Cisco ASA 55xx. Backup/restore an external certificate signed with ASDM

I have a Cisco ASA 5510, which is used for our VPN. It has an externally signed certs from Digicert. I replace the 5510 with a Cisco 5545 and wondered with ASDM can I save the cert of the 5510 and give the 5545. Or should I get an another reissued certs from Digicert and install from scratch. Is there something to look out for that set games with public/private keys, etc. Please let me know.

You guessed it right, Edwin

As long as you want just to maintain the certificate configuration, it is what you need to.
Make sure that you install the root and root under new ASA certificate as well as one can extract this PKCS12 certificate.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Tags: Cisco Security

Similar Questions

  • Cisco ASA 55XX Transparent mode through a VLAN

    Hello team Cisco Forum!

    In a scenario where the Cisco ASA is in Transparent mode, it is possible to route the traffic of L2 other VLAN different that the VLAN native IP for the firewall management lies?

    Switches on the outside and the inside of the interfaces of the SAA are in trunk mode, and I'm moving ttraffic VLAN L2 from inside to outside and vice versa by using filters on switches (switchport trunk allowed vlan).

    Thank you in advanced for your support and comments!

    Yes it is possible, but you will be limited to 8 VLAN, or more precisely, 8 interfaces BVI so it's not a scalable solution.  The problem is that you will need to have different VLANS to the same subnet at both ends of the SAA.

    To clarify this point, lets say, you use the interface Gig0/1 and Gig0/2.  Gig0/1, you would set up subinterfaces with VLAN 2, 3 and 4.  Now, if you try to configure the same VLAN on Gig0/2, you will get an error saying something like this VLAN is already configured on another interface. I don't remember the exact error.

    So to get this working, you need to configure Gig0/2 with subinterfaces for VLAN... lets say... 5, 6 and 7.  you would then associate VLAN 2 and 5 with BVI 1, VLAN 3 and 6 with 2 Virgin Islands British and VLAN 4 and 7 with 3 British Virgin Islands.  Each interface BVI would have its own IP address for the subnet on which is to be filled in all of the ASA.

    --

    Please do not forget to select a correct answer and rate useful posts

  • Cisco ASA 8.0.4 AnyConnect works do not with Vista and IE7

    Hello

    I currently have a Cisco ASA 5520 with the latest version of the Software ASA/AMPS/Anyconnect. However I can't get Vista and IE7 to connect using the free client anyconnect VPN error message following appears

    "Setup could not start the Cisco VPN Client".

    Is there a workaround for this.

    Thanks in advance

    Eoin

    I'm glad you got it working :)

    Please evaluate the positions if find you them useful.

    Concerning

    Farrukh

  • Can I save/backup/restore my entire macbook system with iCloud?

    As above.

    I just bought PC World/Currys know-how, that is to say, their version of the cloud.  I don't like.

    Apparently, it allows that a restore if my macbook pops up, stolen etc.  iCloud should not cost much more.  I suspect iCloud would work better with my mac.  But, I can do as I ask above, IE, my mac restore everything from iCloud?

    Know-how is all just too confusing.  I can not even find were my photos are, and too many files have a big '?' by them.

    Thank you.

    No.... iCloud is no way to predict a backup everything on your Mac. This, to an external drive using the Time Machine application in your Applications folder.

  • Cisco ASA - ASDM will not launch (Please wait while the certificate information to be retrieved)

    I have a problem with a Cisco ASA 5505. ASA 9.0 (3) / ASDM 7.4 (1).

    I did a factory reset, format flash, all copied from tftp.

    Config copied from another SAA. Subsequently changed the host name entries.

    connect host name

    Crypto ca trustpoint ASDM_TrustPoint0
    name of the object CN =connect
    Crypto ca trustpoint ASDM_TrustPoint1
    name of the object CN =connect

    ASA works very well and the home tabs & follow-up in the works of the ASDM, but I'm not able to work on the configuration using ASDM :(

    When I go to the Configuration tab, I get this message (which remains forever):

    Please wait while the certificate information to be retrieved

    I tried a 'webvpn all come back' and backup/reloading. Did not help.

    Error message and flash content - see photo attached.

    Suggestions are greatly appreciated.

    ARO

    Nils

    HI Nils,

    Please use the asdm 7.4.2 who has a lot of bugs.

    Thank you

    VR

  • Restore the backup to an external hard drive

    original title: if I reinstall my Vista, how to make the backup on an external hard drive? Is it a procedure drag-and - déposer? I use a Seagate external hard drive and there is no help section.

    Have run the back up to the external hard drive, I would like to know how to use it when I reinstall Vista Home Premium system.

    Also, I tried to check the hard disk for errors, and he has not finished the event.

    Assuming that you used the backup of Vista and made program a full backup and not an image backup (although some of these procedures include the restoration of a full image backup), here is some information to help you restore data.  Try to read or at least most of the analytical documents before you start, so you get a good understanding of the process and the procedures involved.  Restoring from an external hard drive is a little different from restoring a secondary internal hard drive, CD/DVD or Flash drive or on the network (although quite close to the procedure of network). If you have used the Vista backup program, you can not restore using drag-and-drop - you must use Vista restore program.

    Here is an article on the restore procedure:http://www.vista4beginners.com/How-to-restore-files to make sure you do this right.  It's a selective restore of a full or selective backup (not a full restore from a full backup) - but since you did a full backup, it matches your process more closely than would a full restore.

    This is a GREAT article on the backup and restore processes in Vista http://technet.microsoft.com/en-us/magazine/2007.09.backup.aspx , but he won't go into detail about the restoration process - considering almost as easy, of course.  But it teaches you a lot about what is possible and how to do it.  It also focuses primarily on the full backup process, but he did mention the full backup and restore process as well.

    Here is an article on the advanced use of restoration (during normal restore does not work):http://www.mayankraichura.com/post/2009/08/06/Avdvanced-Restore-via-Windows-Vista-Backup-and-Restore-Center.aspx.

    Restore files from a backup
    http://Windows.Microsoft.com/en-us/Windows-Vista/restore-files-from-a-backup

    Back up and restore: frequently asked questions
    http://Windows.Microsoft.com/en-us/Windows-Vista/back-up-and-restore-frequently-asked-questions

    I also found the following (but don't know if it of true or not):

    1. after the start of "backup and Restore Center."

    2. I chose "Advanced Restore"

    3. I was did not an administrator password... maybe because my account is an administrator account.

    4 choose "files from a backup made on a different computer.

    5. in the dialog box indicating "Select the location of the backup to restore", select "hard drive, CD or DVD...". »

    6. under the drop-down list box, select your drive/partition and continue

    7. If all the backups on your drive, it will show a list of them.

    8. in my case, he showed a backup, but in the backup location, it will show "backup location is not available."

    9. I was frustrated, but then I somehow just select this backup (Yes... even if he said that thebackup location is not available " ")

    10. and you press "next".

    11 guess what... no error!

    12. a window appeared asking me if I wanted to do a full restore, or I want to select specific folders or files.

    13. I selected the folders I wanted to restore and bingo... it their restored smoothly.

    14. so that the next time see a mistake, try to continue with him... ;)

    I don't know if this will help, but it does not provide much information about the process (when it works and even when it does not).

    I hope this helps.

    Good luck!

    Lorien - MCSA/MCSE/network + / has + - if this post solves your problem, please click the 'Mark as answer' or 'Useful' button at the top of this message. Marking a post as answer, or relatively useful, you help others find the answer more quickly.

  • Renew the certificate of identity on Cisco ASA 5505, do I have to renew all user certificates?

    n00b questions.

    I have to renew my SSL certificate of identity soon on my Cisco ASA 5505.  I'll have to renew all my certificates for client on their devices, so they can establish a vpn tunnel?

    Hi dsartoros,

    If you encounter a self signed (generated locally) identity certificate renewed, then you will need to download this certificate on the clients so that they can connect without getting "untrusted server certificate error".

    If you renew a certificate issued by a 3rd party CA (sending of CSR to CA) and certificate, then you will not need to make any changes on the client as they already trust the certification authority that issues the certificate first root.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Cisco ASA IPSEC from the understanding of a site to tunnel auth using certificates

    assuming that my company and another company (BBT) attempt to set up a tunnel to a site by using certificates. lets say we have asa 5520 s and have agreed to use says that our certification authority.

    On my end, I do registration certificate using SCEP Protocol and suggests that the end BBT is set up exactly the same way.

    First, I generate a pair of keys RSA - Im assuming that it is key to my ASA public private for the encryption and decryption-(pls correct me if wrong Im)

    Then I set up a trustpoint to registration certificate (in this case, it will be Server CA Entrust). I will set up my full domain name and the parameters of CRL.

    Then, I get a certificate of the AC CA. This package contains a fingerprint of the certificate which is loaded on my ASA. apparently - the fingerprint of the certificate is used by the 'end' entity to authenticate the received CA certificate. Why would the final entity to authenticate a CA certificate that has already been installed on this subject?
    In other words, what really does this print? Surely this cant be the same footprint that GETS installed on the BBT ASA?

    Finally, I request and install a certificate of identity. It asks for a password? I believe that it is used in case I want to make changes to the certificate, such as the revocation of the certificate. (Once again, please correct me if wrong Im)

    a few additional questions

    during the phase of authentication isakmp how my asa verifies that the certificate that the ASA BBT sent was indeed signed by the certification authority approved. How exactly?

    My ASA and ASA BBT must trust the same CA. In other words, it must be set up the same trustpoints?
    or can I have to entrust CA server as a trustpoint and verisign?

    How the certificate authentication process works since the ASA receives valuable traffic through the exchange of encrypted data?

    1 million thanks!

    Hello west33637,

    You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

    I would try to separate your questions and see if I can answer.  I will speak without using the SCEP Protocol because it adds a layer of complexity that can be confusing.

    (Q) Comment can I get a certificate?

    1 generate a RSA key pair.  A pair of RSA keys as you indicate has a public and private key.  Public and private keys are large number created by multiplying the other prime number (very simple explanation).  These keys are used for encryption simple control.  The private key is kept private and never awarded.  The public key is provided for everyone through the certificate received from the device.

    Data encrypted by the public key can only be decrypted by the private key and vice versa.

    more details here: http://en.wikipedia.org/wiki/RSA

    2. we create a trustpoint (container to configure and set parameters in the certificate).  In the trustpoint that we associate the RSA key pair, give a name (usually the FQDN of the server that will present this certificate), configure if certificates that are authenticated by the trustpoint must also be checked in the LCR... etc.

    3. then we can create CSR using the crypto ca enroll command.  Now, we take this REA and provide it to Entrust.  If this is done via the SCEP protocol you would have already done the next step of the authentication of the trustpoint.

    4. When you receive a certificate from a third party, such as Entrust, they should also provide the certificate chain that allows the authentication of the certificate that they have signed all the way upward at the root (self-signed certificate server, the certificate must already be approved by most of the systems of operation/web-browsers).  We want to install the string in the ASA because the ASA does not trust any certificate by default, it has an empty certificate store.

    5. on the SAA, we now install the string provided by Entrust.  Usually your identification certificate will be signed by an intermediate CA, just like the certificate of supportforums.cisco.com.  Trustpoint ASA system for a CA (root or intermediate) and an ID (identity) by trustpoint.  So we will probably have at least a trustpoint more.

    Crypto ca trustpoint Entrust_ROOT

    Terminal registration

    output

    authenticate the crypto ca trustpoint Entrust_ROOT

    Don't forget to use trustpoint names who will lead them to you and your organization.  Create a trustpoint for each of the CA certificates except for the signer of the certificate direct to your ID.  Authenticate the signer directly in the trustpoint even where you install your certificate ID.

    the import of crypto ca trustpoint ID certificate.

    You should now have a fully usable authenticated certificate.  PKCS12 import require a certificate to decrypt the private key that is stored in a PKCS12.  But if you generate your CSR on the same device that when you install the certificate, then it would not need to export PKCS12 and a password.

    ---

    A small side is not on the signature, a signature of certificate (fingerprint), also known as the name of a digital signature is a hash of the certificate encrypted with the signer's private key.  As we know, whatever it is encrypted with a key only can be decrypted by the public key... all those who approves the signer's public key.  So when you receive the certificate, and you already trust the signer, then 1) to decrypt the signature and 2) check that your certificate hash table corresponds to the decrypted hash... If the decrypted hash does not match then you do not trust the certificate.

    For example, you can watch the certificate for supportforums.cisco.com,

    The topic is: CN = supportforums.cisco.com

    The subject of sender (signatory) is CN = Akamai subordinate CA 3

    Akamai subordinate CA 3 is an intermediate certification authority.  It is not self-signed

    CN = Akamai subordinate CA 3 issuer is CN = GTE CyberTrust Global Root

    CN = GTE CyberTrust Global Root is a certificate root (Self signed).

    We would like to install this entire chain in the ASA so that we can provide this certificate and chain to any device and safely as long as this device trusts CN = GTE CyberTrust Global Root, then it should be able to verify the signatures of the intermediary and, finally, our certificate of identity of us trust.

    ---

    Looking for another post to do a quick discussion about how the certificate is used in ISAKMP and IPSec.

    Kind regards
    Craig

  • Cisco ASA 5505 and comodo SSL certificate

    Hey all,.

    I'm having a problem with setting up the piece of Certificate SSL of Cisco AnyConnect VPN. I bought the certificate and installed it via the ASDM under Configuration > VPN remote access > Certificate Management > identity certificates. I also placed the piece of 2 CA under the CA certificates. I have http redirect to https and under my browser, it is green.

    Once the AnyConnect client installs and automatically connect I get no error or anything. The minute I disconnect and try to reconnect again, I get the "VPN Server untrusted certificates! ' which is not true because the connection information to be https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com.

    On that note, it lists the IP address instead of the vpn.mydomain.com as the unreliable piece of this. Now of course I don't have the IP as part of the SSL-cert, just the web address. On the side of the web, I have a record A Setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.

    What I'm missing here? I can post config if anyone needs.

    (My Version of the Software ASA is 9.0 (2) and ASDM Version 7.1 (2))

    Yes that's correct. technically, it will take you to EKU as keys to authenticate server who was a little forced in version 3.1. But eventually, he was taken away. If you get no error using the browser and ot only comes with the anyconnect client. Most likely, you do not have to configured values. I can confirm that if you can share the fqdn with me also, you can try the upgrade and check it out.

    Thank you

    Bad Boy

  • Migrate certificates on Cisco ASA

    Hello

    I'm migrating an ASA5520 to an ASA5525-x. I'm just going through the configs and copy the bias.

    How can I migrate on certificates?

    Thank you

    If it's a public certificate signed PKI, not easily. You must have the private key of the server (ASA) for use on an another ASA. Unless you checked exportable at creation time, it is not exportable by default.

    You could inform you as to whether the issuer will be re-edited if you submit a new CSR.

  • False claims RADIUS of customer VPN Cisco ASA 5510

    Hello world

    I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.

    Each time, when the client connects, ASA 2 RADIUS requests questions, correct first - which is successfully authenticated by FAC and immediately - second that always fails. I couldn't find information related to this strange behaivor. Function "Double Authentication" (more sympathetic to his name) is only accessible to Anyconnect customers who we do not. When I'm authenicated by using password group, there is only one query RADIUS.

    What is the source of such behavior?

    The negative impact is that my logs are filled with the failed authentication attempts fallacious and users are incrementig attempts failed in the AD meter.

    Debugging of ASA:

    -First application-

    RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

    RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

    RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

    RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

    RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

    RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

    -The second request-

    RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

    RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

    RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

    RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

    GBA debug:

    -First application-

    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

    -The second request-
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

    The ASA config:

    Crypto ikev1 allow outside
    Crypto ikev1 allow inside
    IKEv1 crypto ipsec-over-tcp port 10000
    life 86400
    IKEv1 crypto policy 65535
    authentication rsa - sig
    3des encryption
    md5 hash
    Group 2
    life 86400

    !

    internal Cert_auth group strategy
    attributes of Group Policy Cert_auth
    client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list aclVPN2
    the address value vpnpool pools
    rule of access-client-none

    !

    attributes global-tunnel-group DefaultRAGroup
    address (inside) vpnpool pool
    address vpnpool pool
    authentication-server-group RADIUS01
    authorization-server-group RADIUS01
    authorization-server-group (inside) RADIUS01
    Group Policy - by default-Cert_auth

    !

    RADIUS protocol AAA-server RADIUS01
    AAA-server host 10.2.9.224 RADIUS01 (inside)
    key *.
    RADIUS-common-pw *.
    AAA-server host 10.4.2.223 RADIUS01 (inside)
    key *.

    Hello

    It is a 'classic' error and has nothing to do with dual authentication, but rather with the fact that you do both radius and authorization of RADIUS authentication.

    If you remove this line:

    authorization-server-group RADIUS01

    you will see that it starts to work properly

    In short: when ASA no authorization of RADIUS, it sends a request to access radius with the username as a password, that's why you see the second application fails all the time.

    This is because the RADIUS authorization is intended to be used when authentication happens using certificates (only) so there is no password.

    Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA makes the radius authentication, he already gets the user attributes in the authentication step and it makes no sense to also make a separate authorization stage (except in a few very rare scenario where you have 2 radius servers, one for authentication and another for permission).

    HTH

    Herbert

  • I'm trying to import and backup/restore/Choose file... / after backup correctly and I see the file, but there is no JSON extension. What can I do?

    I'm trying to import and backup/restore/Choose file... / after backup correctly and I see the file, but there is no JSON extension. What can I do?

    I backed up my favorites using 'import and backup/Backup' on an external HD, installed Windows 10 and went to restore my bookmarks and noticed the file named "Firefox bookmarks-2015-09-04"had no extension and does not work."

    Please advise! Thank you! Sincerely, s

    If you add the .json extension, it works then? Why people who design browsers or extensions them do create files with no extension name, in spite that these extension names are essential to make the files can be restored? I could never understand that.

  • Backup Restore Time Machine: not enough space

    Hi all, I am a neophyte tech so forgive me if I'm not clear. I will try to explain the problem as best I can:

    I have an old MacBook 2009 running Mountain Lion. A few months ago, my brother gave me his old Pro and so my MacBook 2009 fell by the wayside. I used an external hard drive with that old computer as my backup time machine, but as I tried to transfer a lot of documents and photos and update of dropbox and download photos of google and to understand each of these things as I went along, I totally messed up the MacBook. Just... things are weird... nothing was, where it used to be and my photos were gone and Yes, much of this is probably down to me trying to understand a bunch of new programs at once, BUT what I want to do is to restore it to the way it was using a time machine backup.

    So, I googled around and I know when I start it up until I'm supposed to press Ctrl + R and choose the backup that I want, but when it gets to the part where I select a destination and click the only option (the Mac HD), an error message appears with a yellow flag saying "this disc is not enough space to restore your system.

    Now, I don't really know what that means, but what I want to do is to get rid of the current way, this computer is completely and attach it to the way it was when I did the last Time Machine backup.

    Someone help me please... this stuff is so frustrating when I can't figure it out for me and I am sure that there is an easy solution. I read a lot about partitions etc. but I don't know what all of this means that even.

    Thank you in advance!

    Alexandria

    Boot into Recovery now command + R to start. Choose disk utility and erase the boot volume, it should be named Macintosh HD, unless you renamed it. When the erase is quit disk utility and choose to restore from your Time Machine backup. OS X: on OS X Recovery - Apple Support

  • I could do a system backup/restore through the eRecovery without any additional software utility?

    I have an Acer Aspire One 532 H Netbook. I could do a system backup/restore through the eRecovery without any extra utility of Windows 7 to Acer recovery? If I have such software, how can I get it? Because my netbook not came with any utility recovery/program when I bought it. Need to respond as soon as POSSIBLE, my netbook is dying with the longer startup time and more.

    Nice day

    You must back up your data to an external HARD disk, etc. To reload your factory machine, click Start, all programs, acer erecovery management, restoration and completely restore the factory settings.

    Kind regards

    FReeZA

  • change the backup/restore disc

    can I change this disk will my backup/restore point to? He uses my external drive now even if I didn't change it. I have a laptop & cannot bet that the external drive connects or is connected.

    HI RJHinSA,
    You can go there. This is guidance on how to change to the high places.
    If you need more information, simply open help, support and type "how to make the backup.
    Change when you save your files

    When you configure your computer to automatically back up files, you specify a location where the files will be stored. You can change this location if you run out of space in the current location or you want to change the type of storage location (for example, a DVD, a hard disk on your computer or a shared folder on another computer on a network).

    1. Click to open the backup center and restoration.

    2. Click on change settings.

    3. Click on modify backup settings and follow the steps in the wizard. If you are prompted for an administrator password or a confirmation, type the password or provide confirmation.

    Matt Hudson
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

Maybe you are looking for