Cisco ASA 55xx: backup/restore an externally signed certificate with ASDM
I have a Cisco ASA 5510 which is used for our VPN. It has an externally signed certificate from DigiCert. I am replacing the 5510 with a Cisco ASA 5545 and wondered whether, with ASDM, I can save the certificate from the 5510 and load it onto the 5545. Or should I get another reissued certificate from DigiCert and install it from scratch? Is there something to look out for, e.g. games with the public/private keys, etc.? Please let me know.
You guessed it right, Edwin.
As long as you just want to maintain the certificate configuration, that is what you need to do.
Make sure that you also install the root and sub-root (intermediate) certificates on the new ASA, in addition to the certificate you extract as PKCS12.
Kind regards
Dinesh Moudgil
PS Please rate helpful messages.
Tags: Cisco Security
Similar Questions
-
Cisco ASA 55XX transparent mode through a VLAN
Hello Cisco Forum team!
In a scenario where the Cisco ASA is in transparent mode, is it possible to pass the L2 traffic of other VLANs, different from the native VLAN on which the firewall's management IP lies?
The switches on the outside and inside interfaces of the ASA are in trunk mode, and I'm moving L2 VLAN traffic from inside to outside and vice versa by using filters on the switches (switchport trunk allowed vlan).
Thank you in advance for your support and comments!
Yes, it is possible, but you will be limited to 8 VLANs, or more precisely 8 BVI interfaces, so it's not a scalable solution. The problem is that you will need to have different VLANs for the same subnet at both ends of the ASA.
To clarify this point, let's say you use the interfaces Gig0/1 and Gig0/2. On Gig0/1 you would set up subinterfaces with VLANs 2, 3 and 4. Now, if you try to configure the same VLANs on Gig0/2, you will get an error saying something like "this VLAN is already configured on another interface". I don't remember the exact error.
So to get this working, you need to configure Gig0/2 with subinterfaces for VLANs... let's say... 5, 6 and 7. You would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3. Each BVI interface would have its own IP address on the subnet that is bridged through the ASA.
--
Please do not forget to select a correct answer and rate useful posts
-
Cisco ASA 8.0.4: AnyConnect does not work with Vista and IE7
Hello
I currently have a Cisco ASA 5520 with the latest version of the ASA/ASDM/AnyConnect software. However, I can't get Vista and IE7 to connect using the AnyConnect VPN client; the following error message appears:
"Setup could not start the Cisco VPN Client".
Is there a workaround for this?
Thanks in advance
Eoin
I'm glad you got it working :)
Please rate the posts if you find them useful.
Regards
Farrukh
-
Can I save/backup/restore my entire MacBook system with iCloud?
As above.
I just bought PC World/Currys Knowhow, that is to say, their version of the cloud. I don't like it.
Apparently it allows a restore if my MacBook breaks, is stolen, etc. iCloud should not cost much more. I suspect iCloud would work better with my Mac. But can I do what I ask above, i.e. restore everything on my Mac from iCloud?
Knowhow is all just too confusing. I can't even find where my photos are, and too many files have a big '?' by them.
Thank you.
No... iCloud is in no way designed to back up everything on your Mac. Do that to an external drive using the Time Machine application in your Applications folder.
-
I have a problem with a Cisco ASA 5505, ASA 9.0(3) / ASDM 7.4(1).
I did a factory reset, formatted flash, and copied everything from TFTP.
The config was copied from another ASA. Afterwards I changed the hostname entries:
hostname connect
crypto ca trustpoint ASDM_TrustPoint0
 subject-name CN=connect
crypto ca trustpoint ASDM_TrustPoint1
 subject-name CN=connect
The ASA works very well and the Home and Monitoring tabs in ASDM work, but I'm not able to work on the configuration using ASDM :(
When I go to the Configuration tab, I get this message (which stays forever):
Please wait while the certificate information is being retrieved
I tried re-doing the 'webvpn' setup and a backup/reload. That did not help.
Error message and flash contents: see the attached photo.
Suggestions are greatly appreciated.
Regards
Nils
Hi Nils,
Please use ASDM 7.4.2; the version you have has a lot of bugs.
Thank you
Regards
-
Restore the backup from an external hard drive
Original title: if I reinstall my Vista, how do I restore the backup from an external hard drive? Is it a drag-and-drop procedure? I use a Seagate external hard drive and there is no help section.
Having run the backup to the external hard drive, I would like to know how to use it when I reinstall Vista Home Premium.
Also, I tried to check the hard disk for errors, and it has not finished the process.
Assuming that you used the Vista Backup and Restore program and made a full backup and not an image backup (although some of these procedures include restoring a full image backup), here is some information to help you restore data. Try to read all, or at least most, of the articles before you start, so you get a good understanding of the process and the procedures involved. Restoring from an external hard drive is a little different from restoring from a secondary internal hard drive, CD/DVD or flash drive, or from the network (although quite close to the network procedure). If you used the Vista backup program, you cannot restore using drag-and-drop; you must use the Vista restore program.
Here is an article on the restore procedure: http://www.vista4beginners.com/How-to-restore-files to make sure you do this right. It's a selective restore from a full or selective backup (not a full restore from a full backup), but since you did a full backup, it matches your process more closely than a full restore would.
This is a GREAT article on the backup and restore processes in Vista: http://technet.microsoft.com/en-us/magazine/2007.09.backup.aspx, but it won't go into detail about the restore process, considering it almost as easy, of course. But it teaches you a lot about what is possible and how to do it. It also focuses primarily on the full backup process, but it does mention the full backup and restore process as well.
Here is an article on advanced restore (for when a normal restore does not work): http://www.mayankraichura.com/post/2009/08/06/Avdvanced-Restore-via-Windows-Vista-Backup-and-Restore-Center.aspx.
Restore files from a backup
http://Windows.Microsoft.com/en-us/Windows-Vista/restore-files-from-a-backup
Back up and restore: frequently asked questions
http://Windows.Microsoft.com/en-us/Windows-Vista/back-up-and-restore-frequently-asked-questions
I also found the following (but don't know if it is true or not):
1. After starting "Backup and Restore Center",
2. I chose "Advanced Restore".
3. I was not asked for an administrator password... maybe because my account is an administrator account.
4. Choose "files from a backup made on a different computer".
5. In the dialog box saying "Select the location of the backup to restore", select "hard drive, CD or DVD...".
6. In the drop-down list box, select your drive/partition and continue.
7. If there are backups on your drive, it will show a list of them.
8. In my case, it showed a backup, but as the backup location it showed "backup location is not available".
9. I was frustrated, but then I just selected this backup anyway (yes... even though it said "backup location is not available").
10. And press "Next".
11. Guess what... no error!
12. A window appeared asking me if I wanted to do a full restore, or whether I wanted to select specific folders or files.
13. I selected the folders I wanted to restore and bingo... it restored them smoothly.
14. So the next time you see an error, try to continue past it... ;)
I don't know if this will help, but it does provide some information about the process (when it works and even when it does not).
I hope this helps.
Good luck!
Lorien - MCSA/MCSE/Network+/A+ - If this post solves your problem, please click the 'Mark as Answer' or 'Helpful' button at the top of this message. By marking a post as Answered, or as Helpful, you help others find the answer more quickly.
-
n00b question.
I have to renew the SSL identity certificate on my Cisco ASA 5505 soon. Will I have to renew all the certificates for the clients on their devices so that they can establish a VPN tunnel?
Hi dsartoros,
If you are renewing a self-signed (locally generated) identity certificate, then you will need to install this certificate on the clients so that they can connect without getting an "untrusted server certificate" error.
If you renew a certificate issued by a 3rd-party CA (by sending a CSR to the CA) and install the certificate, then you will not need to make any changes on the clients, as they already trust the root certification authority that issued the first certificate.
Kind regards
Dinesh Moudgil
PS Please rate helpful messages.
-
Cisco ASA IPsec site-to-site tunnel: understanding authentication using certificates
Assume that my company and another company (BBT) attempt to set up a site-to-site tunnel by using certificates. Let's say we have ASA 5520s and have agreed on a certification authority.
On my end, I do certificate enrollment using the SCEP protocol, and assume that the BBT end is set up exactly the same way.
First, I generate an RSA key pair. I'm assuming that this is my ASA's public/private key pair for encryption and decryption (please correct me if I'm wrong).
Then I set up a trustpoint for certificate enrollment (in this case it will be the Entrust CA server). I will set up my fully qualified domain name and the CRL parameters.
Then I get the CA certificate from the CA. This package contains a fingerprint of the certificate which is loaded on my ASA. Apparently the certificate fingerprint is used by the 'end' entity to authenticate the received CA certificate. Why would the end entity authenticate a CA certificate that has already been installed on it?
In other words, what does this fingerprint really do? Surely this can't be the same fingerprint that gets installed on the BBT ASA? Finally, I request and install an identity certificate. It asks for a password? I believe this is used in case I want to make changes to the certificate, such as revoking it. (Again, please correct me if I'm wrong.)
A few additional questions:
During the ISAKMP authentication phase, how does my ASA verify that the certificate the BBT ASA sent was indeed signed by the trusted certification authority? How exactly?
Must my ASA and the BBT ASA trust the same CA? In other words, must the same trustpoints be set up?
Or can I have the Entrust CA server as a trustpoint and VeriSign as well? How does the certificate authentication process work, given that the ASA receives valuable traffic through the encrypted data exchange?
A million thanks!
Hello west33637,
You can read this document to get a simple example of setting up a site-to-site VPN using certificates on an ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
I will try to separate your questions and see if I can answer them. I will speak without using the SCEP protocol because it adds a layer of complexity that can be confusing.
(Q) How can I get a certificate?
1. Generate an RSA key pair. An RSA key pair, as you indicate, has a public and a private key. The public and private keys are large numbers created by multiplying prime numbers (very simple explanation). These keys are used for encryption. The private key is kept private and never given out. The public key is provided to everyone through the certificate received from the device.
Data encrypted by the public key can only be decrypted by the private key and vice versa.
More details here: http://en.wikipedia.org/wiki/RSA
2. We create a trustpoint (a container to configure and set parameters in the certificate). In the trustpoint we associate the RSA key pair, give it a name (usually the FQDN of the server that will present this certificate), configure whether certificates that are authenticated by the trustpoint must also be checked against the CRL, etc.
3. Then we can create the CSR using the crypto ca enroll command. Now we take this CSR and provide it to Entrust. If this is done via the SCEP protocol you would have already done the next step of authenticating the trustpoint.
4. When you receive a certificate from a third party such as Entrust, they should also provide the certificate chain that allows the certificate they signed to be authenticated all the way up to the root (a self-signed certificate; the root certificate must already be trusted by most operating systems/web browsers). We want to install the chain in the ASA because the ASA does not trust any certificate by default; it has an empty certificate store.
5. On the ASA, we now install the chain provided by Entrust. Usually your identity certificate will be signed by an intermediate CA, just like the certificate of supportforums.cisco.com. The ASA trustpoint system allows one CA certificate (root or intermediate) and one ID (identity) certificate per trustpoint. So we will probably need at least one more trustpoint.
crypto ca trustpoint Entrust_ROOT
 enrollment terminal
 exit
crypto ca authenticate Entrust_ROOT
Don't forget to use trustpoint names that make sense to you and your organization. Create a trustpoint for each of the CA certificates except for the direct signer of your ID certificate. Authenticate the direct signer in the same trustpoint where you install your ID certificate.
crypto ca import <ID trustpoint> certificate
You should now have a fully usable, authenticated certificate. A PKCS12 import requires a password to decrypt the private key that is stored in the PKCS12. But if you generate your CSR on the same device on which you install the certificate, then you would not need a PKCS12 export and a password.
---
A small side note on the signature: a certificate signature (fingerprint), also known as a digital signature, is a hash of the certificate encrypted with the signer's private key. As we know, whatever is encrypted with one key can only be decrypted with the other key, and everyone who trusts the signer has the signer's public key. So when you receive the certificate, and you already trust the signer, then 1) decrypt the signature and 2) check that your own hash of the certificate matches the decrypted hash. If the decrypted hash does not match then you do not trust the certificate.
For example, you can look at the certificate for supportforums.cisco.com:
The subject is: CN = supportforums.cisco.com
The issuer (signer) is: CN = Akamai Subordinate CA 3
Akamai Subordinate CA 3 is an intermediate certification authority. It is not self-signed.
The issuer of CN = Akamai Subordinate CA 3 is CN = GTE CyberTrust Global Root
CN = GTE CyberTrust Global Root is a root certificate (self-signed).
We would like to install this entire chain in the ASA so that we can provide this certificate and chain to any device; as long as that device trusts CN = GTE CyberTrust Global Root, it should be able to verify the signatures of the intermediary and, finally, our identity certificate, and trust us.
---
Look for another post for a quick discussion about how the certificate is used in ISAKMP and IPsec.
Kind regards
Craig
-
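The signature check and chain walk Craig describes above (decrypt the signature with the signer's public key, compare with your own hash, repeat up to a CA you already hold), as an added example that is not code from the thread, from Cisco or from the ASA. It uses textbook RSA over fixed Mersenne primes and a SHA-256 digest truncated to 128 bits so that it runs on the Python standard library alone; real certificates use DER encoding, PKCS#1 padding and full-size keys, so only the mechanics carry over. The subject names are the ones from Craig's supportforums.cisco.com chain; the keys, certificates and the verifier are constructed here. It also covers the three ways the chain install in step 4 goes wrong: an empty trust store (the ASA's default), a chain with the intermediate missing, and a tampered identity certificate.

```python
"""Certificate signature check and chain walk, as described in Craig's answer.

Added example: not code from the thread, Cisco or the ASA. Textbook RSA over
fixed Mersenne primes and a SHA-256 digest truncated to 128 bits stand in for
real key sizes, DER encoding and PKCS#1 padding; only the mechanics are real.
"""
import hashlib
import json

E = 65537  # public exponent; coprime to (p-1)(q-1) for every prime pair used below


def make_key(p, q):
    """Return ((n, e), (n, d)) from two primes. Toy sizes, constructed for the example."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def cert_digest(body):
    """Hash the to-be-signed fields; 128-bit truncation keeps the value below every n used here."""
    raw = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:16], "big")


def make_cert(subject, issuer, subject_pub, signer_priv):
    """The signer 'encrypts' the hash of the body with its private key: that is the signature."""
    body = {"subject": subject, "issuer": issuer, "pub_n": subject_pub[0], "pub_e": subject_pub[1]}
    n, d = signer_priv
    return {"body": body, "sig": pow(cert_digest(body), d, n)}


def public_key_of(cert):
    return cert["body"]["pub_n"], cert["body"]["pub_e"]


def signature_valid(cert, signer_pub):
    """Steps 1 and 2 of Craig's note: 'decrypt' the signature with the signer's public
    key and compare it with our own hash of the certificate body."""
    n, e = signer_pub
    return pow(cert["sig"], e, n) == cert_digest(cert["body"])


def verify_chain(chain, trust_store):
    """chain = [identity, intermediate(s)..., root] as presented by the peer;
    trust_store = CA certificates installed locally. The ASA's store is empty by
    default (Craig's step 4), so with nothing installed every chain must fail."""
    trusted = {c["body"]["subject"]: c for c in trust_store}
    for i, cert in enumerate(chain):
        issuer = cert["body"]["issuer"]
        if issuer in trusted:
            # Verify against the installed copy of the CA, never a copy the peer supplied.
            ok = signature_valid(cert, public_key_of(trusted[issuer]))
            return ok, ("trusted" if ok else f"bad signature on {cert['body']['subject']}")
        if i + 1 == len(chain):
            return False, f"issuer {issuer} is neither in the chain nor in the trust store"
        parent = chain[i + 1]
        if parent["body"]["subject"] != issuer:
            return False, f"chain broken at {cert['body']['subject']}: next cert is {parent['body']['subject']}"
        if not signature_valid(cert, public_key_of(parent)):
            return False, f"bad signature on {cert['body']['subject']}"
    return False, "empty chain"


def demo():
    """Build the supportforums.cisco.com chain from Craig's post with constructed keys."""
    root_pub, root_priv = make_key(2**107 - 1, 2**127 - 1)
    sub_pub, sub_priv = make_key(2**61 - 1, 2**89 - 1)
    id_pub, _ = make_key(2**31 - 1, 2**61 - 1)
    root = make_cert("GTE CyberTrust Global Root", "GTE CyberTrust Global Root", root_pub, root_priv)
    sub = make_cert("Akamai Subordinate CA 3", "GTE CyberTrust Global Root", sub_pub, root_priv)
    ident = make_cert("supportforums.cisco.com", "Akamai Subordinate CA 3", id_pub, sub_priv)
    # Same signature, altered subject: the hash no longer matches what was signed.
    tampered = {"body": dict(ident["body"], subject="attacker.example"), "sig": ident["sig"]}
    return {
        "root installed": verify_chain([ident, sub, root], [root]),
        "empty store (ASA default)": verify_chain([ident, sub, root], []),
        "intermediate missing": verify_chain([ident, root], [root]),
        "tampered identity cert": verify_chain([tampered, sub, root], [root]),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:28s} {'OK  ' if ok else 'FAIL'} {why}")
```

The verifier deliberately checks a link against its own installed copy of the CA rather than the copy the peer sent; a chain that carries its own root proves nothing, which is exactly why the CA certificates have to be authenticated into a trustpoint on the ASA first.
-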
Cisco ASA 5505 and Comodo SSL certificate
Hey all,
I'm having a problem with setting up the SSL certificate part of the Cisco AnyConnect VPN. I bought the certificate and installed it via ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the 2 CA certificates under CA Certificates. I have HTTP redirecting to HTTPS and in my browser it is green.
Once the AnyConnect client installs and automatically connects I get no error or anything. The minute I disconnect and try to reconnect, I get the "Untrusted VPN Server Certificate!" message, which is not true, because the connection information is https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com.
On that note, it lists the IP address instead of vpn.mydomain.com as the untrusted part of this. Now of course I don't have the IP as part of the SSL cert, just the web address. On the DNS side, I have an A record set up pointing vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post the config if anyone needs it.
(My ASA software version is 9.0(2) and ASDM version 7.1(2))
Yes, that's correct. Technically it requires the Server Authentication EKU in the certificate, which was somewhat enforced in version 3.1. But eventually it was taken away. If you get no error using the browser and it only comes up with the AnyConnect client, most likely you do not have the values configured. I can confirm that if you can share the FQDN with me; also, you can try the upgrade and check it out.
Thank you
Bad Boy
-
Migrate certificates on Cisco ASA
Hello
I'm migrating an ASA5520 to an ASA5525-X. I'm just going through the configs and copying them across.
How can I migrate the certificates?
Thank you
If it's a certificate signed by a public PKI, not easily. You must have the server's (ASA's) private key for use on another ASA. Unless you checked "exportable" at creation time, it is not exportable by default.
You could inquire with the issuer as to whether they will re-issue if you submit a new CSR.
-
Spurious RADIUS requests from VPN clients on Cisco ASA 5510
Hello all
I use the Cisco VPN client 5.0.7 and a Cisco ASA 5510 (7.4 and 8.4.2) as the VPN remote-access solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) with AD.
Each time a client connects, the ASA issues 2 RADIUS requests: the first one is correct and is successfully authenticated by ACS, and immediately afterwards a second one that always fails. I couldn't find any information related to this strange behaviour. The "Double Authentication" function (more appropriate to its name) is only available to AnyConnect clients, which we do not use. When I authenticate using the group password, there is only one RADIUS query.
What is the source of such behaviour?
The negative impact is that my logs are filled with the spurious failed authentication attempts and users are incrementing the failed-attempts counter in AD.
ASA-side RADIUS debug:
-First request-
RDS 2011-10-24 16:16:01 0232 14884 Request from host 172.16.8.1:1645 code=1, id=22, length=145 on port 1025
RDS 2011-10-24 16:16:01 I 2519 14884 [001] User-Name value: User1
RDS 2011-10-24 16:16:01 I 2519 14884 [002] User-Password value: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5
RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value: -1072693248
RDS 2011-10-24 16:16:01 I 2538 14884 [006] Service-Type value: 2
RDS 2011-10-24 16:16:01 I 2538 14884 [007] Framed-Protocol value: 1
RDS 2011-10-24 16:16:01 I 2519 14884 [030] Called-Station-Id value: 172.16.8.1
RDS 2011-10-24 16:16:01 I 2519 14884 [031] Calling-Station-Id value: 10.4.14.14
RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5
RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14
RDS 2011-10-24 16:16:01 I 2556 14884 [004] NAS-IP-Address value: 172.16.8.1
RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source-ip=10.4.14.14
RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: Running configured extension points...
RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: Asking provider [Cisco Generic EAP] [AuthenticationExtension]
RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [Generic EAP] no EAP-Message, ignoring...
RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: Asking provider [Cisco Downloadable ACLs] [AuthenticationExtension]
RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] not requesting an ACL download, ignoring...
RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll->AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 I 0475 14884 AuthorExtensionPoint: Running configured extension points...
RDS 2011-10-24 16:16:02 I 0507 14884 AuthorExtensionPoint: Asking provider [Cisco Downloadable ACLs] [AuthorisationExtension]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Looking for ACLs from [DnldACLs] for [user1]
RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll->AuthorisationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 3360 14884 Sent response code 2, id 22 to 172.16.8.1 on port 1025
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr-pool=vpnpool
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins-servers=10.2.9.12 10.3.9.10 10.4.2.202
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:dns-servers=10.2.9.12 10.3.9.10 10.4.2.202
RDS 2011-10-24 16:16:02 I 2538 14884 [006] Service-Type value: 2
RDS 2011-10-24 16:16:02 I 2538 14884 [007] Framed-Protocol value: 1
RDS 2011-10-24 16:16:02 I 2538 14884 [013] Framed-Compression value: 1
RDS 2011-10-24 16:16:02 I 2556 14884 [008] Framed-IP-Address value: 255.255.255.254
RDS 2011-10-24 16:16:02 I 2519 14884 [025] Class value: CISCOACS:002cb2a9/ac100801/3222274048
-The second request-
RDS 2011-10-24 16:16:02 0232 14884 Request from host 172.16.8.1:1645 code=1, id=23, length=145 on port 1025
RDS 2011-10-24 16:16:02 I 2519 14884 [001] User-Name value: User1
RDS 2011-10-24 16:16:02 I 2519 14884 [002] User-Password value: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1B 48 96
RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value: -1072693248
RDS 2011-10-24 16:16:02 I 2538 14884 [006] Service-Type value: 2
RDS 2011-10-24 16:16:02 I 2538 14884 [007] Framed-Protocol value: 1
RDS 2011-10-24 16:16:02 I 2519 14884 [030] Called-Station-Id value: 172.16.8.1
RDS 2011-10-24 16:16:02 I 2519 14884 [031] Calling-Station-Id value: 10.4.14.14
RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5
RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14
RDS 2011-10-24 16:16:02 I 2556 14884 [004] NAS-IP-Address value: 172.16.8.1
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source-ip=10.4.14.14
RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: Running configured extension points...
RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: Asking provider [Cisco Generic EAP] [AuthenticationExtension]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [Generic EAP] no EAP-Message, ignoring...
RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: Asking provider [Cisco Downloadable ACLs] [AuthenticationExtension]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] not requesting an ACL download, ignoring...
RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll->AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 P 2237 14884 User: User1 - Windows user unknown or invalid password
RDS 2011-10-24 16:16:02 3360 14884 Sent response code 3, id 23 to 172.16.8.1 on port 1025
RDS 2011-10-24 16:16:02 I 2519 14884 [018] Reply-Message value: Rejected...
RDS 2011-10-24 16:16:03 0232 14884 Request from host 10.2.47.200:1812 code=1, id=254, length=227 on port 32769
RDS 2011-10-24 16:16:03 2788 14884 (Unknown Vendor ID 14179 in VSA)
ACS debug:
-First request-
AUTH 24/10/2011 16:16:01 I 0365 13060 External DB [NTAuthenDLL.dll]: Starting authentication for user [user01]
AUTH 24/10/2011 16:16:01 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by DCCORPMSK04)
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Getting RAS info for user user1 from DCCORPMSK04
-The second request-
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Starting authentication for user [user1]
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 24/10/2011 16:16:02 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326L)
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Retrying authentication against the CORP domain
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 24/10/2011 16:16:02 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326L)
The ASA config:
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 ipsec-over-tcp port 10000
 lifetime 86400
crypto ikev1 policy 65535
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
group-policy Cert_auth internal
group-policy Cert_auth attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value aclVPN2
 address-pools value vpnpool
 client-access-rule none
!
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) vpnpool
 address-pool vpnpool
 authentication-server-group RADIUS01
 authorization-server-group RADIUS01
 authorization-server-group (inside) RADIUS01
 default-group-policy Cert_auth
!
aaa-server RADIUS01 protocol radius
aaa-server RADIUS01 (inside) host 10.2.9.224
 key *****
 radius-common-pw *****
aaa-server RADIUS01 (inside) host 10.4.2.223
 key *****
Hello
It is a "classic" error and has nothing to do with dual authentication, but rather with the fact that you do both RADIUS authentication and RADIUS authorization.
If you remove this line:
authorization-server-group RADIUS01
you will see that it starts to work properly.
In short: when the ASA does RADIUS authorization, it sends a RADIUS Access-Request with the username as the password; that's why you see the second request fail all the time.
This is because RADIUS authorization is intended to be used when authentication happens using certificates (only), so there is no password.
Also note that within the RADIUS protocol, authentication and authorization are not separate things; both occur in a single step. So if the ASA does RADIUS authentication, it already gets the user attributes in the authentication step and it makes no sense to also do a separate authorization step (except in a few very rare scenarios where you have 2 RADIUS servers, one for authentication and another for authorization).
HTH
Herbert
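The packet Herbert describes, as an added example that is not code from the thread, from Cisco or from ACS: a RADIUS Access-Request builder and parser with the RFC 2865 User-Password hiding, plus a check that tells an ASA authorization-only request (User-Password equal to User-Name) apart from a genuine failed login. The shared secret, identifiers and sample requests are constructed here. The `common_pw` parameter is an assumption for the case where radius-common-pw (present in the posted config) is configured, in which case that value rather than the username would be carried as the password.

```python
"""RADIUS Access-Request builder/parser for the behaviour Herbert describes.

Added example: not code from the thread, Cisco or ACS. Packet layout and the
User-Password hiding follow RFC 2865 (sections 3 and 5.2); the shared secret,
identifiers and sample requests are constructed for the example.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; anyone holding the shared secret can do this, which is
    why the attribute is only 'hidden', not encrypted in any modern sense."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(secret, ident, username, password, nas_ip):
    """Code 1 packet with a fresh random Request Authenticator, as RFC 2865 requires."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = data[pos], data[pos + 1]
        attrs[kind] = data[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}


def is_authorization_only_request(data, secret, common_pw=None):
    """True when the request carries the User-Name (or, by assumption, a configured
    radius-common-pw) as its User-Password: the ASA authorization request Herbert
    describes, which a server doing password authentication rejects every time.
    Needs the shared secret, so run it server-side or on a capture with the secret in hand."""
    pkt = parse_packet(data)
    user, hidden = pkt["attrs"].get(USER_NAME), pkt["attrs"].get(USER_PASSWORD)
    if pkt["code"] != ACCESS_REQUEST or user is None or hidden is None:
        return False
    expected = common_pw.encode() if common_pw else user
    return reveal_password(secret, pkt["authenticator"], hidden) == expected


def demo():
    """Two requests for User1 like the pair in the posted log: a real login and the
    follow-up authorization request. Secret and password are constructed for the example."""
    secret = b"asa-radius-secret"
    login = build_access_request(secret, 22, "User1", "hunter2", "172.16.8.1")
    authz = build_access_request(secret, 23, "User1", "User1", "172.16.8.1")
    parsed = parse_packet(login)
    return {
        "login flagged": is_authorization_only_request(login, secret),
        "authz flagged": is_authorization_only_request(authz, secret),
        "authz, wrong secret": is_authorization_only_request(authz, b"not-the-secret"),
        "login password round-trips":
            reveal_password(secret, parsed["authenticator"], parsed["attrs"][USER_PASSWORD]) == b"hunter2",
    }


if __name__ == "__main__":
    for case, flagged in demo().items():
        print(f"{case:28s} {flagged}")
```

Because the check decrypts the User-Password attribute, it only works with the shared secret; without it the two requests in the log are indistinguishable on the wire, which is why the failed attempt shows up in AD as an ordinary bad-password event.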
-
I'm trying to use Import and Backup / Restore / Choose File... after backing up correctly, and I can see the file, but it has no JSON extension. What can I do?
I backed up my bookmarks using "Import and Backup / Backup" onto an external HD, installed Windows 10 and went to restore my bookmarks, and noticed the file named "Firefox bookmarks-2015-09-04" had no extension and does not work.
Please advise! Thank you! Sincerely, s
If you add the .json extension, does it work then? Why do the people who design browsers or extensions create files with no extension, even though these extensions are essential to make the files restorable? I could never understand that.
-
Backup/restore with Time Machine: not enough space
Hi all, I am a tech neophyte, so forgive me if I'm not clear. I will try to explain the problem as best I can:
I have an old MacBook from 2009 running Mountain Lion. A few months ago, my brother gave me his old Pro and so my 2009 MacBook fell by the wayside. I used an external hard drive with that old computer as my Time Machine backup, but as I tried to transfer a lot of documents and photos, update Dropbox, download photos from Google and figure out each of these things as I went along, I totally messed up the MacBook. Just... things are weird... nothing is where it used to be and my photos were gone, and yes, much of this is probably down to me trying to understand a bunch of new programs at once, BUT what I want to do is restore it to the way it was using a Time Machine backup.
So, I googled around and I know that when I start it up I'm supposed to press Ctrl + R and choose the backup that I want, but when it gets to the part where I select a destination and click the only option (the Mac HD), an error message appears with a yellow flag saying "this disk does not have enough space to restore your system".
Now, I don't really know what that means, but what I want to do is get rid of the way this computer currently is completely and put it back to the way it was when I did the last Time Machine backup.
Someone help me please... this stuff is so frustrating when I can't figure it out for myself and I am sure that there is an easy solution. I read a lot about partitions etc. but I don't even know what all of this means.
Thank you in advance!
Alexandria
Boot into Recovery now: Command + R at startup. Choose Disk Utility and erase the boot volume; it should be named Macintosh HD unless you renamed it. When the erase is done, quit Disk Utility and choose to restore from your Time Machine backup. OS X: About OS X Recovery - Apple Support
-
I have an Acer Aspire One 532H netbook. Can I do a system backup/restore through eRecovery without any extra Windows 7 utility for Acer recovery? If I need such software, how can I get it? My netbook did not come with any recovery utility/program when I bought it. I need a response as soon as POSSIBLE; my netbook is dying, with longer and longer startup times.
Good day
You must back up your data to an external hard disk, etc. To reload your machine to factory state, click Start, All Programs, Acer eRecovery Management, Restore, and completely restore to factory settings.
Kind regards
FReeZA
-
Change the backup/restore disk
Can I change which disk my backup/restore points to? It uses my external drive now even though I didn't set it that way. I have a laptop and cannot guarantee that the external drive is or stays connected.
Hi RJHinSA,
You can do that. Here is guidance on how to change the location.
If you need more information, simply open Help and Support and type "how to make a backup".
Change where you save your files
When you configure your computer to automatically back up files, you specify a location where the files will be stored. You can change this location if you run out of space in the current location or if you want to change the type of storage location (for example, a DVD, a hard disk on your computer or a shared folder on another computer on a network).
Click to open Backup and Restore Center.
Click Change settings.
Click Change backup settings and follow the steps in the wizard. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
Matt Hudson
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.