Cert-based auth with AnyConnect

Hello

We recently bought a certificate for our ASA to use on the external interface when users connect to get AnyConnect installed or simply use WebVPN. I added the identity cert and the CA cert as well, and then made it the default cert for the external interface. This worked very well.

Now, we want to use certificate authentication for our AnyConnect (as well as the RAY that is already working). We have an internal Microsoft cert server that we want to use for this purpose. The question is... how can we use the publicly bought cert on the external interface for WebVPN and AnyConnect installation, and at the same time use the 'internal' cert for authentication of the VPN clients? Is that still possible?

I have already created an internal cert and installed it on the ASA together with the CA cert of our internal server. We run version 8.2(2).

I hope that someone with a little more knowledge about this than me can help.

Thanks in advance,

Rasmus

Rasmus,

Debugs of the failed attempt, please, taken while you try it the way you normally do.

Can you try with and without ssl-auth... certificate?

Marcin
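The split the question describes (a purchased certificate presented to browsers and AnyConnect on the outside interface, an internal Microsoft CA trusted only for client certificates) is expressed on an ASA as two trustpoints with different roles plus a certificate map that routes internally-issued client certs to a certificate-authenticated connection profile. The following is an added example in ASA 8.2-style CLI, not configuration from the thread; the trustpoint, profile, pool and policy names, the FQDN vpn.example.com and the issuer CN "Internal-Issuing-CA" are assumptions. The ssl certificate-authentication line is the client-cert prompt Marcin's reply refers to.

```cisco
! Added example, not from the thread. Names in CAPS, the FQDN and the issuer
! CN are assumptions, not the poster's values.

! 1) Public CA + purchased identity cert: identifies the ASA to browsers/AnyConnect.
crypto ca trustpoint PUBLIC-CA
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair VPN-KEY
 crl configure
! after "crypto ca authenticate PUBLIC-CA" (root) and "crypto ca enroll PUBLIC-CA" (CSR),
! the purchased identity cert is pasted with: crypto ca import PUBLIC-CA certificate

! 2) Internal Microsoft CA: trusted so that client certificates chain to it.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 crl configure
! paste the internal root CA certificate with: crypto ca authenticate INTERNAL-CA

! 3) Present the public cert on the outside interface; ask SSL clients on 443 for a cert.
ssl trust-point PUBLIC-CA outside
ssl certificate-authentication interface outside port 443

! 4) Only certificates issued by the internal CA land in the cert-auth profile.
crypto ca certificate map INTERNAL-USERS 10
 issuer-name attr cn eq Internal-Issuing-CA
tunnel-group-map enable rules
tunnel-group-map INTERNAL-USERS 10 ANYCONNECT-CERT

! 5) Connection profile that authenticates by certificate only.
tunnel-group ANYCONNECT-CERT type remote-access
tunnel-group ANYCONNECT-CERT general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-POLICY
tunnel-group ANYCONNECT-CERT webvpn-attributes
 authentication certificate
 group-alias Corporate enable

webvpn
 enable outside
 svc enable
 tunnel-group-list enable
```

The issuer match in step 4 is what keeps the two CAs' roles apart: a certificate that chains to the public CA validates against a trustpoint too, but it does not match the map and therefore never reaches the certificate-only profile. Checking with "show crypto ca certificates" that the internal root is present, and with "debug webvpn" on a failing connection, is the usual first step when the client is prompted for a certificate but rejected.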

Tags: Cisco Security

Similar Questions

  • Problem of proxy with AnyConnect SBL

    Hello

    Recently, I added the following line to our AnyConnect .xml profile:

    IgnoreProxy

    We use a proxy server internally on our network, so when client computers had been set up for it, they could not connect to our ASA with AnyConnect when they were off site. The above setting in their profile corrected that: even if the proxy is enabled in their IE, they can connect with AnyConnect while roaming. So far so good.

    Yesterday, I added the following to our configuration:

    group-policy TEST attributes
     msie-proxy method use-server
     msie-proxy server value ip.ip.ip.ip:port
     msie-proxy local-bypass enable

    This configuration was to ensure that the user's proxy is enabled when connected to the VPN. According to Cisco's doc, the proxy settings on the client automatically return to their original settings on disconnect. This also works as expected.

    But then, here is the funny thing (which is not funny at all really):

    When the client computer starts and the AnyConnect client is started before Windows logon (SBL), I get the attached prompt when trying to connect! This only happens with SBL, not when the user logs on and then starts the VPN client. I tried different proxy user credentials that I know work, but I can't get through and am therefore unable to connect before Windows logon. According to Cisco's doc, the proxy settings should apply AFTER VPN logon, but it seems it's trying to use them BEFORE trying to connect when you use SBL.

    Does anyone know why this happens? And can anyone come up with a solution (other than disabling the proxy settings I just made)?

    Thanks in advance - much appreciated!

    / Rasmus

    Rasmus,

    Bad news... I checked the "fixed in" field in the bug:

    2.5(1002) and 2.5(2000)

    which means it will be fixed in the next version.

    Symptom:
    The "IgnoreProxy" setting in the AnyConnect XML profile is not functioning when Start Before Login (SBL) is also enabled.

    Conditions:
    Problem first observed on AnyConnect 2.4.1012 when "IgnoreProxy" is set in the xml profile. Using Start Before Login feature (SBL). Using GPOs to set the proxy before login. Most noticeable when the Proxy that is set is internal/private because the AnyConnect will not be able to reach the headend device to make the anyconnect connection due to the proxy being set. Confirmed the profile is active. The "IgnoreProxy" setting in the profile is working for a non-SBL connection.

    Workaround:
    1. This does work without SBL. For instance, if you cancel SBL, log on to Windows in the usual way and then start the AnyConnect client. If you then disconnect and reconnect the AnyConnect it does indeed ignore the configured proxy.
    2. Disable GPO settings that push the proxy before login.
    Note: If you are using GPO to launch scripts, be aware AnyConnect also now has an OnConnect scripting feature to launch scripts as well.

  • Type of cert for ikeV2 anyconnect

    Hello world

    I created the CSR for AnyConnect IKEv2.

    When I ask the vendor for the cert, what type of certificate should I ask them for IKEv2?

    We do not want users to use SSL, as in going to https://xyz.com to connect and download the client.

    We want machines pre-installed with AnyConnect and the profile, and users connecting using IKEv2.

    Regards

    Mahesh

    Each certificate provider has their own list of choices. Many include Cisco among their choices, e.g.:

    http://www.InstantSSL.com/SSL-certificate-support/csr_generation/SSL-CER...

    In general, a standard server certificate, since we don't do anything fancy with it - just identity checking. The CN in the CSR must match the FQDN in this case...

  • Trouble with AnyConnect

    Hello community! I have a few tasks with AnyConnect which I need to do, but have no idea how. Help, please. The tasks are:

    1. Disable IPv6. We do not have any running IPv6 services or IPv6 clients; IPv6 only creates additional routine work for us.

    2. Prevent AnyConnect IPs from registering in DNS, because the AnyConnect IP is not routable on the intranet.

    Client OSes - XP to 8; DNS server OS is Windows Server 2008 R2 Datacenter. I am trying to disable IPv6 as described here: http://www.techunboxed.com/2012/08/how-to-disable-ipv6-in-windows-8.html, but it seems that it has not worked for AnyConnect.

    Hello

    Do you use the ASA to assign IP addresses to AnyConnect users? If so, they should not register in DNS.

    Also, you can disable the IPv6 address as described here: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyc...

    HTH

    Averroès.

  • RDP fails to connect with anyconnect

    Hi all
    I have a problem with the configuration of an ASA 5505.
    When my users connect with AnyConnect they can only connect to the server, but when they want to connect to their own PC, it does not connect.
    When they are connected, they can ping their own PC, even by DNS name.
    When I let them connect through the client portal, they can RDP to their own PC.
    NAT is set for the IP address of the server as well as the owners' PCs.
    The server is a Windows 2008 SBS and the clients are Win XP.
    Anyone have an idea?

    Please indicate the following:

    Can you ping 192.168.1.14? And can you try to telnet to port 3389 on 192.168.1.14 and see whether you get a prompt back?

    Also, does 192.168.1.14 allow RDP from a different IP subnet, as the server does? Is there a PC firewall that would block access? You can try disabling the Windows Firewall on 192.168.1.14.

  • IOS router VPN Client (easy VPN) IPsec with Anyconnect

    Hello

    I would like to set up my IOS router for IPsec VPN clients and connect with AnyConnect.
    Is it possible to configure an IPsec and SSL VPN client on an IOS router? I use, for example, an 1841.

    It would be perfect to give the user the choice of SSL or IPsec protocol. And the user would only need the AnyConnect client.

    I think it's possible with a Cisco ASA. But can I also do this with an IOS router?

    Please let me know how, if this is possible.

    Also, is it true that IOS routers are not affected by the Heartbleed bug? Are the SSL VPN and SSL VPN with AnyConnect pages also safe?

    http://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/CIS...

    But I am in any case interested in using IPsec and SSL VPN on an IOS router...

    It's true - CCP does not yet offer the options to configure an IPsec VPN with IKEv2.

    The configuration guide (here) offers detailed advice and includes configuration examples.

  • Posture EHT IE Web redirect Win7/8 with Anyconnect already installed?

    I have a problem where Windows 7 and Windows 8.1 clients connecting to the wireless network already have AnyConnect 4.3.x installed, with ISE posture checking for installed AV.  When the AuthZ rule for EAP chaining sees a posture status of unknown, the user logs in and it immediately opens IE and tries to do a web-based ISE posture check.  But if you wait a little, AnyConnect runs, performs the ISE posture check itself and finishes.  And then of course a CoA occurs and the status changes to compliant/permit access.  But this IE window for ISE posture is still sitting there.

    It's driving my simulated production group crazy.  It's as if web redirection does not know that AnyConnect is already on the box.

    I talked to TAC; they suggested it is a problem with IE and there is no ISE config to correct this problem.  Does anyone know the reg key to disable this behavior?

    Also, my concern is that once this behavior is disabled in Windows 7 and Windows 8.1, users connecting to ISE-managed guest networks won't get the web authentication redirect.  However my Windows 10 users never see the ISE web posture auth redirect, but they do... as expected... get a guest network web auth redirect.

    Apart from that, it was suggested that the Windows 7/8.1 reg key 'HotspotAuthentication' is the problem.  Setting this to zero does not solve the problem.  Active Software\Policies\Microsoft\Windows\HotspotAuthentication = 0

    Source of confusion.

    Any help is greatly appreciated.
    EI

    As a side note, I would be thrilled to be able to image all the files onto the machine and not need to use client provisioning to trigger ISE posture; feature request.

    If I remember correctly,

    if the network changes, Windows does an NCSI (network connectivity status indicator) test,

    with DNS and one HTTP request. This forced test brings up a browser window.

    I think you have three choices:

    - If the machines are managed by you:

    1. You can turn off this feature. In this case, you lose the Windows internet detection feature.

    2. You can change the default address used, http://www.msftncsi.com (multiple IPs), to a single outside IP, and after that add an entry to the redirect ACL to allow traffic to this IP without redirection.

    - If the machines are out of your control:

    3. You can build a complex redirect ACL which allows traffic to the IP addresses that www.msftncsi.com resolves to. I have a large collection (attached) from a crontabbed gethostbyname; it came to 246 entries, but you can reduce it to the 4-5 largest subnets. I think it is not a big risk to allow this traffic while the redirection is active.

    http://blog.superuser.com/2011/05/16/Windows-7-network-awareness/
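Options 2 and 3 in the reply both come down to the switch's redirect ACL: on an IOS switch the entries that are denied bypass the ISE redirect, the permitted ones are redirected. The block below is an added example, not configuration from the thread; the ISE node address 192.0.2.20 and the NCSI address 198.51.100.5 are placeholders for the addresses your own ISE PSN and the NCSI test (or the single outside IP chosen in option 2) use.

```cisco
! Added example, not from the thread. 192.0.2.20 stands for the ISE policy
! service node and 198.51.100.5 for the address the NCSI probe goes to; both
! are placeholders.
ip access-list extended ISE-POSTURE-REDIRECT
 remark deny = sent directly, not redirected; permit = redirected to the ISE portal
 remark DNS and the ISE node itself must never be redirected
 deny   udp any any eq domain
 deny   ip any host 192.0.2.20
 remark option 2/3: let the Windows NCSI probe through so IE is not popped up
 deny   ip any host 198.51.100.5
 remark everything else on 80/443 goes to the posture portal
 permit tcp any any eq www
 permit tcp any any eq 443

! Prerequisites for URL redirection on the switch:
ip device tracking
ip http server
ip http secure-server

! ISE pushes the ACL name in the authorization profile, e.g. the RADIUS
! cisco-av-pair url-redirect-acl=ISE-POSTURE-REDIRECT together with the
! url-redirect to the portal; the ACL has to exist on every switch.
```

For option 3 each resolved NCSI address (or the summarised subnets) becomes one more deny line. Verifying on the switch with "show authentication sessions interface <port> details" shows which redirect ACL and URL are applied to the session, which is the quickest way to see whether the probe traffic is still being redirected.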

  • How to generate CSR on switches for web auth with NGS

    Hello

    I am doing a dot1x solution with web auth on Cisco 3750 switches.

    Once the wired client is put into the web authentication state (after dot1x and MAB) and goes to a website, it receives a certificate warning. This is because the switch uses a self-signed certificate.

    I want to use a VeriSign certificate to resolve this error, but I can't find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but that is also not a solution, because the clients using web authentication won't trust the internal certification authority.

    Is it possible to fix this?

    Greetings

    Steven

    Hi Steven,

    The document below is really for IOS SSLVPN, but the certificate part should be the same:

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

    Search for 'Annex B'; it goes into the creation of a trustpoint and then has a section for the self-signed certificate and another for generating a certificate request to send to an external certification authority.

    Once the trustpoint is created, the command to actually generate the CSR is "crypto pki enroll".

    This document goes into a bit more detail on the individual commands and what they do:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

    Also, you can use something external to the switch, such as OpenSSL, to generate the CSR and private key, then use it to request a certificate from your VeriSign CA and then import the cert/key pair into the IOS device.

    Thank you

    Nate
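The trustpoint-then-enroll sequence Nate describes, carried through on the switch itself, as an added example that is not part of the answer: the trustpoint name, key label, FQDN webauth.example.com and the virtual IP 192.0.2.1 are assumptions.

```cisco
! Added example, not from the thread. Trustpoint name, key label, FQDN and
! virtual IP are assumptions.
ip domain-name example.com
crypto key generate rsa label WEBAUTH-KEY modulus 2048

crypto pki trustpoint WEBAUTH-CA
 enrollment terminal pem
 fqdn webauth.example.com
 subject-name CN=webauth.example.com,O=Example Corp
 rsakeypair WEBAUTH-KEY
 revocation-check none

! Import the public CA's root (and any intermediate) certificate, pasted as PEM:
crypto pki authenticate WEBAUTH-CA

! Print the CSR on the terminal; the PEM block is what goes to the public CA:
crypto pki enroll WEBAUTH-CA

! When the signed certificate comes back, paste it in:
crypto pki import WEBAUTH-CA certificate

! Serve the web-auth portal with that certificate and redirect clients to the
! host name in the certificate rather than to an IP address.
ip http secure-server
ip http secure-trustpoint WEBAUTH-CA
ip admission virtual-ip 192.0.2.1 virtual-host webauth.example.com
```

The warning only disappears when the name the browser is redirected to matches the certificate's CN and resolves for the client, so the virtual host name needs a DNS record that guest clients can reach before authentication; "show crypto pki certificates WEBAUTH-CA" confirms the chain once the import is done.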

  • Adding for Cert for WebVPN Anyconnect

    I have never done this before so bear with me.  I'll be putting up clientless and AnyConnect access on an ASA 5520.  I have a VeriSign certificate, but when I go to Certificate Management --> CA Certificates --> Add, fill everything in and click on "Install Certificate", I get an error.  What am I doing wrong?  Any help would be appreciated

    FYI, I have the primary CA cert installed already.

    Here are the steps for your reference:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808b3cff.shtml

    Hope that helps.

  • IPHONE 4.0 with Anyconnect ssl vpn client

    Hello

    Does anyone know how to configure an iPhone 4.0 with the AnyConnect client using certificate-based authentication?

    I just found that it is supported, but I have not found any documentation about it.

    Hello

    The AnyConnect client for iPhone has not yet been released, so you cannot configure it yet.

    Kind regards

    Assia

  • Problem of DNS with AnyConnect on SAA


    Hello

    I have a problem with local domain name resolution when connected via SSL VPN using AnyConnect.

    I've identified that it is due to the DHCP-assigned DNS not adding a domain suffix.

    I proved this by adding the local domain after the host name I'm pinging.

    On the ASA5505 ASDM I ensured that the appropriate DNS field is filled in, but this still does not work.

    Could someone please guide me in the right direction. It should be in the profile that is downloaded, or a configuration that automatically adds the correct suffix when DNS queries are sent to the DNS server.

    Hi again,

    I just figured out my DNS suffix name resolution problem and I thought I'd share my solution in case it helps you:

    • Connect to ASDM, select Remote Access VPN, expand Network (Client) Access, highlight Group Policies.
    • On the right, edit the group policy that your remote users connect to.
    • On the screen that comes up, highlight Servers on the left and then click the small arrow on the right to display more group policy editing options.
    • Fill in the default domain with your internal domain name (for example, mydomainname.local).
    • Click OK to save, and save the running config to flash.

    Test by reconnecting with an AnyConnect client and running ipconfig /all.

    For me, I can now see the DNS suffix I defined in the group policy, and I can successfully ping internal hosts by name.

    Good luck!
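The same fix expressed in ASA CLI, as an added example rather than the poster's own configuration; the policy name, the DNS server 192.168.1.10 and the domain mydomainname.local (the poster's placeholder) are assumptions.

```cisco
! Added example, not from the thread. Policy name and DNS server are assumptions.
group-policy ANYCONNECT-POLICY attributes
 dns-server value 192.168.1.10
 default-domain value mydomainname.local
 ! With split tunneling, also tell the client which domains to resolve through
 ! the tunnel DNS server; without it those queries may go to the local ISP resolver.
 split-dns value mydomainname.local

write memory

! Verify after the client reconnects (use "anyconnect" instead of "svc" on 9.x):
show running-config group-policy ANYCONNECT-POLICY
show vpn-sessiondb svc
```

On the client, ipconfig /all should then list the domain under "Connection-specific DNS Suffix" for the AnyConnect adapter; if it does not, the session is picking up a different group policy than the one edited, which "show vpn-sessiondb" reveals.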

  • Cisco ASA 8.4 Active Failover / standby with anyconnect local CA

    Hi friends

    I hope you're doing well! I've got a question, hope you can help me. I've got an ASA 5550 with version 8.4(6), serving AnyConnect remote access VPN users who authenticate with certificates generated locally on the ASA. We've got another 5550 with the same hardware and same version, and we are working on the failover configuration. I've heard from other network engineers that failover configuration may not be possible when the ASA is doing this local CA. Then I read the full failover section of the 8.4(6) operating guide and I didn't find any restrictions on failover and local CA working together. I'm testing over the next weekend, but I would like to know from your experience whether I'll have problems with VPN connections or the failover configuration.

    Please do not hesitate to ask for as much information as necessary. All comments and documentation will be appreciated.

    Best regards!

    It's in the documentation:

     Does not support Active/Active or Active/Standby failover

    And on top of that, ASDM shows "Local CA cannot be configured when failover is activated".

  • ASA5505 with 10 users. Need to connect 25 remote users with AnyConnect Client

    Hello to everyone.

    I have an ASA5505 with a 10-user license. I need to connect 25 remote users via SSL VPN (in my case the Cisco AnyConnect client). So I have to buy the Security Plus license (ASA5505-SEC-PL=) for more than 10 simultaneous VPN connections on a Cisco ASA 5505. Correct?

    And the main question. Do I need to order a user upgrade license (for example ASA5505-SW-10-50= or ASA5505-SW-10-UL=) for my Cisco ASA5505 in order to have 25 concurrent remote user connections without restriction for each remote user?

    You need the SecPlus license for increased remote access users. But you don't need an extra user license if you still only have up to 10 internal systems.

  • Restricting access via AAA auth group AnyConnect IKEV2

    Hello world

    I have an ASA config with 2 connection groups.

    Say Group 1 and Group 2.

    Both are currently assigned to the same AAA auth group.

    One of our external vendors has access to these two connection groups 1 and 2 XM...

    If I want the vendor to be able to connect only to Group 2, should I change the AAA auth group for connection Group 2?

    Then, even if he tries connection group 1, it should not work, as the AAA auth group will only affect Group 2, right?

    Regards

    Mahesh

    Mahesh

    If you have a single authentication server (or a pair of servers operating in HA), then it would seem that the vendor would be authenticated in any group they are trying to access.

    I have a client who was using the group lock function to accomplish something similar to what you describe. They used RSA two-factor authentication as you do. They had the ASA send the authentication request to a RADIUS server. The RADIUS server would send the ID and code entered to the RSA server to do the two-factor authentication, and would also query Active Directory to learn about the user's group membership. The RADIUS server then would return the results of the RSA and AD lookups to the ASA, which would use the group lock feature to ensure that the user entered the right group. Maybe something like that might work for you?

    HTH

    Rick
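The group-lock arrangement Rick describes, written out in ASA CLI as an added example (not the client's configuration from the answer): the profile and policy names, the RADIUS server address 192.0.2.10 and the ACL name VENDOR-ACL are assumptions.

```cisco
! Added example, not from the thread. Names, the RADIUS address and the ACL
! name are assumptions.
aaa-server RADIUS-2FA protocol radius
aaa-server RADIUS-2FA (inside) host 192.0.2.10
 key <shared-secret>

! Both connection profiles use the same AAA server group, as in the question.
tunnel-group GROUP1 type remote-access
tunnel-group GROUP1 general-attributes
 authentication-server-group RADIUS-2FA
 default-group-policy STAFF-POLICY
tunnel-group GROUP1 webvpn-attributes
 group-alias Group1 enable

tunnel-group GROUP2 type remote-access
tunnel-group GROUP2 general-attributes
 authentication-server-group RADIUS-2FA
 default-group-policy VENDOR-POLICY
tunnel-group GROUP2 webvpn-attributes
 group-alias Group2 enable

! group-lock ties the policy to one connection profile: a vendor whose
! credentials are valid but who picked Group1 is disconnected after
! authentication instead of inheriting the staff policy.
group-policy VENDOR-POLICY internal
group-policy VENDOR-POLICY attributes
 group-lock value GROUP2
 vpn-tunnel-protocol ssl-client
 vpn-filter value VENDOR-ACL

group-policy STAFF-POLICY internal
group-policy STAFF-POLICY attributes
 group-lock value GROUP1
 vpn-tunnel-protocol ssl-client

! What makes this per-user is the RADIUS server returning the Class attribute
! (attribute 25) as "OU=VENDOR-POLICY;" for vendor accounts, chosen from their
! AD group membership; the ASA then applies VENDOR-POLICY regardless of which
! profile's default policy would otherwise have been used.
```

The lock only bites when the RADIUS server actually returns the policy name for the user: if it sends no Class attribute, the tunnel-group's default-group-policy applies and a vendor on GROUP1 would simply get STAFF-POLICY. "show vpn-sessiondb detail" shows which group policy a live session received, which is the quickest way to confirm the attribute mapping.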

  • Access to local resources with Anyconnect

    I have an ASA 5505 running 9.2. I have AnyConnect working in that it establishes a connection and users can browse the Internet with split tunneling. However, they cannot access the internal servers or even ping them.

    I suspect NAT, but I am no expert and I did some googling; most of the directions are written for a different version of the OS.

    I have attached the running configuration. Accessible servers are on the network 192.168.1.x. The VPN pool is in the 192.168.2.x network.

    Thank you.

    Yes - when you ping the internal network from your ASA, its inside (on-network) address is the source address.

    When your VPN clients are trying to reach those resources, their source address is 192.168.2.x. Unless the internal network hosts have your ASA as their default gateway, or their internal/other router has a static route (or a dynamic route, if you use a routing protocol on the ASA, which you are not in this case) to reach 192.168.2.0/27 through the ASA, the return traffic will not make it back to the ASA. It will instead go to their default gateway and not set up (or complete) a connection (TCP) or flow (UDP or ICMP).
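The two things the reply points at, a NAT exemption between the inside LAN and the VPN pool, and a return route on whatever the internal hosts use as gateway, look like this in the 9.2 syntax the poster could not find. This is an added example, not the poster's attached configuration: the object names, the /24 pool mask (the reply mentions a /27), the test addresses and the router placeholder are assumptions.

```cisco
! Added example, not from the thread. Object names and the pool mask are
! assumptions; adjust the mask to the real pool.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL-NET
 subnet 192.168.2.0 255.255.255.0

! Identity ("twice") NAT: traffic between the inside LAN and the VPN pool is
! not translated in either direction. route-lookup leaves the egress interface
! to the routing table; no-proxy-arp stops the ASA answering ARP for the pool.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup

! The split-tunnel list must include the internal network, otherwise the
! client never sends that traffic into the tunnel in the first place.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy ANYCONNECT-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Verify: trace a ping from a pool address to a server; the NAT phase should
! show the identity rule and the result should be ALLOW.
packet-tracer input outside icmp 192.168.2.5 8 0 192.168.1.20

! If the internal hosts' default gateway is a separate router rather than the
! ASA, that router needs the return route (IOS syntax; replace the placeholder):
!   ip route 192.168.2.0 255.255.255.0 <ASA-inside-IP>
```

A NAT rule that translates the pool on its way to the inside (the usual cause when "most directions are for another version") shows up in the packet-tracer output as a non-identity NAT phase; with the exemption in place and the return route present, the remaining suspect is a host firewall on the servers dropping traffic from the unfamiliar 192.168.2.x subnet.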
