AnyConnect and client certificates for dynamic access policies (DAP)
I'm faced with the challenge of rolling out AnyConnect to our clients (which I've done before at another job) but in this case we want to 'NAC' vpn clients... We're still in discussion around the security policy and those details, but I wanted to see if folks on this forum could chime in with their experience on this.
We have a mix of Windows, Linux and Macs that are corporate issued devices that should receive some form of posture checking and then be granted access. Personal devices would also be subjected to some level of posture checking, but if during the initial scan it was deemed that this is not a corporate machine, then that machine would have very limited access.
From what I've read, the OS agnostic route to take is using certificates. I'm looking for design tips or docs that would assist in rolling this out. We do not have a PKI infrastructure today. So some of the questions I have are:
Can the ASA manage all of the client issued certs? From enrollment to revocation?
Or would I look to my Windows infrastructure for that? And if so, how does that integrate with the ASA?
Client certs vs machine certs?
Any advice from high level to low level or partial answers would be appreciated...
Thanks
"Can the ASA manage all of the client issued certs? From enrollment to revocation?"
Yes, please check the Cisco URL below for the configuration method.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1067758
Hope that helps.
thanks
Rizwan Rafeek
Similar Messages
-
AnyConnect and client certificate
Hi,
I was looking at 'BRKSEC-3033 - Advanced AnyConnect Deployment' on Ciscovirtuallive.
On that session the presenter says that:
"Issuer of client certificate may not be the same as the issuer of the ASA certificate."
With my basic PKI understanding :-), anyone know why you cant have the same certificate issuer?
It's a good presentation, can recommend it.
BR
Micke
Hello Mikael,
You CAN have the same certificate issuer!!
I think he said it was an option to not have it with AnyConnect, but as your PKI understanding states, you can have it like that.
Regards,
Julio
Do rate all the helpful posts -
How to install IPSec Client Certificate for Apple products (iPad, iPhone and Mac)
We need IPsec VPN client authentication with certificate (instead of pre-shared key). We tested the same with a Windows client and it works fine. However, when we used the same certificates with Apple products (iPad, iPhone and Mac) it doesn't work.
We have two types of certificates installed on the client from the CA server.
One is the root certificate with the extension .cer
and the other one is the client certificate with the extension .pfx (personal information exchange)
We cannot find a proper document to install certificates and client configuration for iPad, iPhone and Mac. We need to know what type of certificates are needed, what the certificate formats are and how to install them, etc.
Appreciate if someone has implemented this and share any documents.
thanks
This will be helpful for you:
http://images.apple.com/iphone/business/docs/iOS_Certificates_Mar12.pdf
Manish -
What is the option client certificate for user authentication used for?
Hi All,
I have to work on a FTPS - XI -SAP scenario.
I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. What exactly is this option used for?
P.S: I went through SAP help but couldn't quite understand.
Thanks a lot Mark.
So for a FTPS -> XI -> SAP scenario the following settings are required.
1. I have to create a certificate in Visual Admin for the XI server, send a CSR to a CA and get it signed by them, and I have to add this to the ssl_service view.
2. I have to hand over the public key to the FTPS server & this key will be used for encryption of the file.
The above 2 steps are mandatory.
If I choose to use the client certificate option, I have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
Will this certificate be used for encryption?
To make it clear let me put it this way. The certificate created in the XI Server is used for encryption and also for ascertaining that it is what it claims to be.
The client's certificate option is used only to make sure that the client is what it's claiming to be & this is not used for encryption? -
JDBC Thin Connections with SSL and client certificates
Hi ,
we are going have a look at JDBC Thin Connections with SSL and client certificates.
I have two questions:
1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
Thanks for your help
regards
Markus Reichert
I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under the $Jinitiator_Home/lib/security folder.
Steps to add the SSL Certificate:
1. Run the form with the https mode in the IE Browser.
2. Security Alert is raised.
3. Click on the View Certificate button.
4. In the Certificate Window, click on the Details tab.
5. Click on the Copy to File button to copy the certificate.
6. Copy the certificate and append to the certdb.txt file. -
Self Service Requests for OIM Access Policies
In the absence of a Role Management product, is there a good way to enable OIM End User Self Service to process requests and approvals for OIM Access Policies or OIM Groups?
Any suggestions are appreciated!
KC
Ultimately the group membership will trigger an access policy. The access policy assignment is the goal; the group assignment is the typical method to assign the access policy to the user.
When creating a dummy resource, I assume that resource would have a lookup on the form to select the group name. Is this what you are suggesting?
KC -
AnyConnect SSL-client Certificate AND AAA RADIUS
Hi All,
I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
Here are some relevant log messages I'm getting:
Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
Certificate chain was successfully validated with warning, revocation status was not checked.
Tunnel group search using certificate maps failed for peer certificate: serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name: cn=Cisco Manufacturing CA,o=Cisco Systems.
Device completed SSL handshake with client outside:72.91.xx.xx/42501
Group SSLClientProfile: Authenticating ssl-client connection from 72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client certificate
Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by appliance
Relevant Config:
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group RADIUS
default-group-policy GroupPolicy1
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
radius-reject-message
pre-fill-username ssl-client
group-alias SSLClientProfile enable
group-url https://URL enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value <ip1> <ip2>
vpn-tunnel-protocol ssl-client
default-domain value xxxxxxxx
address-pools value VPNPOOL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.102.242
key *****
aaa-server RADIUS (inside) host 192.168.240.242
key *****
ASA version 8.4
What am I doing wrong? It will not send the request to the AAA server, very much frustrating me...
Progress....
I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts? -
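As an added illustration (not code from the thread or from Cisco), the following Python parses ASA log lines like those quoted above and pulls out what the certificate-authentication path hands you: the peer certificate's subject and issuer DN, the username the ASA pre-filled from the CN (the `pre-fill-username ssl-client` behaviour), and the two warnings in this trace that an operator should not ignore (revocation status not checked, no certificate-map match). The log text is a constructed copy of the messages in the post with the same placeholders; the function names are my own.

```python
import re

# Constructed sample, modelled on the ASA messages quoted in the thread above
# (addresses and serial numbers are placeholders, as in the post).
SAMPLE_LOG = """\
Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
Certificate chain was successfully validated with warning, revocation status was not checked.
Tunnel group search using certificate maps failed for peer certificate: serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name: cn=Cisco Manufacturing CA,o=Cisco Systems.
Device completed SSL handshake with client outside:72.91.xx.xx/42501
Group SSLClientProfile: Authenticating ssl-client connection from 72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client certificate
"""

# "serial number: X, subject name: DN" optionally followed by ", issuer_name: DN"
CERT_RE = re.compile(
    r"serial number: (?P<serial>[^,]+), subject name: (?P<subject>.*?)"
    r"(?:, issuer_name: (?P<issuer>.*))?$"
)
# The username the ASA derived from the certificate for the AAA step
USER_RE = re.compile(r"with username, (?P<user>[^,]+), from client certificate")


def parse_dn(dn):
    """Parse a comma-separated DN such as 'cn=foo,ou=bar,o=Cisco Systems'
    into a dict keyed by lower-cased attribute type.  The first value of a
    repeated type wins; trailing sentence periods from the log are dropped."""
    attrs = {}
    for rdn in dn.rstrip(".").split(","):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().lower(), value.strip())
    return attrs


def audit_cert_auth(log_text):
    """Summarise one certificate-authenticated AnyConnect attempt: peer
    certificate identity, the pre-filled username, and whether the ASA
    skipped revocation checking or failed to match a certificate map."""
    summary = {
        "serial": None,
        "subject": {},
        "issuer": {},
        "prefilled_username": None,
        "revocation_checked": True,
        "cert_map_matched": True,
    }
    for line in log_text.splitlines():
        m = CERT_RE.search(line)
        if m:
            summary["serial"] = m.group("serial")
            summary["subject"] = parse_dn(m.group("subject"))
            if m.group("issuer"):
                summary["issuer"] = parse_dn(m.group("issuer"))
        if "revocation status was not checked" in line:
            summary["revocation_checked"] = False
        if "Tunnel group search using certificate maps failed" in line:
            summary["cert_map_matched"] = False
        m = USER_RE.search(line)
        if m:
            summary["prefilled_username"] = m.group("user")
    return summary


def username_matches_cn(summary):
    """With 'pre-fill-username ssl-client' the ASA takes the username from
    the certificate CN; confirm the log shows exactly that."""
    return summary["prefilled_username"] == summary["subject"].get("cn")


if __name__ == "__main__":
    result = audit_cert_auth(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key:20} {value}")
    print("username taken from CN:", username_matches_cn(result))
```

The `revocation_checked` and `cert_map_matched` flags are the two things to watch in a trace like this: the first tells you the chain was accepted without consulting a CRL or OCSP responder, and the second tells you the connection fell through to the tunnel group chosen by URL or alias rather than one selected from the certificate.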
SAN certificate for external access for edge server and reverse proxy
Hello
I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
For external access and mobile users, I want to enable all the features for external users.
I'm planning to purchase a SAN certificate.
My first question: do I need only one SAN for both my edge server and the reverse proxy?
My second question is about the names that should be added to the certificate:
sip.mydomain.com
av.mydomain.com
webconf.mydomain.com
what else I should add ? I want to add the names for all feature access.
Kind Regards
MK
Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.
SWC Unified Communications
This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Hi,
I want to consume a Java Web service from a Dotnet based client Application. The service requires one Certificate ("abc.PFX") for Two Way SSL purposes and another certificate ("xyz.pfx") for WS security purposes to be passed from the client Application (Dotnet Console based). I tried configuring the App.config of the Client application to pass both the certs but I get an Error saying:
Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
Please suggest how to pass both the certs from the Client Application.
Hi,
This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
And for more information, you could refer to:
http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
Regards -
How to install and use a client certificate for use with https sites on Android?
I need to be able to install a .p12 client side certificate to be sent to the admin section of my company's site to authenticate me as an employee. In FireFox for PC there is the ability to install this client certificate. In the mobile I cannot figure out how to get this to work.
I just bought an Asus Transformer Android Tablet running Honeycomb. I have tried the following method below:
http://support.mozilla.com/en-US/questions/786035
I get to the screen where I am able to present and choose a certificate but I still get the (Error code: ssl_error_handshake_failure_alert).
Now that Android is really picking up steam, there needs to be a way to install client side certificates to present to sites requesting them.
Is there another way to hack the system to allow or install a client side certificate in .p12 format?
Sorry, there's not a good way to install client certificates in Firefox 4 for Android. A bug has been filed, and any work that we do on adding this feature will be tracked here:
https://bugzilla.mozilla.org/show_bug.cgi?id=478938 -
How to get Client ID and Client Secret for Office App for Word which accessing SharePoint Online
We are currently implementing an Office App for MS Word which accesses SharePoint lists and gets data from them. Our aim is that any user can get this app from the Office App store, enter their SharePoint URL and browse their own SharePoint lists and use those. When I was checking mechanisms which you used to access SharePoint, in some of them ClientId and Client Secret have been used to authenticate with SharePoint. I have the following questions.
1. If I want to sell my app using the Office app store, where can I get the clientId and client secret which are used to get the access tokens?
2. Is it possible to create a SharePoint app and publish it to the SharePoint app store and get a clientId and client secret and use it when accessing through Office? So users first download our SharePoint app and install it into their SharePoint environment, then get our Office App from the Office app store and add it to Word. Will this work?
Hi,
>> We are planning to develop an Office app to access SharePoint Online and SharePoint on Premise from Microsoft word.
I’m not very familiar with SharePoint development, so please correct me if I have any misunderstandings about your requirement.
The basic components of an app for Office are an XML manifest file and the default webpage of your app (server side).
>> If I'm publishing my Office App for Word in to the Microsoft office app store, how do I get the ClientId and ClientSecret which I need to pass to authenticate with SharePoint online?
As far as I know, when you register your web app with SharePoint Online, you will get the ClientId and ClientSecret from Azure Active Directory. And you need to store the Client ID and Client Secret on the app server side.
For details, you could reference the article
Building an Office 365 ASP.NET MVC app.
>> If ClientId and ClientSecret not providing when we publishing Word Office App to the app store how what the ways which we can use to authenticate with SharePoint using Word Office app?
You don’t need to provide the ClientId and ClientSecret when publishing your App to App Store. They are stored on your app server side.
By the way, if you have a question about how to access SharePoint resources in a Web Application, I would suggest posting the question to the SharePoint Development Forum. In this forum, we mainly discuss questions about using the Office JavaScript API to develop Apps for Office.
Regards,
Jeffrey
-
Router WebVPN and client certificate
Hello!
In my test lab I can't make my webvpn configuration work =\
I have several components: MS AD, MS CS (but without NDES), router 2911 and client computer. Client and router have a certificate from MS CS. In my configuration I use authentication by certificate or aaa (LDAP), and authentication by aaa works well. But authentication by client certificate doesn't work. And my internal https services don't work either - "Invalid or no certificate", but this is strange because I imported the CA certificate for this.
Can you help me make it work?
My 2911 version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
My Config:
aaa authentication login webvpn group ldap local
ip local pool webvpn 192.168.200.1 192.168.200.254
bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd
webvpn gateway vpn
ip address <ip address> port 4443
ssl trustpoint root-ca
inservice
webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
webvpn context employee
ssl authenticate verify all
login-message "VPN Portal"
policy group policy1
url-list "inside"
functions svc-enabled
filter tunnel VPN-SPLIT
svc address-pool "webvpn" netmask 255.255.255.0
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.1.1
svc dns-server secondary 192.168.1.2
citrix enabled
virtual-template 1
default-group-policy policy1
aaa authentication list webvpn
gateway vpn
authentication certificate
username-prefill
ca trustpoint root-ca
user-profile location flash0:/userprof
inservice
crypto pki trustpoint root-ca
enrollment terminal
revocation-check none
rsakeypair root-ca
I imported certificate from pkcs12 with CA certificate.
From my debug (this happened when I tried to access my webvpn portal and chose my certificate from MS CS for access):
Jun 5 11:22:39: WV: validated_tp : cert_username : matched_ctx :
Jun 5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun 5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun 5 11:22:39: WV: Error: No certificate validated for the client
Can anybody explain to me why it doesn't work?
Hi,
did you find any solution for this? It seems I am in the same situation now.
I am testing it with a Cisco 2911 - IOS version 151-3.T4 and the latest AnyConnect client for Android (Samsung Galaxy S III mobile).
Thanx for any advice/help
Pavel -
Hi Friends,
Please assist on below query.
Will it be possible to use the same FQDN in Lync Edge? Since it has different port numbers for each service, one public IP for all FQDNs for access will save me purchasing multiple certificates for SANs.
FQDN             IP Address     Port          Map to
Sip.domain.com   12.34.34.34    5061 (TLS)    SIP Access Edge
Sip.domain.com   12.34.34.34    444 (TLS)     Web Conferencing Edge
Sip.domain.com   12.34.34.34    443 (TCP)     A/V Edge
I have a wildcard SSL purchased already and for this purpose I need to purchase more certificates per SAN if unique FQDN required.
Thank You.
Yes, although a wildcard entry only will not work entirely for all Lync clients and versions.
I would suggest something like this:
Edge External
CN: sip.domain.com
SAN: sip.domain.com, webconf.domain.com
Reverse Proxy Listener(s)
CN: lyncwebexternal.domain.com
SAN: lyncwebexternal.domain.com, *.domain.com
The wildcard entry can replace the SimpleURLs (meet, dialin) but some clients (like any Lync Phone Edition devices prior to the June 2012 firmware) do not support wildcard entries, so providing the external web services FQDN is required. Also never put the wildcard entry in the Common Name, as devices/clients that do not support wildcard entries may be tripped up there and then never even look at the SAN field.
A cheaper alternative (although not typically recommended, this does work) would be to use a single certificate for both servers, like this:
Edge/RP Combo Cert
CN: sip.domain.com
SAN: sip.domain.com, webconf.domain.com, lyncwebexternal.domain.com, *.domain.com
Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP -
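To make the wildcard rule in the reply above concrete, here is an added Python check (not from the post, nor from Microsoft or Polycom) that tests a planned certificate's CN and SAN list against the external names a Lync deployment needs. It applies single-label wildcard matching the way browsers and RFC 6125 do (`*.domain.com` covers `meet.domain.com` but not `a.b.domain.com` or `domain.com`), and a `wildcard_capable` switch models a client, like the older Lync Phone Edition firmware mentioned, that ignores wildcard entries. The name lists, the `LYNC_EXTERNAL_NAMES` set and the function names are constructed from the thread.

```python
def name_covered_by(name, cert_name):
    """True if `cert_name` (a CN or SAN entry) matches `name`.
    A wildcard is honoured only in the leftmost label and only for exactly
    one label, as browsers and RFC 6125 apply it."""
    name, cert_name = name.lower(), cert_name.lower()
    if not cert_name.startswith("*."):
        return name == cert_name
    suffix = cert_name[1:]                 # "*.domain.com" -> ".domain.com"
    if not name.endswith(suffix):
        return False
    leftmost = name[:-len(suffix)]
    return leftmost != "" and "." not in leftmost


def check_certificate(cn, sans, required, wildcard_capable=True):
    """Report which required names the certificate covers, which it does not,
    and warnings about CN placement.  `wildcard_capable=False` evaluates the
    certificate as a client that cannot process wildcard entries would."""
    warnings = []
    if cn.startswith("*"):
        warnings.append("wildcard in CN: clients without wildcard support "
                        "may fail before reading the SAN field")
    if cn not in sans:
        warnings.append("CN not repeated in SAN: clients that only read "
                        "the SAN field will not match it")
    usable = [s for s in sans if wildcard_capable or not s.startswith("*")]
    covered, uncovered = {}, []
    for name in required:
        match = next((s for s in usable if name_covered_by(name, s)), None)
        if match is None:
            uncovered.append(name)
        else:
            covered[name] = match
    return {"covered": covered, "uncovered": uncovered, "warnings": warnings}


# Constructed from the thread: edge names plus the external web services
# FQDN and the SimpleURLs the reply says a wildcard can stand in for.
LYNC_EXTERNAL_NAMES = [
    "sip.domain.com",
    "webconf.domain.com",
    "lyncwebexternal.domain.com",
    "meet.domain.com",
    "dialin.domain.com",
]

# The "Edge/RP Combo Cert" from the reply above.
COMBO_CN = "sip.domain.com"
COMBO_SANS = ["sip.domain.com", "webconf.domain.com",
              "lyncwebexternal.domain.com", "*.domain.com"]


if __name__ == "__main__":
    for capable in (True, False):
        report = check_certificate(COMBO_CN, COMBO_SANS,
                                   LYNC_EXTERNAL_NAMES, wildcard_capable=capable)
        print(f"wildcard_capable={capable}: uncovered={report['uncovered']}")
        for warning in report["warnings"]:
            print("  warning:", warning)
```

Running it with `wildcard_capable=False` is the useful case: the names that drop out of the covered list are exactly the ones that must be added as explicit SAN entries if such clients are in scope.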
ASA Dynamic Access Policies Issues
Hi
I have created a simple DAP to match a specific tunnel group (AAA attribute) and also to match endpoint attributes matching AnyConnect client version 3.1.xx and OS as Win7. When I test the DAPs on ASDM, I see that the custom one I created is selected. However, when I actually connect from a client matching the specified AAA and endpoint attributes, the selected DAP is the default one. My aim is to be able to match custom DAPs for different connection profiles (I plan to configure more later) so I can then set the action on the default DAP to terminate, but I seem to be stuck on this.
I have looked at my config over and over again, and I guess if the solution could bite me, it would have, but I can't seem to find what I need to do to fix this.
Appreciate any and every help here
Seyi
========
Test DAP
========
DAP_TRACE: DAP_open: 778B5E18
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
DAP_TRACE: name = endpoint["anyconnect"]["clientversion"], value = "3.1.03103"
DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
DAP_TRACE: name = endpoint["os"]["version"], value = "Windows 7"
DAP_TRACE: Selected DAPs: ,POLICY-RSA
DAP_TRACE: dap_process_selected_daps: selected 1 records
DAP_TRACE: dap_aggregate_attr: rec_count = 1
DAP_TRACE: dap_comma_str_fcn: [,] 1 128
DAP_TRACE: DAP_close: 778B5E18
========================
Actual Client Connection
========================
DAP_TRACE: DAP_open: 79E0EA38
DAP_TRACE: Username: user1, aaa.cisco.grouppolicy = POLICY-RSA
DAP_TRACE: Username: user1, aaa.cisco.username = user1
DAP_TRACE: Username: user1, aaa.cisco.username1 = user1
DAP_TRACE: Username: user1, aaa.cisco.username2 =
DAP_TRACE: Username: user1, aaa.cisco.tunnelgroup = POLICY-RSA
DAP_TRACE: Username: user1, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: user1, DAP_add_AC:
endpoint.anyconnect.clientversion="3.1.03103";
endpoint.anyconnect.platform="win";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
DAP_TRACE: name = aaa["cisco"]["username"], value = "user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="user1"
DAP_TRACE: name = aaa["cisco"]["username1"], value = "user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
DAP_TRACE: name = aaa["cisco"]["username2"], value = ""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"
DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: user1, DAP_close: 79E0EA38
Hi Seyi,
The problem lies here, if you check the output of the debug dap trace of the client PC, which is as follows:
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
I don't see it looking for an OS version check.
Ideally it should, and this entry should have been in the debug dap trace:
endpoint["os"]["version"], value = "Windows 7"
And in the DAP policy that you have created you have mentioned 2 endpoint attributes to be checked, which are as follows:
endpoint.anyconnect.clientversion, value = "3.1.03103"
endpoint["os"]["version"], value = "Windows 7"
Since it is not matching both the endpoint attributes, it is falling back on the DfltAccessPolicy.
Please let me know the host scan image that you have got.
Try with the hostscan_3.1.03103-k9.pkg.
And then check.
HTH
Regards
Raj Kumar -
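The diagnosis in the reply above (the client trace never reports `endpoint.os.version`, so a DAP that requires it can never match and the ASA falls back to `DfltAccessPolicy`) can be checked mechanically. The following Python is an added example, not code from the thread or from Cisco: it reads the attribute tree out of `debug dap trace` output, evaluates a DAP record against it and names the attributes that were missing or mismatched. The two trace samples are abbreviated copies of the ones in the post; the `POLICY_RSA` record is my model of the DAP described (one AAA attribute and two endpoint attributes, all required, which assumes the ASDM "all" match type), and `parse_dap_trace`, `evaluate_dap` and `select_dap` are names I chose.

```python
import re
from fnmatch import fnmatch

# Abbreviated from the "Test DAP" run in the post: ASDM's test feeds the
# attributes you type in, including endpoint["os"]["version"].
TEST_TRACE = """\
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
DAP_TRACE: Selected DAPs: ,POLICY-RSA
"""

# Abbreviated from the "Actual Client Connection" run: the client only
# reported what AnyConnect itself knows, with no OS version attribute.
CLIENT_TRACE = """\
DAP_TRACE: Username: user1, aaa.cisco.tunnelgroup = POLICY-RSA
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
"""

# Both line shapes seen in the trace carry a path=value pair after the colon.
TREE_RE = re.compile(
    r"(?:dap_add_to_lua_tree|dap_install_endpoint_data_to_lua):"
    r"(?P<path>[^=]+)=(?P<value>.*)$"
)


def _dotted(path):
    """aaa["cisco"]["tunnelgroup"] -> aaa.cisco.tunnelgroup (dotted paths pass through)."""
    return re.sub(r'\["([^"]+)"\]', r".\1", path.strip())


def parse_dap_trace(trace):
    """Collect every attribute the ASA installed into the Lua tree for this
    session, keyed by dotted path, with surrounding quotes removed."""
    attrs = {}
    for line in trace.splitlines():
        m = TREE_RE.search(line)
        if m:
            attrs[_dotted(m.group("path"))] = m.group("value").strip().strip('"')
    return attrs


# Model of the DAP in the thread (assumption: "all" match type, so every
# criterion must be present and match; shell-style globs allowed in values).
POLICY_RSA = {
    "name": "POLICY-RSA",
    "criteria": {
        "aaa.cisco.tunnelgroup": "POLICY-RSA",
        "endpoint.anyconnect.clientversion": "3.1.*",
        "endpoint.os.version": "Windows 7",
    },
}


def evaluate_dap(dap, attrs):
    """Return (selected, missing, mismatched) for one DAP record.  An
    attribute that the endpoint never reported is listed as missing, which
    is the case the reply above points at."""
    missing = [k for k in dap["criteria"] if k not in attrs]
    mismatched = [k for k, pattern in dap["criteria"].items()
                  if k in attrs and not fnmatch(attrs[k], pattern)]
    return (not missing and not mismatched), missing, mismatched


def select_dap(daps, attrs, default="DfltAccessPolicy"):
    """Names of all DAPs that match, or the default policy when none do,
    mirroring the 'Selected DAPs' line of the trace."""
    selected = [d["name"] for d in daps if evaluate_dap(d, attrs)[0]]
    return selected or [default]


if __name__ == "__main__":
    for label, trace in (("Test DAP", TEST_TRACE), ("Actual client", CLIENT_TRACE)):
        attrs = parse_dap_trace(trace)
        _, missing, mismatched = evaluate_dap(POLICY_RSA, attrs)
        print(f"{label}: selected={select_dap([POLICY_RSA], attrs)} "
              f"missing={missing} mismatched={mismatched}")
```

Run against the client trace, the `missing` list contains only `endpoint.os.version`, which is the attribute that HostScan supplies and the bare AnyConnect client does not; that is the concrete check behind the advice to look at which HostScan image is installed.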
UTL_HTTP and client certificate request
I am hoping that someone can help me. We have a web site that we need to hit and pull the html code back from the pages and we have the code to get what we need but the website now has an option where it requests a client certificate from a user for authentication or if you cancel the request it will then ask you for username and password. I cannot figure out how to submit a cancel on the client certificate request so that my application can submit the username and password authentication. Does anyone have an idea or example to do this? Also if you submit a bad certificate it will prompt you for authentication. So if someone knows how to submit client certificates that would be helpful as well.
Thanks in advance.
I've never faced this issue but you might want to look at using UTL_TCP rather than UTL_HTTP.
http://www.psoug.org/reference/utl_tcp.html