: selected 0 records
  DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
  DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
  I don't see it looking for OS version Check.
  Ideally it should and this entry should have been there in the debug dap trace
  endpoint["os"]["version"], value = "Windows 7
  And in the DAP policy that you have created you have mentioned 2 end point attributes to be checked which are as follow
  endpoint.anyconnect.clientversion, value = "3.1.03103
  endpoint["os"]["version"], value = "Windows 7
  Since it is not matching both the enpoint attributes it is falling on the
  DfltAccessPolicy
  Please let me know the host scan image that you have got.
  Try with the hostscan_3.1.03103-k9.pkg.
  And then check.
  HTH
  Regards
  Raj Kumar

• UTL_HTTP and client certificate request

  I am hoping that someone can help me. We have a web site that we need to hit and pull the html code back from the pages and we have the code to get what we need but the website now has an option where it requests a client certificate from a user for authentication or if you cancel the request it will then ask you for username and password. I cannot figure out how to submit a cancel on the client certificate request so that my application can submit the username and password authentication. Does anyone have an idea or example to do this? Also if you submit a bad certificate it will prompt you for authentication. So if someone knows how to submit client certificates that would be helpful as well.
  Thanks in advance.

  I've never faced this issue but you might want to look at using UTL_TCP rather than UTL_HTTP.
  http://www.psoug.org/reference/utl_tcp.html