Certificates for IPSEC vpn clients in ASA 8.0

Hello!
I have configured MS CA and i setup vpn client and ASA 7.0 to make tunnel with certificates.
Same configuration does not work with ASA 8.0 I get error
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15 | ..t...%...!>....
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Found a suitable authenticated trustpoint CA1.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage
(40)
CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve
revocation status if necessary
ERROR: Certificate validation failed. Peer certificate key usage is invalid, ser
ial number: 250F3ECE0000000009AF, subject name: cn=xxxxx,ou=xxxx,o=xxxxx,c=
xx
CRYPTO_PKI: Certificate not validated
Why the key usage is invalid? What certificate template must be used in MS CA in order to get a regular key usage?
The CA enrollement is terminal.
THANKS!

The cert needs to have the Digital Signature key usage set.
Not sure what templates are available on MS CA, but it should be something like "Ipsec user" I suppose.
To make ASA 8 behave the same as ASA 7 (i.e. disable th check on the cert's key usage), configure:
crypto ca trustpoint
ignore-ipsec-keyusage

Similar Messages

  • Configurate cisco ipsec vpn client at asa 5505 version 8.4

    Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
    please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
    thank you.

    are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
    what version of vpn client ?

  • Support IPSec VPN Client in ASA Multiple Context Mode

    I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
    "IPsec sessions—5 sessions. (The maximum per context.) ".  Does it mean in ASA Multiple Contest Mode support IPSec VPN Client? I just want to confirm it because I can't seem find any doc that clearly spell it out.  I'll appreciate anyone who can clarify it.
    Thank Jason.
    ( Please direct me to the right group if I'm not for the first time I post it in the Cisco support forum)

    This is from the v9.3 config-guide:
    Unsupported Features
    Multiple context mode does not support the following features:
    Remote access VPN. (Site-to-site VPN is supported.)

  • User from certificate with Cisco VPN client and ASA (and radius)

    Hello,
    we are trying to migrate a vpn client connection from GROUP to certificate. We want that client uses the user from the certificate and doesn't ask user, only password. Is it possible? Now, with user certificate, you can connect as another user if you know the user and the password of the other user with your own certifcate.
    Thanks!
    Santiago.

    mrbacklash wrote:
    Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
    I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
    Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
    Message was edited by: BobTheFisherman

  • Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
    Thanks again.

  • Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
    Thanks again.

  • Certificate authentication for Cisco VPN client

    I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
    I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
    Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.                    

    Dear Doug ,
              What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
    With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
    1)  What is the AnyConnect Essentials License?
    The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers"  platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
    You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          :  Enabled
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    Any connect VPN Configuration .
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

  • IPSEC VPN clients can't reach internal nor external resources

    Hi!
    At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
    Im pretty sure it's not ACL's, although I might be wrong.
    The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
    # Issue 1.
    IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
    When trying to access an external resource, the "translate_hits" below are changed:
    Auto NAT Policies (Section 2)
    1 (outside) to (outside) source dynamic vpn_nat interface
       translate_hits = 37, untranslate_hits = 11
    When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
    5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
        translate_hits = 31, untranslate_hits = 32
    Most NAT, some sensitive data cut:
    Manual NAT Policies (Section 1)
    <snip>
    3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
        translate_hits = 0, untranslate_hits = 0
    4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
        translate_hits = 0, untranslate_hits = 0
    5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
        translate_hits = 22, untranslate_hits = 23
    Auto NAT Policies (Section 2)
    1 (outside) to (outside) source dynamic vpn_nat interface
        translate_hits = 37, untranslate_hits = 6
    Manual NAT Policies (Section 3)
    1 (something_free) to (something_outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    2 (something_something) to (something_outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    3 (inside) to (outside) source dynamic any interface
        translate_hits = 5402387, untranslate_hits = 1519419
    ##  Issue 2, vpn user cannot access anything on internet
    asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Relevant configuration snippet:
    interface Vlan2
    nameif outside
    security-level 0
    ip address 1.2.3.2 255.255.255.248
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.0.0.5 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network anywhere
    subnet 0.0.0.0 0.0.0.0
    object network something_free
    subnet 10.0.100.0 255.255.255.0
    object network something_member
    subnet 10.0.101.0 255.255.255.0
    object network obj-ipsecvpn
    subnet 172.16.31.0 255.255.255.0
    object network allvpnnet
    subnet 172.16.32.0 255.255.255.0
    object network OFFICE-NET
    subnet 10.0.0.0 255.255.255.0
    object network vpn_nat
    subnet 172.16.32.0 255.255.255.0
    object-group network the_office
    network-object 10.0.0.0 255.255.255.0
    access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
    ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
    ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
    nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
    nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
    nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    object network vpn_nat
    nat (outside,outside) dynamic interface
    nat (some_free,some_outside) after-auto source dynamic any interface
    nat (some_member,some_outside) after-auto source dynamic any interface
    nat (inside,outside) after-auto source dynamic any interface
    group-policy companyusers attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol IPSec
    default-domain value company.net
    tunnel-group companyusers type remote-access
    tunnel-group companyusers general-attributes
    address-pool ipsecvpnpool
    default-group-policy companyusers
    tunnel-group companyusers ipsec-attributes
    pre-shared-key *****

    Hi,
    I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
    asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
    ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
    ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
    ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
    ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
    ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
    ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
    ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
    ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
    ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
    ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
    ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
    asa# show capture capo
    12 packets captured
       1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
       2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
       3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
       4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
       5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
       6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
       7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
       8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
       9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
      10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
      11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
      12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
    asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
    ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
    ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
    ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
    ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
    ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
    ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
    ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
    asa# show capture capi
    8 packets captured
       1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
       2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
       3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
       4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
       5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
       6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
       7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
       8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
    Packet-capture.
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.32.1     255.255.255.255 outside
    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any log
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7     
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    Additional Information:
    Static translate 10.0.0.72/0 to 10.0.0.72/0
    Phase: 9
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: VPN    
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_out out interface outside
    access-list outside_access_out extended permit ip any any log
    Additional Information:
    Phase: 12
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 5725528, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

  • Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

    This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

    Hi Guys
    I am having issues with the in built cisco vpn client on the mac, I am currrently using Mac OSx 10.7.4
    I have a Fortigate 200B device and have setup the IPSec VPN settings to have a keylife of 86400 seconds.
    However the expereince I am having with the mac clients is that after about 50 minutes the users are being asked to re-authencate to the VPN...
    When checkin the debug logs I can see that the peer (mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds which is 1 Hour...
    Usually in IPSec a re-negeotiation process takes place about 10 minutes or so before the key expires..
    My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
    Also want to be able to set logging to debug mode for the Racoon application on mac clients.
    Your help is much appreciated
    Kind Regards
    Mohamed

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • AAA static IP address for RA VPN Client

    Hi,
    my vpn group and VPN POOL  is locally created in Cisco VPN router but users are authenticated through ACS, AAA server via TACACS. Now I want to assign the static ip address to VPN Client. Everything is fine but due to the application problem I want to give them the static Ip address from the VPN Pool. I have greated one pool in AAA server and also configure the client in AAA to get the static ip address but unable to do this. Please help me out how to do this.
    My router is configured for TACACS+. I have checked the user configuration in AAA server to get the static ip address but it is not working. Please help me out how to do this. I cant change Router to Radius but this is my main router which is configured for 160 sites through ISDN and these sites also configured for TACACS+.
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2 
    crypto isakmp client configuration group Aviation-VPN
    key egntosc
    pool aviation-pool
    acl avi-tunnel
    save-password
    netmask 255.255.255.0
    crypto isakmp profile vpnclient
       match identity group Aviation-VPN
       client authentication list default
       isakmp authorization list Aviation-authorization
       client configuration address respond
    crypto ipsec transform-set aviset esp-3des esp-sha-hmac
    crypto dynamic-map avi 10
    set transform-set aviset
    set isakmp-profile vpnclient
    reverse-route

    Since you're using ACS, I believe the way to do this is to
    go into ACS, and select the username of the user that you want
    to get the static IP. Under that user's setup, there is an option to
    always assign the same IP. Just select that and enter the IP you
    want them to get. - chris

  • Issuing certificates for user and clients from different forest/domain

    Hello,
    at first I would like to say that I have made some researches on this forum and in the Internet overall.
    I have AD Forest with ~10 sites all over the Europe, DFL and FFL is 2008 R2, right now we are migrating site by site from old domain (samba) to AD.
    Last time I have deployed PKI based on offline root CA and 2 Enterprise acting as 2-node Failover Cluster.
    Everything in my AD Forest is OK, I mean, autoenrollment works perfect for users and computers from my forest, 
    now I need to deploy a certificate (for test) to one web-based pbx server in samba domain, there are no trusts etc. Samba domain as well as AD Forest are working on the same network, with routeable subnets in each site, so there is no problem with connectivity,
    What are possible way to achieve this goal? I mean to issue cert to client from different forest, so that this client is able to validate it, validate certificate chain and renew it when needed?
    I have Installed and Configured CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of different domain), I selected username/password authentication, I am able to request certificate, I can
    see all templates which I should see, but when I try to enroll I got an error:
    (translated from my language)A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
    My root CA cert is added to trusted publishers for computer and user node as well.
    What could be wrong? If you have any ideas or questions, please share or ask. 
    Thank you in advance.

    Everything is clear, I have Certificate Enrollment Web Services installed and configured,
    problem is what i get from certutil - TCAInfo
    ================================================================
    CA Name: COMPANY-HATADCS002-ISSUING-CA
    Machine Name: COMPANYClustGenSvc
    DS Location: CN=COMPANY-HATADCS002-ISSUING-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
    Cert DN: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
    CA Registry Validity Period: 2 Years -- 2016-03-04 12:20
     NotAfter: 2019-02-14 12:44
    Connecting to COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA ...
    Server "COMPANY-HATADCS002-ISSUING-CA" ICertRequest2 interface is alive (1078ms)
      Enterprise Subordinate CA
    dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_NT_AUTH
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 18 Days, 4 Minutes, 1 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 02:
        Issuer: CN=HATADCS001-COMPANY-ROOT-CA
        ThisUpdate: 2014-02-14 12:16
        NextUpdate: 2024-02-15 00:36
        d7bafb666702565cae940a389eaffef9c919f07a
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 11:55
      NotAfter: 2024-02-14 12:05
      Subject: CN=HATADCS001-COMPANY-ROOT-CA
      Serial: 18517ac8a4695aa74ec0c61b475426a8
      b19b85e0e145da17fc673dfe251b0e2a3aeb05e9
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Issuance[0] = 1.2.3.4.1455.67.89.5 
    Exclude leaf cert:
      5b309c67a8b47c50966088a4d701c8526072c9ac
    Full chain:
      413b91896ba541d252fc9801437dcfbb21d37d91
      Issuer: CN=HATADCS001-COMPANY-ROOT-CA
      NotBefore: 2014-02-14 12:34
      NotAfter: 2019-02-14 12:44
      Subject: CN=COMPANY-HATADCS002-ISSUING-CA, DC=COMPANY, DC=COM
      Serial: 618f3506000000000002
      Template: SubCA
      9e1bea4ffa648e5fe3e9f8c4be3c604c49af04e9
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
    Supported Certificate Templates:
    Cert Type[0]: COMPANYOnlineResponder (COMPANY Online Responder) -- No Access!
    Cert Type[1]: COMPANYWebServer(SSL) (COMPANY WebServer (SSL))
    Cert Type[2]: COMPANYUser(Autoenrollment) (COMPANY User (Autoenrollment))
    Cert Type[3]: COMPANYKeyRecoveryAgents (COMPANY Key Recovery Agents)
    Cert Type[4]: COMPANYEnrollmentAgent(Computer) (COMPANY Enrollment Agent (Computer))
    Cert Type[5]: COMPANYEnrollmentAgent (COMPANY Enrollment Agent)
    Cert Type[6]: COMPANYComputer(Autoenrollment) (COMPANY Computer (Autoenrollment)) -- No Access!
    Validated Cert Types: 7
    ================================================================
    COMPANYClustGenSvc\COMPANY-HATADCS002-ISSUING-CA:
      Enterprise Subordinate CA
      A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
      Online
    CertUtil: -TCAInfo command completed successfully.
    please put some light on it because it's driving me crazy :/
    Thanks in advance
    one remark: certutil -tcainfo performed on CA directly is 100% OK, no errors regarding 
    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • Generate Certificates for WLC and clients

    Hi Guys
    I've been working acording the following document to integrate my WLC 5508 with LDAP for internal users:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    However when I try to generate the device certificate on Windows Server 2012, I see the steps are different, for example when I reach the step 4 (of Generate a Device Certificate for the WLC section), the CA ask me for a Certificate Signing Request instead of Create and submit request to this CA option, as appears in the document.
    How do I get this? 
    Thanks in advance for your support!
    Marcelo

    Hi,
    If you are trying to get a device certificate for WLC, then you may need to use 3rd party software like openSSL for this.
    Below post may help you to see how you can do this
    http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Certificates for Server and Client to install . Pls advice

    I am doing File --XI --- File scenario with FTPS.
    Currently consider only File -- XI part now.
    We go point by point: for this link:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc
    Blog says:
    1. In the visual admin of XI make Server Public and Private keys.
    2. In the visual admin of XI make Client Public and Private keys.
    Suppose File Sender System is Server and XI is Client
    Questions:
    a. Do I need make Server Public and Private keys In the visual admin of XI ?
    b. Do I need make Client Public and Private keys In the visual admin of XI ?
    Generic Rule -- system1 sends its public key to system2 and  similarly system2 sends its public key to system1.
    c. For Export keys and Import keys as given in blog
    -- I am not able to get this part given from Page 38 - 41 of this blog.
    Pls advice me
    Regards
    Edited by: Henry A on Mar 3, 2008 1:07 PM
    Edited by: Henry A on Mar 3, 2008 1:08 PM
    Edited by: Henry A on Mar 3, 2008 1:54 PM

    Hi DecaXD,
    thank you for quick response :)
    on the client site i tried to establish the connection to the work repository with the following connection information:
    Login information*:
    Oracle Data Integrator Connection
    Login name = odi_server
    User = SUPERVISOR
    Database connection (Master Repository):
    User = odim
    URL = jdbc:oracle:thin:@<server ip>:1521:orcl
    A work repository could be found, but the connection failed! (?!)
    " ODI-26130: Connection to the repository failed.
    oracle.odi.core.config.NotWorkRepositorySchemaException: ODI-10147: Repository type mismatches.     
    Could not get JDBC Connection; nested exception is java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Invalid SQL-Query for validating the connection (+translated from german into english+) "
    my ODI configuration on the server site (loged in as: odiw):
    topology tab*:
    Physical architecture:
    Technology:
    Definition:
    Dataserver name = oracle_db_11gr2
    User = odiw
    JDBC-URL = jdbc:oracle:thin:@10.168.178.131:1521:orcl
    Datasource:
    Agent = OracleDIAgent
    JNDI-Name = [DataSourceName]
    Agents:
    Definition:
    Name = OracleDIAgent
    Host = <IP of the server>
    Port = 8001
    Webapplicationcontext = oraclediagent
    Datasources:
    Dataserver = oracle_db_11gr2
    JNDI-Name = [DataSourceName]
    Logical architecture:
    Technology:
    Defintion:
    Name = oracle_db_11gr2
    Context = aMIS_dev
    Physical schema = oracle_db_11gr2.ODIW
    Agent:
    Name = OracleDIAgent
    Context = aMIS_dev
    Physical agent = OracleDIAgent
    when i test the connection of the data server (topology>physical architecture>technology>oracle>oracle_db_11gr2) with the OracleDIAgent i receive the
    " ODI-26039: Connection failed.
    oracle.odi.runtime.agent.invocation.InvocationException: javax.naming.NameNotFoundException: Unable to resolve '[DataSourceName]'. Resolved ''; remaining name '[DataSourceName]' "
    since testing the connection on the server site failed in first place, i couldn't test the connection on the client site.

  • Windows Domain Controller certificate for non domain clients

    Hi,
    Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
    Regards

    Hi,
    Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
    Not sure that what you want to achieve here.
    However, yes, it is possible to export certificates (with private keys) from domain machines then import them to non-domain machines, and some certificates can even function well based on key usages. Please note that Domain Controller certificates are only
    meaningful to Domain Controllers. Possession of domain certificates doesn’t indicate machines are part of domain.
    Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Maybe you are looking for