Support for Cisco VPN "mutual group authentication"

Hi,
Does anyone know of support plans for Cisco VPN mutual group authentication in the built-in VPN client on MacOSX?
Thanks,
John

I would like to know the answer to this as well.
Thanks,
Josh

Similar Messages

  • Certificate authentication for Cisco VPN client

    I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared pass. This works fine. But in order to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
    I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. failed to generate signature, invalid remote signature id. I have tried using different signatures (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).
    Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.

    Dear Doug,
    What ASA code are you running on the ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you determine whether you need to procure a license for your hardware. By default your hardware will be shipped with the AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.
    With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.
    1)  What is the AnyConnect Essentials License?
    The AnyConnect Essentials is a license that allows you to connect up to your 'Total VPN Peers' platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the AnyConnect Essentials License, you can only use AnyConnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
    You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          :  Enabled
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    AnyConnect VPN configuration:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

  • AnyConnect for Cisco VPN Phone Spanless recording?

    I'm looking to add this to my existing ASA5520.
    Does AnyConnect for Cisco VPN phone support spanless recording?
    If not what options are there?
    Thanks,
    Mike

    Hi there,
    Did you try
    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=717
    Cheers!
    Rob
    "Why not help one another on the way" - Bob Marley

  • AnyConnect for Cisco VPN Phone demo license

    I want to test VPN Phone on the ASA5520, but "show ver" shows "AnyConnect for Cisco VPN Phone : Disabled". At www.cisco.com/go/license I didn't find where to register an AnyConnect for Cisco VPN Phone demo license. How do I apply for the demo license?
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5520 VPN Plus license.

    Hi there,
    Did you try
    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=717
    Cheers!
    Rob
    "Why not help one another on the way" - Bob Marley

  • Android tablets supported for Cisco Jabber for Android 10.5 ?

    Is there a list of tablets supported for this release?
    The release notes only include smartphones.
    Another question is about the Android client version: on Google Play there is an old version, but not 10.5. Any reason for this?
    Thanks in advance.

    The tab listed for support is " Google Nexus 10 (Android OS 4.4.x) ". Please refer to the following link for more information;
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_5/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber_chapter_011.html#CJAB_RF_D3CF90B1_00
    Quoting the following link: https://play.google.com/store/apps/details?id=com.cisco.im&hl=en ; we have got the J4A 10.5 listed on the Play Store.
    - Please rate if this helps.

  • What to support for Cisco IP Phone 7912?

    Dear all, please help me!!!
    I have a 7912 IP phone and am using Cisco CME on a 1760, but I do not see the 7912 IP phone type in telephony-service there. Is it true that the 7912 IP phone is not supported on Cisco 1760 CME? And is there support for the Cisco 7912 IP phone? Is the telephony-service configuration the same as the telephony-service configuration for the 7940 IP phone?
    Please help me!!!

    Hi to all,
    Please, I need some advice. I tried to reset a Cisco IP Phone 7912 to factory defaults and I failed.
    Please can you help me?
    Thanks a lot!
    Hugo Baez

  • Cisco Prime LMS 4.1 - Support for Cisco Catalyst 3560-C Series Switches

    Hello all,
    I have a customer who uses the following switch. Last year I installed LMS 4.1 for him to manage the switches. Unfortunately the switch model is not supported. According to the information found on the following site the switch is supported for most of the modules in LMS:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/device_support/table/lms41sdt.html
    The oid object of the device is the following: 1.3.6.1.4.1.9.1.1465
    Supported Software: 12.2(55)EX (Customer has 12.2(55)EX3)
    Version Support Type: Device Update
    So I updated all device updates I was able to find.
    Step 1: For that I went to Admin > System > Software Center > Schedule Device Downloads and created a job where I have downloaded the latest versions of all packages.
    Step 2: Installed the downloaded packages Admin > System > Software Center > Device Update and installed all the packages.
    Unfortunately I don't see the same result as described in the Supported Device Table for LMS 4.1.
    - Cisco View -> works
    - Inventory and Config Collection -> works
    - Fault Monitor not working -> Error Code Unsupported
    - Network Topology Layer 2 Services -> Device Type ciscoProducts.1465, Symbol Question Mark
    - VLAN Management -> Doesn't work
    - User Tracking > seems also not to work
    When I open the report for supported devices (Reports > System > Device Support) and search for C3560C... I find the following devices, but not the one I need:
    C3560C-8PC-S     .1.3.6.1.4.1.9.1.1466
    C3560CG8PC         .1.3.6.1.4.1.9.1.1317
    C3560CCG8TC     .1.3.6.1.4.1.9.1.1318
    wsC3560CPD8ptS     .1.3.6.1.4.1.9.1.1368
    Does anybody have experience with the same switch type / model? Am I doing something wrong or is this type of switch not implemented correctly so far? In that case the supported devices documentation would be wrong.
    Thanks for any feedback Erich

    Thanks but I just heard back from my Cisco SE and he assures me that an AP will NOT use up a license.
    I've asked him to verify his answer for me.
    Is your answer based on real world experience (the best there is)?  That is, are you running Prime LMS 4.1 and does it indeed use up a license for each light-weight AP it discovers & manages?
    Thanks for mentioning options 1-3 but I do not wish to employ any of them.  I don't mind buying the additional licenses for APs ... I just need to know if I have to or not.
    Ian.

  • Are attributes needed for cisco vpn 3005

    Hey all,
    I am trying to set up radius authentication for my Cisco 3005. I am using
    BM 3.8sp3 radius. I have it set up (or at least I can use NTradping and
    authenticate to it).
    I go to the 3005 and add the radius server as authentication server. When I try to
    test it, I get the following message on the concentrator:
    Authentication Rejected: Access hours restrictions in effect
    Looking at the debug screen of the radius server, all has succeeded. Is
    there a profile that I need to setup and any attributes to assign to get
    this to work?
    Thanks
    Matt

    I found the answer to my last question, you do need xauth for radius
    > I think I found it. To test authentication I think it uses the base group.
    > I did have a time restriction on there.
    >
    > Now for another question: I am testing certificate based authentication
    > and it is working (Using a Novell CA). To get radius authentication to
    > work in conjunction with that. Do I need to use an SA that uses
    > Certificates and XAuth?
    >
    > Thanks
    > Matt
    >
    > > [email protected] wrote:
    > > > I don't have any time restrictions in place. But just in case I set some
    > > > up and applied those and I still get the same message.
    > > >
    > > > I applied the access time to both a group and the individual user. My
    > > > question I have is where would those be applied seeing that the user is
    > > > being authenticated via an external reference.
    > > >
    > > > Thanks
    > > > Matt
    > > >
    > >
    > > Matt,
    > >
    > > Try to test with a user not a group, make sure you don't have any time
    > > restrictions on the NDS user and also no Policy Management on your
    > > concentrator.
    > >
    > > > I applied the access time to both a group and the individual user.
    > > In the vpn concentrator?
    > >
    > > > My question I have is where would those be applied seeing that the user is
    > > > being authenticated via an external reference.
    > >
    > > Radius authentication uses the NDS (well you can configure this also
    > > otherwise as a radius proxy..).
    > > When you configure the NDS user with logon restrictions, I'm pretty sure
    > > that you won't be able to access your network through the concentrator.
    > >
    > > If you want to restrict the access to your vpn concentrator then you have
    > > to use the policy based management of your vpn concentrator.
    > >
    > > You can set access hours on the groups created on the vpn concentrator,
    > > and through radius you can send attributes that will be used to identify
    > > which group the user will be put in when the user is authenticating to the
    > > vpn concentrator.
    > >
    > > Hope this makes sense....
    > >
    > > gl,
    > >
    > > Louis Göhl
    >

  • Are the SG500P SMB switchs supported for Cisco Network Assistant?

    Hi, we need to enroll some SG500-28P switches to a CNA. Is this possible? I suppose that the CDP feature allows this. Actually, I have installed CNA Ver. 6.0. Thanks in advance.

    Hello Fernando,
    Thank you for visiting the Cisco Support Community! 
    Here is a list of all the devices supported by the Cisco Network Assistant for the 6.0 version and later. Many of the 500 series switches, including the SG500-28P Managed Switch, are supported by the CNA. This page will also give you any additional information you may need such as the features of the CNA 6.0 version, any system requirements, and more. 
    If this post was helpful, please remember to mark this question as resolved to help others in the community! If you have any further questions, please do not hesitate to ask!
    Best,
    LP

  • CLI support for Cisco SG100D-05 5-Port Gigabit Desktop Switch

    I would like to know if the SG100D series of switches support the CLI? If not what are the series of switches supported by the CLI.
    I am looking for an application where I need to tell which device is connected to which port on a switch. Hence I am looking at this option where I can run a script and use CLI to output the MAC id of devices connected on each port.
    Thanks!

    Hi Yiu Kay Lee,
    Thank you for sending me this document. It was very helpful. But I cannot understand one thing about it. Is it possible to extract the results from the CLI by passing a command via a script e.g. Python and get the results of it into Python?
    For e.g.
    ************Python script ******************
    >>print("send command to 200 series Cisco switch")
    >> results = show mac-addr-table
    >> print results
    Please let me know if such interfacing with the CLI is possible or not?
    Thanks

  • Cisco SF302-08P (SRW208P-K9-NA) Support for Cisco IP 7942 Phones

    Hi All,
    I am looking at quoting the SF302-08P for a client which will have three small offices interconnected via single mode fiber. I am planning on connecting them to a 3560 switch. Each office will have no more than 3 - 7942 phones. I reviewed the notes on this switch and it seems it should support this phone type without any issues. Could you advise if you have run into any support/reliability issues with this switch and the 7942s?
    Thank You,

    Hi RevereORL,
    My concern is there are;
    slight nuances or differences between the CLI configuration on the SG300 compared to the Catalyst range.
    I am also very very slightly concerned about post sales support interaction between TAC and SBSC, but these days there is much more cross talking between these two support groups.
    Different SFP SKU's for fiber connectivity GLC- series for catalyst and MGB series on 300, even though I have no issue with plugging the GLC SKU's into my 300 series product.
    The SF302-8P has a POE budget defined as 62W across all 8 ports or 62watts / 8 ports= 7.75 approx watts that can be drawn from each port.
    With the software upgrade to 1.1.1.8 the 300 series now also supports pre-standard POE as well as 802.3af, so power should not be an issue.
    I guess the beauty of buying from a distributor, and keeping the packaging, is that you can validate your application.
    Give it a try.
    regards Dave

  • Cisco prime 2.1 / 2.2 support for Cisco ise 1.3 ?

    Hi, I just tried to connect Cisco PI 2.1 to Cisco ISE 1.3, but it fails.
    I read the release notes; only ISE 1.2 is supported.
    But I was wondering that the SSL handshake fails (I have done a packet capture).
    So PI 2.1 has not tried to connect to ISE 1.3 via API, because the connection fails at the SSL handshake stage.
    Anyway, does anybody know if ISE 1.3 will be supported with PI 2.2 or a version of PI 2.1.x?

    Why doesn't the REST API communication in Prime 2.1 (2.1.0.0.87) support TLS? The platform itself seems to be able to handle TLS-DHE-RSA with AES-128-CBC-SHA. Why is it trying to use SSLv2?
    This protocol is incompatible and very much outdated: http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0
    Can this behaviour be reconfigured in the CLI or at least be allowed in ISE 1.3 as a workaround until a working patch or upgrade is done? Could or should adding the Cisco Prime server as a managed node in ISE circumvent the incompatibility?

  • Error Compilation MIBs Supported for Cisco UCS C-series software release 1.4(3) and later releases on IBM Director 6.3.2

    Hi,
    I have an IBM Director 6.3.2 on a Windows Server 2008R2.
    I am trying to install the MIB to manage a Cisco UCS C-460 server.
    I downloaded the MIB from the Cisco FTP.
    The file extension was my. I changed it to .mib. For the moment I have succeeded in importing some of them.
    But when I try to install Cisco-Unified-Computing-TC-MIB, I get the error in the attached file.
    How can I fix this issue...

  • Nokia Lumia support for Cisco WLC

    Dear All,
    I am using Cisco Wireless LAN Controller 4404 in my network, All devices (Laptops, samsung mobile phones, Iphone, HTC, etc) are connecting and working perfectly but NOKIA Lumia mobile phone is unable to connect.
    Is there any hotfix for WLC available? please advise
    Regards,
    Junaid

    Please find below debug details, I started debugging the device by command debug client (client mac) and then tried to connect the device.
    *dot1xMsgTask: Sep 25 12:14:03.096: ec:f3:5b:d3:99:20 dot1x - moving mobile ec:f3:5b:d3:99:20 into Connecting state
    *dot1xMsgTask: Sep 25 12:14:03.097: ec:f3:5b:d3:99:20 Sending EAP-Request/Identity to mobile ec:f3:5b:d3:99:20 (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Sep 25 12:14:03.148: ec:f3:5b:d3:99:20 Received EAPOL START from mobile ec:f3:5b:d3:99:20
    *Dot1x_NW_MsgTask_0: Sep 25 12:14:03.148: ec:f3:5b:d3:99:20 dot1x - moving mobile ec:f3:5b:d3:99:20 into Connecting state
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.035: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.076: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    *Dot1x_NW_MsgTask_0: Sep 25 12:16:05.112: apfGetRsnIE: Processing WPA/RSN IE type 48, length 56 processed only 38 bytes
    And on cell phone it shows the following message:
    connection unsuccessful,
    the credentials provided by the server couldn't be validated,
    I tried to connect it without any encryption and it got connected successfully, issue only on wpa2-Enterprise.
    Please advise,,,
    Regards,
    Junaid

  • Mac Lion can't connect to Cisco VPN with RSA authentication

    Hello,
    We have a problem with a manager who has upgraded his Mac to the latest Lion OS (64 bit). Before upgrading he could connect without any problem with his Mac to our network and work on the terminal server. Since the upgrade he's not able to get it working in 64 bit (normal) mode.
    This is our setup:
    Cisco  PIX 515
    RSA Cisco Pix security Appliance.
    Does anybody have any advice to get this setup working?
    Regards

    Hi Raymond,
    We have encountered the same issue with one of our sales directors; the upgrade to Mac OS X Lion breaks the VPN IPsec connection. We have tried various types of tuning with no success.
    Finally, as a workaround, we have installed the AnyConnect client and it works fine now.
    Vincent
