AnyConnect and Aladdin eToken authentication

Hi all!

First part

I managed the AnyConnect VPN installation on our c2821 using MS Active Directory and a Cisco Secure ACS v4.2 RADIUS authentication server for Windows clients.

I have successfully set up authentication in Windows using an Aladdin eToken and a Smartcard Logon certificate (from Microsoft's CA).

I have successfully stored the Microsoft certification authority certificate in the eToken certificate store.

I would like someone to answer the following question: how can I use this certificate to authenticate the session on the AnyConnect VPN?

Second part

I tried to customize the local AnyConnect profile using the Cisco AnyConnect Profile Editor. The only result: the default username and default host changed. All other customizations have been ignored.

Here is my profile:



   
        one
       
        omitted

omitted
        omitted
        false
        true
        false
        All
        true
        Native
        false
        false
        false
        true
            DisconnectOnSuspend
       

        false
        HardwareToken
        SingleLocalLogon
        LocalUsersOnly
        false
        Automatic
           
       

        false
   

Anyone have any ideas?

Hello

You can control the parameters of the AnyConnect session only if the administrator has activated/enabled 'User Controllable' for each XML attribute. For those that are user controllable, the user can click on the 'Settings' button right next to the server drop-down list box.

However, if you manually change the XML file on the client's local computer, the next time AnyConnect connects it will download the original version from the ASA and compare it with the local XML file. If the checksum does not match, it overrides the local XML file with the newly downloaded one.

You can change the preferences.xml file and, as you have discovered, AnyConnect will honor your changes. But the profile holds most of the security settings, such as Local LAN Access, Start Before Logon and Auto Reconnect.

Thank you

Kiran

Tags: Cisco Security

Similar Questions

  • Cisco Anyconnect and Aladdin eToken

    Hello

    I want to authenticate clients on an ASA5510 (8.4(2)) with a certificate on an Aladdin eToken.

    If I connect with the browser (IE), everything works fine: the eToken software asks for the certificate and the password and downloads the client profile. The AnyConnect connection is established.

    If I connect directly with the AnyConnect client (ver. 3.0.4235), no certificate is used, and so I get the error message "no valid certificate available for authentication".

    The client is Win7, but the same problem occurs on Windows XP with full admin rights.

    It seems that the AnyConnect client cannot find the certificate store.

    Any idea?

    Thank you.

    It is not just with the Aladdin eToken; the same problem occurs with a local certificate (.pfx) installed in the certificate store with the standard Microsoft software.

    Have you configured the profile XML section to reference the certificate?

    http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect20/administrative/guide/admin7.html#wpmkr999934

  • AnyConnect and SSL - VPN without client

    Are there problems running Cisco AnyConnect and clientless SSL VPN side by side?

    I am currently looking into adding AnyConnect to an ASA that is currently set up for clientless SSL VPN. The clientless setup is not being removed. I don't know how to set it up, so I wonder if someone has already done this, or whether there are any problems with this setup?

    Hi Daniel

    It's a little complicated if you want granular authentication and authorization, but it works.

    I'm running an ASA with IPsec, SSL client and clientless SSL.

    Each of these VPNs uses username/one-time-password and certificate based authentication.

    The main challenge is to put in place a proper structure of profile maps, connection profiles, group policies and dynamic access policies.

    Feel free to ask questions...

    Stephan

  • AnyConnect and 2 certificates

    People,

    I have a question regarding AnyConnect and using 2 profiles on a single client.

    I use AnyConnect SSL VPN to connect to several sites, each using certificates and username/password for authentication.

    My problem is that when I have 2 certificates in my personal store for two different ASAs, I can't authenticate on one of the firewalls.

    Each certificate is named differently, i.e. mycert-site1 and mycert-site2.

    anyone came across this before?

    Thanks to anyone who takes the time to answer

    Hello

    You have this option in a newer version of AnyConnect:

    http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect24/release/notes/anyconnect24rn.html#wp1025402

    HTH,

    Marcin

  • exception of Aladdin etoken windows 7

    I have an applet that I use for signing. I also use the Aladdin eToken smartcard or USB token. It works perfectly on Windows 2000 and XP, but on Windows 7 I get the following exception:

    The code where I load the eToken DLL is the following:


    // Fields used below are declared elsewhere in the poster's applet:
    //   java.security.Provider PKCS11Provider; java.security.KeyStore keyStore; String configDir;
    PKCS11Provider = new sun.security.pkcs11.SunPKCS11(new ByteArrayInputStream(generatePKCS11ConfigFile().getBytes()));
    String eIDProviderName = PKCS11Provider.getName();
    Security.addProvider(PKCS11Provider);

    // load eID card (keystore)
    // you don't need to provide a password yet (you might use only the public key from it)
    // if you try to use the private key, a window asking for the PIN will pop up
    char[] pin = "".toCharArray();

    KeyStore.ProtectionParameter pp = new KeyStore.PasswordProtection(pin);

    CallbackHandler cmdLineHdlr = new com.sun.security.auth.callback.DialogCallbackHandler();
    KeyStore.Builder builder = KeyStore.Builder.newInstance(
                                             "PKCS11",
                                             PKCS11Provider,
                                             new KeyStore.CallbackHandlerProtection(cmdLineHdlr));

    keyStore = builder.getKeyStore();        // in this line the exception is thrown
    keyStore.load(null, pin);


    protected String generatePKCS11ConfigFile(){
        System.out.println("in generatePKCS11ConfigFile");

        String os = System.getProperty("os.name");
        System.out.println("os: "+os);

        if(os.contains("Windows")) {
            if(os.contains("Windows 9"))
                configDir = System.getenv("WinDir");
            else
                configDir = System.getenv("SystemRoot");
        }

        // The generated config has only "name" and "library"; no "slot" line is present.
        String content = "name=eToken"+"\n"+"library="+configDir+"\\system32\\eTPKCS11.dll";
        System.out.println("content: "+content);

        return content;
    }
    Stack trace:

    config dir: C:\Windows
    content: name=eToken
    library=C:\Windows\system32\eTPKCS11.dll
    get the instance of generator: java.security.KeyStore$Builder$2@5dfaf1
    java.security.KeyStoreException: KeyStore instantiation failed
        at java.security.KeyStore$Builder$2.getKeyStore(Unknown Source)
        at EtenderingSigner.loadKeyStoreFromSmartCard(EtenderingSigner.java:168)
        at EtenderingSigner$LoadeIDButtonListener.actionPerformed(EtenderingSigner.java:872)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
        at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
        at java.awt.EventQueue.access$000(Unknown Source)
        at java.awt.EventQueue$1.run(Unknown Source)
        at java.awt.EventQueue$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue$2.run(Unknown Source)
        at java.awt.EventQueue$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)
    Caused by: java.security.KeyStoreException: PKCS11 not found
        at java.security.KeyStore.getInstance(Unknown Source)
        at java.security.KeyStore$Builder$2$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        ... 39 more
    Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-eToken
        at sun.security.jca.GetInstance.getService(Unknown Source)
        at sun.security.jca.GetInstance.getInstance(Unknown Source)
        at java.security.Security.getImpl(Unknown Source)
        ... 42 more
    java.lang.NullPointerException
        at EtenderingSigner.getPrivateKeyAndCertChain(EtenderingSigner.java:199)
        at EtenderingSigner.showEIDCertificateDetails(EtenderingSigner.java:423)
        at EtenderingSigner$LoadeIDButtonListener.actionPerformed(EtenderingSigner.java:873)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
        at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
        at java.awt.EventQueue.access$000(Unknown Source)
        at java.awt.EventQueue$1.run(Unknown Source)
        at java.awt.EventQueue$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue$2.run(Unknown Source)
        at java.awt.EventQueue$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)

    Edited by: sabre150 may 18, 2011 03:59

    Code tags added to facilitate the readability of the source code.

    Hello

    Haven't tried your recommendation, as for me it would be impossible to change the settings of the virtual machine that displays the applets for each end user. [It should work from silk and browser:]

    BUT I found a solution in the following thread, post No. 6: http://www.thatsjava.com/java-tech/70373/
    And it helped me to solve everything.

    Everything is hidden in the pkcs11.cfg file:

    name = Name_on_the_grave
    library = C:\Windows\System32\eTPKCS11.dll
    slot = 2

    The last line, "slot = 2", did the trick for my pain. And the applet runs when called in the browser.

    So that means it can work, and it works (EW)
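    As an added example (not the applet code posted above), a stand-alone Java 8 program that builds the SunPKCS11 configuration with the explicit slot line the poster found necessary, opens the eToken keystore, and reports for each certificate whether its KU/EKU make it usable for client authentication (which is what an AnyConnect or IKEv2 peer will look for). The default slot 2 and the eTPKCS11.dll path come from the thread; the class name, the PIN prompt via System.console() and the Java 8 SunPKCS11 constructor are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class EtokenCertCheck {
    // id-kp-clientAuth: the EKU a VPN gateway expects on a client certificate.
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** SunPKCS11 config; the slot line is what the thread above was missing. */
    static String pkcs11Config(String name, String library, int slot) {
        return "name=" + name + "\n"
             + "library=" + library + "\n"
             + "slot=" + slot + "\n";
    }

    /** Open the token keystore (Java 8 constructor; Java 9+ uses Provider.configure). */
    static KeyStore openToken(String config, char[] pin) throws Exception {
        Provider p = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8)));
        Security.addProvider(p);
        KeyStore.Builder b = KeyStore.Builder.newInstance(
                "PKCS11", p, new KeyStore.PasswordProtection(pin));
        return b.getKeyStore();   // KeyStoreException here means wrong library path or slot
    }

    /** True when KU allows digitalSignature and EKU (if present) includes clientAuth. */
    static boolean usableForClientAuth(X509Certificate cert) throws Exception {
        boolean[] ku = cert.getKeyUsage();                 // index 0 = digitalSignature
        boolean digitalSignature = ku == null || ku[0];    // no KU extension = unrestricted
        List<String> eku = cert.getExtendedKeyUsage();     // null = no EKU extension
        boolean clientAuth = eku == null || eku.contains(EKU_CLIENT_AUTH);
        return digitalSignature && clientAuth;
    }

    public static void main(String[] args) throws Exception {
        String lib = System.getenv("SystemRoot") + "\\System32\\eTPKCS11.dll";
        int slot = args.length > 0 ? Integer.parseInt(args[0]) : 2;   // slot 2 as in the thread
        char[] pin = System.console().readPassword("eToken PIN: ");  // assumes a real console
        try {
            KeyStore ks = openToken(pkcs11Config("eToken", lib, slot), pin);
            for (String alias : Collections.list(ks.aliases())) {
                Certificate c = ks.getCertificate(alias);
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                System.out.printf("%s  subject=%s  privateKey=%b  clientAuthOK=%b%n",
                        alias, x.getSubjectX500Principal(), ks.isKeyEntry(alias),
                        usableForClientAuth(x));
            }
        } catch (KeyStoreException e) {
            System.err.println("KeyStore instantiation failed: check the library path and slot");
            throw e;
        } finally {
            Arrays.fill(pin, '\0');   // do not leave the PIN in memory longer than needed
        }
    }
}
```

    A certificate that shows privateKey=true and clientAuthOK=true is the one AnyConnect should be pointed at; an entry without a private key on the token cannot be used to authenticate.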

  • HP20002D19WM came with no software (cyberlink) key and certificates of authenticity for windows

    I just bought the HP20002D19WM, which came with no software (CyberLink) key and no certificate of authenticity for Windows. I can't use any CyberLink program without a key number to enter. Also, if for some reason I were asked for my Windows number, I would not be able to give it, since I never received it.

    These are the original factory specifications for your HP 2000-2d19WM laptop. All CyberLink OEM software should work without a key, because it is not mandatory for mass-installed OEM products. Regarding the Windows product key, see Windows 8 product activation:

    • OEM Activation 3.0 (OA3) at the factory: a digital product key (DPK) is encrypted and installed in the motherboard BIOS during the manufacturing process. Windows 8 activates automatically the first time the computer is connected to the Internet. With systems activated by OA3, most of the computer's hardware can be replaced without needing to reactivate the software with Microsoft.

  • Age of Empires 3 product key lost. Is there a way I can get the key? I have the box and certificate of authenticity and all the CDs

    Age of Empires 3 product key lost. Is there a way I can get the key? I have the box and certificate of authenticity and all the CDs.

    Hi barryholt,

    You can refer to the following article for more information:

    How to get a new product key for Microsoft Games for Windows, Streets & Trips, or MapPoint

  • Clients vpn AnyConnect and cisco using the same certificate

    Can the same certificate be used on the ASA for the AnyConnect client and the Cisco VPN client (IKEv1/IKEv2)?

    John.

    The certificate identifies a user/machine rather than the protocol, so yes, generally you can use the same certificate for SSL/IKEv1/IKEv2 connections.

    What you need to take care of is that said certificate fulfills the requirements of the protocol; for example, IKEv2 implementations 'require' that particular KU bits are set and that the client-auth/server-auth EKUs are defined on the certificates.

    M.

  • AnyConnect and LDAP

    Hi all

    I need your support on my attached configuration.

    My question is why, using AnyConnect, I can't authenticate.

    Consider that:

    1. AnyConnect works properly with the LOCAL user cisco.

    2. test aaa-server authentication GOADC host 192.168.99.1 username ... password ...

    returns:

    INFO: Attempting Authentication test to IP address <192.168.99.1> (timeout: 22 seconds)

    INFO: Authentication successful

    Let me know what is missing.

    Thank you in advance

    Best regards

    Hey Parker,

    Looking at your configuration, you are using the DefaultWebVPNGroup.

    So, to do this, follow these steps:

    tunnel-group DefaultWebVPNGroup general-attributes
     authentication-server-group GOADC
    !

    Let me know how it goes.

    Thank you.

    Portu.

    Please note all useful posts

  • Access Internet AnyConnect and ASA 8.3

    I have configured AnyConnect on an ASA 8.3 and I am able to access everything on the internal LAN very well. However, I can't connect to the Internet while I am connected to AnyConnect. I tried different DNS servers in the AnyConnect profile and different split tunnel parameters. I can't understand the Internet issue. The strange thing is that I can't resolve any Internet addresses at all through the AnyConnect connection. When I try to ping www.msn.com it just says that it cannot find the host www.msn.com. Can someone please help with this question?

    Thank you

    Corey

    As well as the above, looking at the config, I feel you need to add this as well after removing the split tunnel configuration:

    object network AnyConnect-INET
     subnet 192.168.253.0 255.255.255.0
    !
    nat (outside,outside) source dynamic AnyConnect-INET interface

    Thank you

    Ajay

  • During installation it asks for a proxy username and password for authentication. What should I fill in here?

    During installation it asks for a proxy username and password for authentication. What should I fill in here?

    Hello

    Please see Proxy support in Creative Cloud products.

    Kind regards

    Sheena

  • [Cisco AnyConnect] Certificate on RADIUS authentication

    Hello

    I use certificate authentication and LDAP authorization and it works fine.

    Now I want to centralize authentication and authorization on the RADIUS server (Cisco ACS in my case).

    In the connection profile, we have 3 authentication methods:

    • AAA: I can choose a RADIUS or LDAP server group --> the user is prompted to enter username/password credentials
    • Certificate: I can't choose an AAA server... --> the user only has to provide the certificate
    • Both: I choose RADIUS or LDAP --> the user is prompted for username/password credentials and must also provide the certificate

    If I choose the Certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.

    Is there a solution to delegate the certificate authentication to RADIUS?

    I have different authorization rules for each VPN connection profile.

    Can the ASA send the VPN connection profile to RADIUS (in a RADIUS attribute...)?

    Thanks for your help,

    Patrick

    Patrick,

    The essential point in deployments using WLC is that the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.

    In the case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (not implemented/redundant from the client's point of view, or not in the standard).

    IOS also gives you the possibility to make PKI authorization calls:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_pki/configuration/15-2mt/sec-cfg-auth-Rev-cert.html

    AFAIR there is no similar mechanism on the ASA.

    M.

  • IPsec VPN with Cisco AnyConnect and 1921 ISR G2 router

    Hello

    Is it possible to establish a remote access IPsec VPN using the Cisco AnyConnect client with a Cisco ISR G2 1921 router?

    If someone has one, please share the sample configuration, as I have been on this topic since last week.

    My Cisco rep recommended I not try AnyConnect on an ISR or ASR router. So I used an open source client. I'm not saying that AnyConnect won't work, it's just the route I took on my project. I have a known good working configuration for a 1921 with strongSwan as the client. It is IPsec with IKEv2, using certificates for authentication.

  • IKEv2 AnyConnect and pool allocation via RADIUS

    I set up a CSR1000V (03.09.00a.S, 15.3(2)S) for AnyConnect with IKEv2. I store the user name and the IKEv2 authorization policy on the RADIUS server. The clients are placed in their own iVRFs through the RADIUS attributes pushed to the NAS.

    For example, in FreeRADIUS (2.1.12) the following is defined (home is the 'group') in [email protected] / * / format:

    home    Cleartext-Password := "cisco"
            Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
            Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
            Framed-Pool = "CUST-A-POOL"

    [email protected] / * /    Cleartext-Password := "test123"

    The user and group authorization information is then merged and cloned onto the virtual template:

    crypto ikev2 name-mangler EXCERPT-GROUP
     eap suffix delimiter @
    !
    crypto ikev2 profile FlexVPN-IKEv2-profile-1
     match fvrf IPSEC-FVRF
     match identity remote key-id FlexAnyConnect
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint cacert.org
     dpd 60 2 on-demand
     aaa authentication eap List1-AuthC-FlexVPN
     aaa authorization group eap list FlexVPN-AuthZ-list-1 name-mangler EXCERPT-GROUP
     aaa authorization user eap cached
     virtual-template 1
    !
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel mode ipsec ipv4
     tunnel vrf IPSEC-FVRF
     tunnel protection ipsec profile FlexVPN-IPsec-profile-1

    However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) pushed to the NAS in the RADIUS debugs:

    *Aug 16 21:36:39.384 TSB: RADIUS:   Framed-Pool         [88]  13  "CUST-A-POOL"

    However, the crypto debugs say an IP cannot be allocated:

    *Aug 16 21:36:39.435 TSB: IKEv2: cannot allocate an IP addr

    Payload contents:

    AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)

    If the Framed-Pool is removed and a Framed-IP-Address is set on the user instead, the configured address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I'm missing? Can any more detailed debugs be generated?

    Cheers,

    Matt

    Matt,

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty98153

    Send:

    ipsec:addr-pool or ipsec:ipv6-addr-pool

    M.

  • AnyConnect and MSChap-V2 on Microsoft Raidus with ASA5510

    Hello...

    We have a Cisco ASA5510 configured to work with the Microsoft RADIUS server. VPN authentication and authorization work well with L2TP over IPsec, and users authenticate with MSCHAPv2 as we want them to.

    Now we are trying to set up AnyConnect to do the same. Can you tell us how to make AnyConnect use MSCHAP version 2 instead of PAP, using ASDM? I think I know how to do the Microsoft part of it, but I do not know where to go in ASDM to configure it.

    Any advice is welcome...

    Dale

    Hello Dale,

    You must use the following command under the tunnel-group to force the use of MSCHAPv2:

    password-management

    On ASDM:
