VPN: Configuration loses SSL certificate
Hi there,
*The challenge.*
I'd like to conncet to our VPN netzwork with my MacBook Pro.
In my network configuration I choose my SSL certificate.
*The problem*
Each time i try to connect, i get stucked at the "identification" (Normaly i should get this "trust certificate dialog".
Having again a look into my network configuration the SSL certificate isnt select anymore.
*Please help!*
+// The SSL certificate passes severals tests on my windows-machine.+
Please help.
Not enough information, such as what VPN software you are using. For VPN issues, it almost always ends up that resolving the issue involves consulting with whomever manages the VPN.
Similar Messages
-
Our APEX Application need to connect the LDAP server for authentication. Our LDAP team provides the SSL certificate, We need to configure the SSL certificate in Database server. We require the steps for installing SSL certificate in Oracle Wallet manager using Orapki Command.
FYI: For calling LDAP server we are using DBMS_LDAP package.
Database version : 10G APEX version : 4.1
Thansk in Advance
Cheers,
Shanmugam,Hi Shanmugam,
Please refer the following:
orapki Utility
In addtion also refer:
ORACLE-BASE - Create Self-Signed SSL Certificates
Thanks &
Best Regards, -
IP phone SSL VPN configuration issue
Hello,
I am trying to configure the SSL VPN for the IP phone.
I am using the CM8.0.2 and 7975.
- I configured ASA and tested with my PC. PC can ping the CM.
- I uploaded the ASA cert as a Phone-VPN-trust
- I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
- I created a VPN gateway and typed URL and selected the cert
- I created the VPN group and added the VPN gateway to it.
- I created the VPN profile and added the VPN group to it.
- I disabled the Host ID check
- I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
What is missing? What am I doing wrong?Hi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
Configuration of SSL VPN in IOS-XE (Version 03.13.01.S)
Hi,
I am looking for some advice in regard to the configuration of SSL VPN in IOS-XE (Version 03.13.01.S).
I have been following the Cisco Guide (http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html#topic_D5CE388EB64446E0897B4741801C84A5) but I am not really having any luck.
I am testing my config in my lab using a CSR1000V before putting it into the production box.
When I try to fire up a https connection from a Windows client to the listening IP address in the router all what I get is a blank page (after clicking OK in the certficate error). In the virtual router though, I can see that the CRYPTO-SSL-WEBSERVICE is running, but I am not getting prompted with the page for me to enter the username and password.
I am using a self signed certificate and AAA is using local authentication to authenticate my users.
The version of the Anyconnect I am using is 3.1 for Windows, but I have not been to the point where the router pushes the Anyconnect software to the client.
The Windows host is running the latest version of Java (Version 8 Update 31).
I have to be honest and admit that this is not my area of expertise. Therefore, I am afraid I have some very silly questions such as what sort of webpage I should be getting when starting a https section to the router. Is it a default one?
I have not been able to find any real examples on the web and that's why I decided to reach out to you guys for help. Could you please have a look at my config and shed some light about why this is not working?
I created the annyconect.xml profile file using the Anyconnect Profile Editor.
CSR_1000V_VPN#sh debugging
IOSXE Conditional Debug Configs:
Conditional Debug Global State: Stop
IOSXE Packet Tracing Configs:
Crypto SSL Subsystem:
Crypto SSL (verbose) debugging is on
Crypto SSL Web Service debugging is on
Crypto SSL AAA debugging is on
Crypto SSL Tunnel debugging is on
Crypto SSL Tunnel Events debugging is on
Crypto SSL Tunnel Errors debugging is on
Crypto SSL Tunnel Packets debugging is on
Crypto SSL Client Package debugging is on
This is what happens when I browse to the listening IP address (1.1.1.1) from the client:
CSR_1000V_VPN#
*Feb 12 05:38:22.959: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:22.959: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.004: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.004: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.183: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.183: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.217: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.217: CRYPTO-SSL: Fragmented App data - buffered
*Feb 12 05:38:23.217: CRYPTO-SSL-WEBSERVICE: Date: Thu, 12 Feb 2015 05:38:23 GMT, Expires: Thu, 12 Feb 2015 04:38:23 GMT
*Feb 12 05:38:23.217: CRYPTO-SSL: Unsupported GET Request. Sent Status 501
*Feb 12 05:38:23.217: CRYPTO-SSL: Chunk data written..
buffer=0x7FE12868F258 total_len=138 bytes=138 tcb=0x7FE180F64058
*Feb 12 05:38:23.217: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.278: CRYPTO-SSL: sslvpn process rcvd context queue event
*Feb 12 05:38:23.278: CRYPTO-SSL: Fragmented App data - buffered
*Feb 12 05:38:23.278: CRYPTO-SSL-WEBSERVICE: Date: Thu, 12 Feb 2015 05:38:23 GMT, Expires: Thu, 12 Feb 2015 04:38:23 GMT
CSR_1000V_VPN#
*Feb 12 05:38:23.278: CRYPTO-SSL: Unsupported GET Request. Sent Status 501
*Feb 12 05:38:23.278: CRYPTO-SSL: Chunk data written..
buffer=0x7FE12868F258 total_len=138 bytes=138 tcb=0x7FE180F64058
*Feb 12 05:38:23.279: CRYPTO-SSL: sslvpn process rcvd context queue event
Thanks in advance,
AlejandroHi Alejandro,
Weblaunch for SSL VPN is not supported on CSR 1000v. Here's the enhancement request: https://tools.cisco.com/bugsearch/bug/CSCus02767/?reffering_site=dumpcr
Please save this bug so that you get notified if any changes are made to the bug's status.
Regards,
Anu -
Configuring SSL certificates on ALBPM Studio
Hi,
I am invoking a web service which is deployed on a web logic server which is a secure server and needs SSL certificates to communicate. I have the certificates but don’t know how to configure it to my ALBPM Studio.
Can I configure those to studio or do I need to deploy my code on the Enterprise edition installed on application server having these SSL certificates? But in that case I would land up investing so much time in deploying the code on server after even a small change. Since I don’t have those certificates configured to my studio it is not allowing me to catalog the service in my project and throwing Introspection error. The details of the error are mentioned below:
+[Error] Web Service WSDL parse exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target..+
+[Error] Instrospection exception: Web Service WSDL parse exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target...+
Can anyone throw any pointers on this type of error
Thanks,
AkshayIn order to communicate with SSL secured webservices (those with WSDL end point starting as https:// you need to have certificates from these servers.
For BPM Standalone these are the steps
1. Download the .cer file from server. (One way is you can use IE browser to get that file and export it from browser to a local directory)
2. Put this file in %JAVA_HOME%\jre\lib\security. You can put it anywhere you want.
3. Run the following command at a command prompt:
C:\Program Files\Java\jre1.6.0_02\bin>keytool -import -trustcacerts -alias <CERT ALIAS NAME> -keystore ..\lib\security\cacerts -file ..\lib\security\gd_<cert file name>.cer
4. You will be prompted for a password. If you have not changed the password, it will be "changeit".
5. You will then get the following message if all is successful - "Certificate was added to keystore".
6. Restart Tomcat (inbuilt server in BPM Studio).
This should solve your problem.
Pls note that if you have not configured your keyStore then first do so. you will find this document handy to do so.
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File
Arvind
Visit my blog at http://soa-bam-bi.blogspot.com/ for more tips on BPM & SOA -
Creating SSL certificate and configuring it with JBOSS 4.0.1
I have to post some data to a secured site from my application.
For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
But, while creating the stream it is showing SSLException and message is No trusted certificate found.
For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum. -
Problem to configure Blink Pro (App). Error SSL certificate verification error (PJSIP_TLS_ECERTVERIF) (503)
Hi, William
My question is if you can help me and support me to configure the Blink Pro App, I have a Mac Book Air, OS X 10.9.1.
hope for your answer -
Unable to configure SSL certificate on Apex
I am trying to configure ssl certificate in one apex application.
http://docs.tpu.ru/docs/oracle/en/oas/10.1.2.0.0/web.1012/b14007/ssl.htm#i1031859
as per the above document first step is create a wallet with SSL certificate information.
While creating wallet i am trying to import the CA certificate and User Certificate.
But i am not able to import the certificates properly. I am getting error messages.
Error Message :
User certificate installation failed
Possible Errors;
-- Input was not a valid certificate.
-- No matching certificate was found
-- CA certificate is needed for certificate chain not found please install it first.
What could be the reason for this. and solution for this problem ?Yes I am using OWM ( Oracle Wallet Manager)
First I have created a new wallet and then i did create service request.
Then Import user certificate and import CA certitificates are enabled.
Then tried to import the certificates above mentioned errors are coming.....
Yes first i imported the CA certificate then i imported the user certificate using the wallet manager. I used the copy - paste certificate method while importing.
Any how if do import user certificate first it will show an error saying install ca certificate first.
Message was edited by:
Santhosh Kumar T -
Can't find SSL certificate in SQL server configuration manager?
Hi
It's been 2 days and I need a help. I have visited a number of sites and I still can't make it work
Two severs I have: Windows 2012 Standard with SQL 2008 R2 and SQL 2012
I am trying to set it up on SQL 2008 R2 right now.
I have a certificate from a CA and did the followings.
1. Open MMC
2. Add Certificates Snap-in as a computer account (In fact, I tried all the three accounts)
3. Right click-on Personal folder and All taks and Import
4. Installed the certificate with Certificate import Wizard
5. The certificate shows up under Personal/Certificates and Trusted Root Certification Authorities/Certificates
I did this with a local administrator account as well as MSSQL account(SQL Server service account I created). Even though the server is part of domain, SQL server is set up with local accounts.
This is a simply summary. I tried everything in the article such as 'Create Custom Request'.
I am not sure what I am missing. Why can't I see the certificate in SQL Server configuration manager?
I even made MSSQL (service account) as administrator. Not working.
as I am not using the domain service account, I believe below is not relevant.
Missing detail on "Install a certificate in the Windows certificate store..."
When following recommended security procedures and running SQL server under a domain service account, the service will fail to start after assigning a certificate to the protocols. This is because the service account does not have permissions to read
the private key. Fix this in the Certificates MMC snap-in (preferably right after installing the certificate.) Select the certificate you just imported, then in the Action menu select "Manage private keys." Grant the domain service
account read access to the private key of the server certificate.
Below is the few of reference I looked at..
https://support.microsoft.com/en-us/kb/316898/
https://msdn.microsoft.com/en-us/library/ms191192(d=printer).aspx
https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
http://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-
http://blogs.msdn.com/b/sqlserverfaq/archive/2010/05/28/inf-permissions-required-for-sql-server-service-account-to-use-ssl-certificate.aspxHi Dinesh
Thanks for the reply.
I did looked into the both sites as well. but it did not work.
Below is the step to install SQLs server certificate. and I was stuck with Step 9. when click 'next' in the wizard, I am not getting into a place to select 'computer' as certificate type.
Do you know what is wrong please?
Open the Microsoft Management Console (MMC): click Start, then click Run and in the Run dialog box type: MMC
On the File menu, click Add/Remove Snap-in...
Select Certificates, click Add.
You are prompted to open the snap-in for your user account, the service account, or the computer account. Select the Computer Account.
Select Local computer, and then click Finish.
Click OK in the Add/Remove Snap-in dialog box.
Click to select the Personal folder in the left-hand pane.
Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate...
Click Next in the Certificate Request Wizard dialog box. Select certificate type 'Computer'.
You can enter a friendly name in text box if you want or leave it blank, then complete the wizard.
Now you should see the certificate in the folder with the fully qualified computer domain name -
VPN Concentractor SSL Certificate Expired - Urgent Help
We have VPN concentractor 3030. Whe I log on via web its says that SSL certificate has expires and I cannot login to generate new certificate.
I even tried login via consol but it won't allow the connection.
What can I do.The CONSOLE has nothing to do with the certificate. No matter what you should see the console prompt. If you cannot, make sure you are using a STRAIGHT THROUGH DB9 cable.
NOTE: This cable is different from the one used by PIX 520 and IDS boxes.
Regards
Farrukh -
Configure OWA to require a client ssl certificate only for external connection
Hello.
At now i migrated OWA client from Exchange 2003 to Exchange 2010 and faced with a problem.
I want to then external client (somebody like user from home PC) connect to Outlook Web App, client certificate will be required.
But then client connect (somebody from work PC) to internal Outlook Web App Url, Integrate Windows Auth will be used and client ssl certificate not required.
Is it possible? Or i need to enable Outlook Anywhere?Hi,
Base on my konwledge, I don't think it is possible.
When you install Exchange 2003, only one Default Web Site in Internet Information Services (IIS). if you change the authentication method and enable SSL on OWA, client ssl certificate always be required whether it's external or internal.
I recommend you refer to the following articles:
http://www.msexchange.org/articles-tutorials/exchange-server-2003/mobility-client-access/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft.
Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Thanks.
Niko Cheng
TechNet Community Support -
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable -
Configuring access with Certificate or AAA on ASA5520
Hi there!
I'm trying to configure a Cisco ASA 5520 to authenticate SSL VPN users via either certificate or local AAA, ie, normally the user will connect with a certificate but from time to time, users may forget their card at work and I would like to offer them an alternative way of logging via user and password.
When I try to configure this:
I access to Remote Access VPN > Clientless SSL VPN Access > Connection Profiles > Basic
The device gives 3 authentication methods: AAA, certificate and both
The question is: Is there anyway of configuring certificate as the main authentication method and AAA as a backup method?
Thank you in advanceThis will be possible in the future, currently the following bug will be affecting you
CSCef16611
WebVPN configured for both AAA and Certificate Auth only does certs
Symptom:
If WebVPN authentication is configured for both AAA and certificates in the tunnel-group, only certificate authentication takes place.
Conditions:
WebVPN authentication is configured for both AAA and certificates.
Workaround:
None availble. Currently WebVPN auhenticaiton is by AAA or Certificates, and not both simultaneously.
It will always take CERT if both are configured. -
SSL/Certificate creation/distribution questions
I'm extremely new to SSL and using certificates and have been having some trouble figuring out exactly how to create and implement them.
Environment background:
Currently, my entire network is closed off from the outside world. It's a mac-only network, basically sandboxed from a PC-only network via a router (to provide access to the internet, that's provided from the PC network). No port forwarding is set up and I don't have any external IP addresses pointing to my router, so currently there's no way for an outside source to see my network. With not really any need for secure traffic, SSL and certificates aren't really needed (basically, it's a video dept at a university with ~150 users). However, once I get external access (the main IT dept's been "working" on this with our ISP for, um, about a year <coughcough>), I'm wanting to do some stuff with VPN as well as wikis and chat (chat could theoretically be useful internally now). Even though we don't really have much worth hacking, once I get a window to the outside world, I'd like to button up my server/network as much as possible.
Since all my services will be set up and provided by me, I'm comfortable using certificates I create instead of purchasing any--if I knew how to do this, which brings me to my questions. I've tried creating a certificate within Server Admin, but it says it's not trusted (and clients don't seem to see it, anyway). I've also tried the instructions here: www.eclectica.ca/howto/ssl-cert-howto.php, but got an error when actually running the openssl command (OpenSSL is installed and appears to be functional). How do I get a trusted certificate(s) and then, how do I distribute them to the clients so they see and use them? Exactly what path are these created to, or should be placed, etc?
I'd initially like to use SSL for increasing the security of my logins (all network users), but like mentioned, I'd also like to secure other services (is a cert needed/useable for VPN?). In that regard, do I only need one certificate, or would I need certificates for each separate service?
Sorry for the long post, but thanks for any help.Hi There,
If you create a "self signed" certificate you will get warning messages in your browser but can configure your browser to accept these warnings. This is ok if it is just a local access machine and you are the only one accessing it.
If outside people are going to be accessing it, you will want to use a 3rd party SSL certificate from a trusted authority such as Verisign, GeoTrust etc.
Here is a good article on how to create the CSR on 10.6
http://support.apple.com/kb/HT3976
Hope this Helps,
Eric Holtzman
Hosting 4 Less -
VPN Design using CA (certificate authority)
In the process or redisgning current VPN deployment. Currently we have 300+ ASAs and 100 remote users on Windows Domain (Both are growing). Would like to use Certificates instead of Preshared Keys. Have some questions about the CA.
1) What are the pros and cons between using Enterprise or Standalone CA?
1a) What is more secure and more reliable?
1b) If we already have a domain, does using enterprise help? Benefits or problems?
2) Is it better to use 3rd party CA or manage one ourselves?
3) Any configuration tips or suggestions?Did you check metalink Note:178806.1 ?
How to get SSL Certificates from a Microsoft Certification Services CA
You have to change some registry keys in the Mircosoft CA so it will work with Oracle.
Steve
Maybe you are looking for
-
Hi I have an iPod Nano second generation I have just purchased cloud and the songs and albums that I purchased from Apple have loaded from my ipod. A littlke while ago I had a hard disc failer so had to replace it. I have permissioned my lap top for
-
New late November 2013 MBP retina goes blank
My new MBP 15 retina - late 2013 goes blank screen for no reason. Comes back on when lifting the unit up or just tilting the laptop - then the screen comes back on. I have to re-enter the password and it works fine.This does not happen a lot. Had the
-
Can't create aggregate device in SL
Just installed SL and i'm having problems with Audio MIDI Setup, i need to create a new aggregate device to use my mixer etc but when i click the + symbol, the new device will flash in the list and immediately disappear. Is this a bug or am i doing s
-
Mac OS X corrupt due to gravel and magnetic forces?
I took my MBP in to the Genius Bar because it shuts down by itself and gives me the kernel panic screen right after I turn it on. The person at the Genius Bar told me that the OS is corrupt and I would have to do an archive install. He couldn't do it
-
When Role is assigned to User through membership rule then it's membership is not added to OID ?
Hi All, I have OIM 11gR2 installed with LDAPSync enabled. When tried to assign Role to User through membership rule, Role is successfully assigned to User in OIM, but it is not added in OID. Role membership is added in OID when User requests R