RADIUS, CERTIFICATES, and a newb....

Ok,
So for the past like 5 hours I have been trying to get my RADIUS Server to work with my Airport Extreme.
I have a Self-Signed Root Certificate from my leopard server. I have RADIUS setup to use that cert. It works fine on the server, but I have no clue how to get the certificate from there onto the client machines.
I see the certificate in Server Admin, but that's where I am stuck...
Hopefully someone can help me out here!!
Thanks,
Greg

I've been disappointed with RADIUS and I've switched to WPA2 Personal until improvements are made or someone can provide clear instructions on how to make it work in both Leopard and Windows XP. By work I mean login credentials are actually used and DHCP service is provided without turning Airport on and off several times. I haven't been able to establish a connection through Windows XP. If you don't use Fast User switching or use manual TCP/IP configuration (or have more patience than me), the RADIUS service might be satisfactory.
Here's a method to get your certificate to a client computer. I can't help with a more efficient method for large numbers of clients. Log in as administrator on the client computer and open a terminal.
Replace admin with the shortname of your admin if it differs and myserver and mydomain of course.
ssh [email protected]
Replace * with the name of your certificate.
rsync -av /etc/certificates/*.crt [email protected]:"~/Desktop"
Double click the *.crt file on the desktop and follow through the dialogs to add it to system keychain.

Similar Messages

  • AnyConnect SSL-client Certificate AND AAA RADIUS

    Hi All,
    I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
    I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
    Here are some relevant log messages I'm getting:
    Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
    Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
    Certificate chain was successfully validated with warning, revocation status was not checked.
    Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
    Device completed SSL handshake with client outside:72.91.xx.xx/42501
    Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
    Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
    Relevant Config:
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    authentication-server-group RADIUS
    default-group-policy GroupPolicy1
    tunnel-group SSLClientProfile webvpn-attributes
    authentication aaa certificate
    radius-reject-message
    pre-fill-username ssl-client
    group-alias SSLClientProfile enable
    group-url https://URL enable
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    wins-server none
    dns-server value <ip1> <ip2>
    vpn-tunnel-protocol ssl-client
    default-domain value xxxxxxxx
    address-pools value VPNPOOL
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.102.242
    key *****
    aaa-server RADIUS (inside) host 192.168.240.242
    key *****
    ASA version 8.4
    What am I doing wrong? It will not send the request to the AAA server, very much frustrating me...

    Progress....
    I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

  • Radius certificate problems...

    Hello,
    I am using AirPort Extremes with Radius configured in Mac OS X Server 10.6. Authenticating works, but only with a certificate error on the clients. So I purchased a certificate and installed it (including the intermediate certificate in the System Keychain). But I keep getting a certificate error; on my iPhone, for example, I get a display with: "Not Verified", however in the server Certificates page it says: "This certificate is valid". When I use the same certificate on the Web service with SSL, there seems to be no problem at all. See http://www.sslshopper.com/ssl-checker.html?hostname=api.serverdensity.com#hostname=core.hondsrugcollege.nl
    I tried several certificates: Comodo, Thawte and now GeoTrust. Neither worked, with Radius. Not with iPhone, not with Windows clients. With Windows clients I got this error when connecting via Radius:
    The Credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to security risk by a possible rogue server.
    Radius Server: core.hondsrugcollege.nl
    Root CA: GeoTrust Global CA
    The server "core.hondsrugcollege.nl" presented a valid certificate issued by "GeoTrust Global CA", but "GeoTrust Global CA" is not configured as a valid trust anchor for this profile. Further, the server "core.hondsrugcollege.nl" is not configured as a valid NPS server to connect to for this profile.
    What should I do to troubleshoot this?
    Message was edited by: Cybex

    One of the key terms I can see in your post is 'Trust Anchor'. Have a search around about this and it may just shed some light.
    In a Windows wireless client setup using 802.1x you may notice a screen in the wireless profile setup with a tick box saying 'Validate Server Certificate'. Underneath there you need to select the Trusted Root Authority certificate to use to validate the certificate you have installed. There must be something similar in MacOS and iOS. Alternatively you could untick the 'validate...' check box and the problem should go away, but you are likely reducing security by doing this.
    Sorry I can't help with specifics but hopefully I've pointed you in a direction that can solve the issue.
    Message was edited by: AdventureMatt

  • Radius certificate

    Is there a method for adding a radius certificate without using profile manager?
    I used to under System Preferences:Network:802.1x be able to hit a plus sign and add a system or login cert.
    Plus button is gone
    Thanks,
    Ben

    I don't know that OD would help, I have od set-up and radius working on my 10.6 clients to our new lion server as was. I can't get brand new lion clients to work. Worse yet upgraded lion clients work fine.
    Another admin set-up a wifi network profile  to use with the profile manager. It has the wrong settings and I can't seem to figure out how to remove the erroneous wifi network.

  • Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?

    I've read this article on TechNet, but I couldn't understand the required values of SubjectAltName.
    https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
    For example, if I build following servers, what SAN needs ?
    It is happy to also tell me why.
    [ServerNames]
     AD DS Server:DS01
     AD FS Server:FS01
     Web Application Proxy Server:PRX01
     SharePoint Server(WFE):WFE01
     SharePoint Server(APL):APL01
     SQL Server:DB01
    [AD DS Domain Name]
     contoso.local
     (Please be assumed that above all servers join this domain)
    [Site collection strategy]
     using a host-named site collection
    [Primary web application URL]
     https://sps.contoso.com
    Thanks.

    Hi,
    From your description, my understanding is that you have some doubts about SAN.
    If you have a SAN, you can leverage it to make SharePoint a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. You could refer to this blog:
    http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san. You could find what SAN needs from the part "Some SAN Basics" in this blog.
    These articles may help you understand SAN:
    https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
    http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
    http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
    Best Regards
    Vincent Han
    TechNet Community Support

  • Multiple additional SIP domains - certificate and DNS requirements

    We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
    This is working successfully internally, externally and through Lync Mobile.
    However, we've only enabled users who are using the main company domain for SMTP and SIP addresses aaaaa_group.com (so all nice and easy so far!)
    In other words, user A has a primary SMTP and SIP address of
    UserA@aaaaa_group.com
    However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc etc
    There must be in excess of 40 to 50 of these other domains in use as primary SMTP addresses.
    (Nearly all these users have secondary SMTP addresses of aaaaa_group.com).
    I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
    I know from reading that wildcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility as the phone Lync clients don't accept them.
    Wildcard certificates aside, what are the names that I will need to add to my SAN certificates? Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
    The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull. However, I still need to report back with a cost of doing this, no matter what it is.
    Any thoughts/comments would be very welcome. :-)

    Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates, it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards. So you may be able to use wildcards, but do plenty of research on how to approach this. Here are some articles to get started:
    http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
    http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
    That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
    For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field.
    sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
    The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal FQDNs, and the Reverse Proxy certificate will require the lyncdiscover FQDNs.
    For Exchange Server you'll need to add an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry. The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary SIP domain only as these FQDNs will be passed in-band to the clients after they have successfully signed in to Lync. Unless you need users to all use their own domain names for the SimpleURLs (which it does not sound like in your scenario) then you'd have to add all those as well.
    So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work. And even if you do have some of those devices you could simply add the 40-50 sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURLs, etc. Just make sure that the certificate's Common Name (e.g. Subject Name) is NOT the wildcard entry, use the primary domain name entry in the CN and then place the wildcard entries in the SAN field. It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
    For example:
    Edge Server external certificate
    Common Name: sip.domain1.com
    Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com, etc...
    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

  • Since the most recent Firefox update 3.6.8 by banking institution no longer shows as having a secure encrypted connection, however, my bank assures me all is well with their certificates and that is a problem with the new Firefox browser update, can you g

    Since the most recent Firefox update 3.6.8 my banking institution no longer shows as having a secure encrypted connection, however, my bank assures me all is well with their certificates and that is a problem with the new Firefox browser update, can you give me some idea why it is doing this?
    == This happened ==
    Every time Firefox opened
    == Right after the new Firefox update

    Hello Anne.
    Can you please try it in a new (temporary) Firefox profile and see if the issue is still present? See [http://support.mozilla.com/en-US/kb/Managing+profiles this article] to know how to create a new Firefox profile. Please report back the results.

  • Config certificate and log issues

    I config certificate and use it to connect ipsec vpn , I just config    
    jinan-neusoft(config)#ip domain-name neusoft.com
    jinan-neusoft(config)#crypto key generate rsa general-keys
    The name for the keys will be: jinan-neusoft.neusoft.com
    Choose the size of the key modulus in the range of 360 to 4096 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.
    How many bits in the modulus [512]:
    % Generating 512 bit RSA keys, keys will be non-exportable...
    [OK] (elapsed time was 0 seconds)
    jinan-neusoft(config)#
    Nov 16 01:05:44.435:  RSA key size needs to be atleast 768 bits for ssh version 2
    jinan-neusoft(config)#
    Nov 16 01:05:44.435: %SSH-5-ENABLED: SSH 1.5 has been enabled
    jinan-neusoft(config)#crypto pki trustpoint CA1
    jinan-neusoft(ca-trustpoint)# enrollment url http://59.44.43.217:80
    jinan-neusoft(ca-trustpoint)# revocation-check crl
    jinan-neusoft(ca-trustpoint)# rsakeypair DMVPN-SY-KEY
    jinan-neusoft(ca-trustpoint)# auto-enrol
    jinan-neusoft(config)#crypto pki authenticate CA1
    Certificate has the following attributes:
           Fingerprint MD5: D5F9D56B 4D9A4260 43F21D39 811D7AD5
          Fingerprint SHA1: 1E49B228 DD57F4DB 43DD2C2F 03870C18 840DA12A
    % Do you accept this certificate? [yes/no]: y
    Trustpoint CA certificate accepted.
    Then I have log issues like below. Even though I configured auto-enroll, I don't get certificate pending information from my certificate server.
    My device is a C3925 and the IOS is c3900-universalk9-mz.SPA.151-4.M4.bin. How do I deal with it, top players? THX~~~~
    Nov 16 01:07:54.871: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
    Nov 16 01:07:54.951: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
    Nov 16 01:07:55.115: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
    Nov 16 01:07:55.115: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
    Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
    -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6
    jinan-neusoft(config)#D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
    Nov 16 01:07:55.119: %SYS-2-MALLOCFAIL: Memory allocation of 40 bytes failed from 0x6D05DEC, alignment 0
    Pool: Processor  Free: 731143916  Cause: Interrupt level allocation
    Alternate Pool: None  Free: 0  Cause: Interrupt level allocation
    -Process= "<interrupt level>", ipl= 3
    -Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z
    Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
    -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
    jinan-neusoft(config)#
    Nov 16 01:08:09.719: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
    Nov 16 01:08:09.879: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
    Nov 16 01:08:09.879: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
    jinan-neusoft(config)#
    Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
    -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
    Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
    -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
    jinan-neusoft(config)#

    I do not have the answer but have exactly the same issue, looks as if it is a bug of some kind :
    Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 980992K/67584K bytes of memory.
    Processor board ID FCZ163371P3
    6 FastEthernet interfaces
    3 Gigabit Ethernet interfaces
    1 terminal line
    1 Virtual Private Network (VPN) Module
    DRAM configuration is 72 bits wide with parity enabled.
    255K bytes of non-volatile configuration memory.
    250880K bytes of ATA System CompactFlash 0 (Read/Write)
    System image file is "flash0:c3900-universalk9-mz.SPA.151-4.M4.bin"
    Nov 16 07:37:16.611: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 358FF778 7C2E66AE 895BF088 BF022442
    .Nov 16 07:37:16.615: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 5F7A4300 20B62132 83D08C6E 2D315DF4 51EFE94D
    .Nov 16 07:37:16.623: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
    -Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
    .Nov 16 07:37:16.623: %SYS-2-MALLOCFAIL: Memory allocation of 72 bytes failed from 0x6D05DEC, alignment 0
    Pool: Processor  Free: 704933204  Cause: Interrupt level allocation
    Alternate Pool: None  Free: 0  Cause: Interrupt level allocation
    -Process= "", ipl= 3
    -Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z

  • ISE EAP-Chaining with machine, certificate and domain credentials

    Good morning,
    A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
    Corp. wireless to authenticate with 2-factor authentication:
    1. Certificate
    2. Machine auth thru AD
    3. Domain creds
    When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
    Clients are Windows laptops and corporate iPhones.
    Certs can be issued thru GPO and MDM for iPhones
    Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
    My first question is: can this be done?
    Second question: how would i implement this from an AuthC/AuthZ perspective?
    Thanks in advance,
    Andrew

    You can do this by configuring AnyConnect with NAM modules on endpoints! But I don't see the sense in configuring some clients with certificates and others with domain credentials...
    For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and I'm getting some problems. The first one I got with Windows 8: for some reason Windows was sending wrong information about the machine password, but I solved the problem by installing a KB on the Windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with Windows 7 machines, which are sending information correctly about the domain but wrong information about user credentials; in the ISE logs I can see that Windows 7 is sending user "anonymous" + machine name on the first login... After Windows 7 starts, if I remove the cable and connect again, the authentication and authorization happen correctly. I am still investigating the root cause and whether there is a KB to solve the problem as I did with Windows 8.
    Good luck and keep in touch.
    http://support.microsoft.com/kb/2743127/en-us

  • Trying to set up encrypted mails but I'm confused about certificates and keys

    Hello all,
    My first foray into encrypted emails and I'm already confused! To begin with, I'm trying to exchange mails with one other person, who I believe uses Outlook. So far:
    He's sent me his certificate (although I thought I would receive his public key) which is a file called smime.p7m. I don't know what to do with this.
    I've successfully followed the instructions at https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages. When I start a new mail, I can either go to the Enigmail menu and switch on encryption / digital signing and it seems fine, or I can go to the dropdown on the S/MIME button and it says "You need to set up one or more personal certificates before you can use this security feature." Are these two different ways of doing the same thing (in which case I'll use the one that works!) or not?
    As you can see, I'm getting confused between keys and certificates! If some kind person could take a minute to explain what my next steps are, that would be much appreciated. I couldn't find anything on the Thunderbird support pages, though I know I need to send him my public key.
    Thanks in advance.
    Stuart.

    Stuart8, good find, that article.
    I found the main disincentive to using the built-in S/MIME capability is that it's not immediately obvious where to get your certificate and keys. Most providers want $$$ for them, which is natural enough if they are actually going to validate you in some way. I did at one time have a Thawte certificate and even enough WOT vouches to be a low-grade WOT Attorney.
    Once you have your key, it's a bit of a pfaff to install it into Thunderbird. You'll probably find that S/MIME is the default in business correspondence, since many businesses operate their own mail servers, ftp servers and so on and probably have an arrangement to generate self-issued certificates or to buy them on a commercial basis from a CA.
    Enigmail/OpenPGP doesn't require any financial outlay on your part, but is harder to get your keys properly validated since there's not much of a formal WOT nor a reliable central registry. You generate your own keys and it's pretty much all based on mutual trust.
    Since the two systems are incompatible, you need to have set up the same as whatever your correspondent is using.
    I suspect that you have discovered that it's a two-way process. In order for a correspondent to send you an encrypted message, you must both be using the same system, and he must have your public key to encrypt his message, and you'll need his in order to reply with encryption. So yes, he needs to send you his public key for you to send to him, but what he sends to you needs YOUR public key.
    Obviously, signing messages is a useful halfway house. I believe that you sign with your private key, and the recipient will have to download your public key to validate your signature. Whilst a signature doesn't safeguard your privacy, it goes some way to proving that the message came from who it says it came from and that it hasn't been altered in transit. (I really can't understand why banks, lawyers, insurance companies haven't picked up on these encryption and signing schemes. Perhaps they actually prefer all those awful phone calls where you need to struggle to recall supposedly unforgettable names and dates! ;-) )
    In practice, I find that if you sign a message to an outfit who don't know what to do with it, their numpty anti-virus system will probably barf on the signature which it thinks is executable code and therefore must be a virus or worm. :-(

  • When i try to access my hotmail, i always get "view certificate" and i can not get to my email.

    every time i try to get to my hotmail, i get a message "view certificate" and it would not allow me to get to email from hotmail. and if i can sign in rarely, i can not sign out.
    == This happened ==
    Every time Firefox opened
    == i try to sign in to my email

    My fiancee had the same problem with her laptop. Try making sure your time/date are set correctly. Other than that, I'm not sure. It worked for her, hope it works for you! :)

  • Step Through a List of .p12 Certificates and Their Passwords to Extract Property Data

    This is a follow-up question to my previous thread:
    http://social.technet.microsoft.com/Forums/en-US/58ca3098-e06d-419a-9465-1ae7973e1c04/extract-p12-property-information-via-powershell?forum=ITCG
    I understand how to extract the information for a certificate one-by-one, but I am wanting to write a powershell script that will step through a list of certificates and a list of their corresponding network passwords in order to extract their property data (i.e. expiration date, etc). Any suggestions?
    jrv helped me with the first part of my question by providing this script:
    PS C:\> $filename='c:\temp2\certs\jpd.cer'
    PS C:\> $cert=[System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromSignedFile($filename)
    PS C:\scripts> $cert|fl
    Happy Hunting!

    HINT:
    dir *.cer | %{ [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromSignedFile($_)}
    ¯\_(ツ)_/¯
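
An added example, not part of the thread above: one way to step through a list of .p12 files and their passwords in PowerShell and report each certificate's properties, continuing past files that fail to open. The CSV layout (Path,Password), the function name Get-P12Property and the file names in the usage comment are assumptions made for this illustration.

```powershell
# Added example. Assumed input: a CSV with the header "Path,Password", one row per .p12 file.
# The CSV holds secrets, so keep it readable by the operator only and delete it afterwards.
function Get-P12Property {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $ListPath,  # hypothetical CSV described above
        [int] $WarnDays = 30                                 # flag certificates expiring within this window
    )

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $now   = Get-Date

    foreach ($row in Import-Csv -LiteralPath $ListPath) {
        $cert = $null
        try {
            # Resolve first so a missing file gives a clear error instead of a crypto exception.
            $file = (Resolve-Path -LiteralPath $row.Path -ErrorAction Stop).ProviderPath

            # ConvertTo-SecureString rejects an empty string, so handle password-less files separately.
            if ([string]::IsNullOrEmpty($row.Password)) {
                $secure = New-Object System.Security.SecureString
            } else {
                $secure = ConvertTo-SecureString -String $row.Password -AsPlainText -Force
            }

            # Constructor overload: X509Certificate2(string fileName, SecureString password, X509KeyStorageFlags)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList $file, $secure, $flags

            [pscustomobject]@{
                Path          = $file
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                DaysLeft      = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
                ExpiringSoon  = ($cert.NotAfter -lt $now.AddDays($WarnDays))
                HasPrivateKey = $cert.HasPrivateKey
                Error         = $null
            }
        }
        catch {
            # Wrong password, missing or malformed file: record the failure and continue with the next row.
            [pscustomobject]@{
                Path          = $row.Path
                Subject       = $null
                Issuer        = $null
                Thumbprint    = $null
                NotBefore     = $null
                NotAfter      = $null
                DaysLeft      = $null
                ExpiringSoon  = $null
                HasPrivateKey = $null
                Error         = $_.Exception.Message
            }
        }
        finally {
            # Release the certificate and any key material that was loaded with it.
            if ($cert) { $cert.Reset() }
        }
    }
}

# Usage (file names are placeholders):
# Get-P12Property -ListPath .\p12-list.csv |
#     Sort-Object NotAfter |
#     Format-Table Path, Subject, NotAfter, DaysLeft, ExpiringSoon, Error -AutoSize
```

Rows whose Error column is filled in are the ones to recheck by hand, typically because the password in the list does not match the file.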

  • How to apply for a certificate and install saprouter SNC

    I am in the middle of an R2R build.
    I need first to apply for a certificate and then to install saprouter (on an amd64 win server)
    So I can download oss notes...
    Please help,
    Thankyou,

    The exact URL to apply for a certificate is service.sap.com/tcs. On the right side, you will see a link to SAProuter Certificates. Please use this to request a certificate.
    Regards

  • My company loaded profiles onto my iPad for email and calendars.. There is also a signing certificate and a certificate. What are these for? Additionally are they able to monitor apps and usage, ie Internet usage when it is not on their wifi?

    My company loaded profiles onto my iPad for email and calendars.. There is also a signing certificate and a certificate. What are these for?
    Additionally are they able to monitor apps and usage, ie Internet usage when it is not on their wifi?
    I do not have any VPN enabled?

    Do you happen to have an Android?  If so and depending on what version there is a great data usage analyse tool built-in.  See if you can go to Settings -> Data Usage  from there you can pick a current or previous billing cycle and then use the vertical sliders to select a date range and it will filter the usage data per app to show you exactly what app(s) were using data during that time frame.

  • Creating SSL certificate and configuring it with JBOSS 4.0.1

    I have to post some data to a secured site from my application.
    For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
    But, while creating the stream it is showing SSLException and message is No trusted certificate found.
    For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
    Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.

    I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
    See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum.
