DMVPN based on certificates

Similar Questions

• AnyConnect: User based authentication certificate filtering Configuration

  Hello colleagues in the network.

  recently I needed to configure AnyConnect SSL VPN with certificate authentication to meet the needs of connection at the request of the features of Cisco Jabber.

  Everything is ok, but I need to filter users based on their personal certificate information. For example - all those who have a personal certificate from our CA can now access this VPN. I want to set the users by e-mail of the certificate and only these users are granted access.

  I used this command:

  WebVPN

  allow outside

  AnyConnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1

  AnyConnect enable

  tunnel-group-list activate

  Certificate-Group-map Cert - filter 10 company-Jabber

  map of encryption ca Cert certificate - filter 10

  name of the object attr eq ea [email protected] / * /

  The problem is that I have to go can visit his profile - if I change [email protected] / * / to

  On the AnyConnect client - I connect to the GroupURL of the connection profile Company-Jabber

  Hi Alexandre

  There are several ways to approach this and this depends somewhat on the rest of the config, for example if you have other groups of tunnel etc..

  I guess the easiest way (if it does not interfere with the rest of your configuration) is to add something like this:

  crypto ca certificate map Cert-Filter 65535 subject-name ne ""

  This would attract all users/certificates does not not from your previous rules.

  Under webvpn you map these users to another tunnel-group (connection profile):

  certificate-group-map Cert-Filter 65535 NoAccess

  And configure the NoAccess group so that access is denied (for example, by setting simultaneous connections to 0 in the corresponding Group Policy).

  Other means would be to use DAP (dynamic access policies) to pretty much the same as the certmap, or permission to LDAP (for example retrieves the user name for the certificate, then perform an LDAP search to see if the user is allowed to use the VPN - in this scenario, there is no need to list all the users on the ASA but for example you need to create a new group on your LDAP server that contains all VPN users).

  Let me know if you want to go further in the foregoing

  see you soon

  Herbert

• ISE-based certificate authentication

  Hello

  I am developing an understanding of certificate based authentication using EAP - TLS on the ISE. My question is do we really certificate authentication profile (CAP) even if it is enough just to perform certificate-based authentication and we don't are not interested in setting up authorization rules based on which field of the certificate was specified as username in the CAP. I'm asking this because I think that probably in certificate based authentication, ISE has just need to check the validity of the certificate and if it was signed by a certification authority that it can check by looking in the certificate store. Please let me know if I have the wrong concept.

  I am curious to know what the whole purpose of CAP? I read in a book that:

  To validate the identity ISE must ensure that the credentials are valid. In the case of authentication based on certificates, it must determine if:

  The digital certificate was issued and signed by a certification authority (CA).

  The certificate has expired (check the dates of the beginning and end).

  The certificate has been revoked.

  The customer has provided evidence of possession.

  This certificate has the correct use of the key, the critical extensions and extended values present key usage.

  So in above listed points where is used specifically for CAP?

  Thank you for taking the time to answer.

  Kind regards

  Quesnel

  Hi, Quesnel, I'll try to answer your points as best I know :)

  #1) I don't really know what the mechanics of ISE are when it comes to the CAP. It is however a snip-it of the Cisco Design Guide:

  S certificate of authentication profiles (CAP) are used in the rules of authentication for authentication based on certificates. The CAP sets certain attributes in the certificate to find out & use as a source of additional identity. For example, if the username is in the CN = field of the certificate, you can create a COURSE that examines the CN = field. Then these data can be used and verified against other sources of identity, such as Active Directory

  http://www.Cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_60_byod_certificates.PDF

  (#2), you should be able to set a COURSE and use it as a storage of identity without the need to put in a sequence. I've done several times and just re - confirm is it possible in my lab. Please check again :)

  (#3) une sequence of identity store lets examine you more than one identity store. In addition, it defines defines the order in which the Sources of identity are questioned. Once a match is found, the process stops and the information returned to ISE.

  Thank you for evaluating useful messages!

• DMVPN with digital ceritificates and Hub acts as a CA server

  Hello guys,.

  is there anyway to configure the DMVPN with digital certificates and change the router Hub to act as a CA server?

  Thank you

  Yes, you can do it, go ahead and set up your router, Hub, with the normal DMVPN configuration so that it becomes the hub. After doing that follow the link below to add public key infrastructure server features:

  http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gt_ioscs.html

  And to register for the rays on the hub, use this link:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080210cdc.shtml

  Remember that regardless of the router Hub being the authority of CA, you must sign up for itself to allow the IKE PKI authentication.

• Certificate PRSM

  Hello

  I need to put a certificate on my virtual device PRSM and I can work on how do cert must be my existing service PKI certificate Microsoft deployment.

  The only options I get are (on the administration > server certificates page)

  Browse certificate (PEM format only)

  Browse key (PEM format only)

  I know what means PEM format, I can generate a web server of service cert certificate, but a key? Has anyone actually done this?

  Kind regards

  Pete

  Pete,

  You should only use openssl to generate the key and CSR. It is only since that Cisco has not built this capability in PRSM itself (beyond, the cert self-signed using a self-generated key creates automatically using Linux (and I guess than openssl) under the covers that you do not have shell access). Then they force you to use openssl on another host.

  Your choice (CA) certification authority would be when even issue the certificate. This is the case, either internal Microsoft AD-based PKI Certificate Services a customer or a public CA like Thawte, GoDaddy, Verisign, Entrust etc.

  If you do this, then you can decrypt the traffic for the purpose of inspection, I hope you boxes of size accordingly. You will take a big performance hit in doing so. I haven't seen the reference numbers but have heard stories that he is important.

• Signature with certificates usin an iPad.

  My company uses Adobe Reader XI and individuals sign a PDF file by using certificates. I have a user who needs to be able to sign with certificates using an iPad. What software for iPad would sign with certificates?

  Hello

  Based on certificates of signatures are supported in the desktop version of Adobe Acrobat Pro, Standard and Reader only.

  Sorry for the inconvenience.

• I can't check the updates with Windows 7 computer

  I have a Windows 7 laptop.  When I check the updates, I get error code 80072F8F.  No matter what I do to update the date and time, it may not always check the updates.  The last successful update was on September 19.  I tried to ask a person to Microsoft through online help.  She had me try all sorts of things during the past month without result.  Finally, she transferred my problem to his supervisor, who told me that I had to completely reinstall Windows.  I don't have a disc of Windows 7 because it is preinstalled on my laptop.  She then told me that she would transfer my problem to a COMPUTER technician who would call me.  No one has called.  I have sent to let her know I had not heard anything, and in response I received an automated email stating that my problem has been resolved and that my case has been closed.  Someone please help! My computer has not had an update for 3 months!

  This isn't the problem, as I said in my question above.  It has nothing to do with the date or time.

  I just found an answer, tried and it works!

  Here it is:

  MikeGrimes 2Already voté

  PLEASE NOTE: The following instructions are specifically for ESET Smart Security or NOD32, however, I suspect other programs where content filtering of the SSL connections may cause this problem too.

  You run ESET/NOD32 Antivirus? If Yes and you have active SSL protocol filtering you add an exception

  (1) open the main window of ESET by clicking the ESET icon next to the clock system or by clicking Start > all programs > ESET > ESET Smart Security or ESET NOD32 Antivirus.

  2) press F5 on your keyboard to open the advanced configuration window.

  3) navigate to Antivirus and antispyware > protocol filtering > SSL. Click on "ask on sites not visited (exclusions can be set). Click OK.

  (4) check the Windows updates

  (5) a pop - up of ESET will inform you about an attempt to communicate over SSL. Click on exclude.

  (6) that excludes the verification by ESET update Windows. Exclusions are kept in the Antivirus and antispyware > protocol filtering > SSL > Certificates > excluded certificates.

  (7) to navigate back to the Antivirus and Antispyware > protocol filtering > SSL. Restore the SSL filtering to your previous setting mode, that is to select the option "Always scan SSL protocol".

  (8) check the option ' apply created exceptions based on certificates "is selected. Click Ok to close the advanced settings window.

  Alternatively, you can simply disable SSL filtering in step 3.

• Aironet 1130AG and 802. 1 x

  Can someone help me with the configuration for authentication of 802 sources. 1 x Aironet 1130AG?

  I want to configure authentication for 802. 1 x based on certificates from the machine (Windows XP and 7), is it possible?

  The access point runs in stand-alone mode and the radius server is a 4.2 ACS.

  Thank you!

  OK, that's EAP - TLS... BTW, that is the most involved EAP and requires special attention to detail. You will need a server radius between the certificates. I might suggest, you do your work at home first before jumping right into configs.

  Here are links to help you get started:

  http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml

  http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a00807917a6.shtml

  __________________________________________________________________________________________
  "Satisfaction does not come to know the solution, it is to know why." - Rosalind Franklin

• How can my user password - protect a document that has been digitally signed?

  Hello

  I've seen a few threads that indirectly address some parts of this question, but always find myself not sure about whether this process can be done - and if it is possible, I could use your help to understand - thank you.

  Two of our end users use digital signatures (based on certificates) in Acrobat 9 Pro to sign documents attesting the status of precision & calibration of equipment of laboratory for use in a legal environment.  These end users are concerned that their documents could be amended or edited and asked me if password can also be applied to the documents that must be digitally signed.

  Thanks in advance for your advice.

  Do you apply 'Open' password password "Permissions" or both? If you apply 'Permissions' password (with or without the 'Open' password) of course I "Edit" include filling in form fields and signing existing signature fields"or" commenting on, fill in the form fields and signing existing signature fields. If the permissions do not allow you to connect, you are unable to sign.

  Be aware of the alert that Acrobat appears when you apply the password "Permissions" that all Adobe products meet the permissions that you set, but this 3rd party PDF viewers may not (and many do not).

• How to reset my signature preferences?

  I used to have a picture of my handwritten signature that I could download and place it in a PDF file, then I have updated the drive because he asked for me to create a new signature and I clicked on a few bad things, and it brings me to create a signature based electronic certificate. I can not figure out how to remove this element or change my default to a signature based on image (my writing) - Please can someone guide me through this process? Thank you very much!

  Hello

  In order to change the default signature, you must first clear the stored signature. Please refer to the image below: -.

  

  Once you disable the signature stored, you can download your image saved as the default signature.

  Kind regards

  Mohamed

• How to make an electronic digital signature?

  How to create an electronic digital signature?

  @

  If you want to create a digital signature based on certificates, you start to get a digital certificate. If you want to take advantage of the feature complete of digital signatures and then you get a reputable certification authority certificate. If you only want to ensure the integrity of the documents, you can create a certificate self-signed in Acrobat Pro. When you have a certificate add you it to the Acrobat digital IDs. After that you can start to sign your PDF documents using this certificate. In Acrobat XI go you to sign-> work with certificates-> sign the Document. Since version 11.0.7 that adobe Reader can also sign. Earlier versions of Reader requires that PDF is already ready to be signed by its author: includes fields from signature signed and is Reader extended for the signature.

  Make sure that when you get a certificate which is encrypted password, do you remember the password you may need several times.

• How does * (certificate-based authentication) work?

  How does * (certificate-based authentication) work?

  We do * in a company whose phones android and exchange 2010.

  We use the activesync to talk to Exchange via the SSL protocol.

  It works.

  I am documenting HOW it works (on a rather high level).

  I have some information, but would like to know what happens when exchange Gets the customer real auth cert of the device in the last part of the authentication process.

  Exchanges with impatience in its entirety to RFA, since AD (or its related PKI service) created the cert?

  Thank you.

  Mac

  This issue is beyond the scope of this site and must be placed on Technet or MSDN

  http://social.technet.Microsoft.com/forums/en-us/home

  http://social.msdn.Microsoft.com/forums/en-us/home

• Certificate based with chaining of EAP authentication

  Hello world

  My question is about EAP - TLS and EAP chaining. I know that EAP - TLS is used for certificate based authentication. I think using EAP chaining which employees computer and user authentication. So if you use EAP - TLS with chaining EAP, this would mean that ISE will validate the computer certificate and user certificate? I do not know if there is something called user certificate. Not a guy from Microsoft.

  My second question is that it is a way we could use the certificate and the name of user and password for authentication at the same time?

  I would strongly appreciate an explanation or a reference document which could help to clarify my concept on this subject.

  Thank you

  Quesnel

  Yes, with EAP-chaining, you can make user and computer certificate authentication at the same time.

  Yes, you can also use EAP - TLS and PEAP/MSCHAPv2 authentication even in, what's special on EAP-chaining, and therefore requires anyconnect nam. When you set your anyconnect configuration, you will be asked if you wan't do user, computer, or user and machine authentication, and you will get two separate configuration settings, one for the user and the other for the machine and you can select any EAP method in those, they are not the same.

  http://www.Cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-...

• ACS 5.3 certificate based access to the network by using AD

  Hello

  Is that what someone has implemented certificate based 802. 1 x network access using ACS5.3 & identity authentication outdoor store like AD.

  If yes then please let me know as soon as possible.

  Ajay

  When you use EAP - TLS AD may come into play in one of two ways

  -There is an option to perform a binary comparison on the certificate of the client against a stored in AD (or LDAP)

  -It is possible to retrieve ad for the user groups and use this in authorzation

  Configuration for this is done as follows:

  (1) establish a profile of certificate authentication:

  Users and identity stores > profile of certificate authentication

  In the profile to define the "main Username attribute" - attribute that identifies the user

  Can optionally select "Perform with certificate certificate binary comparison comes from LDAP or Active Directory"

  (2) if want to do authorization based on groups of ads, then need to create a sequence identity

  Users and identity stores > sequence identity store

  In 'List of authentication method' select 'Certificate based' and select the profile of step 1

  In "Attribute retrieval research additional list", select Active Directory in the list of selected stores

  (3) select the sequence of the identity as the result of identity politics. For example, for the strategy set by default:

  Access policies > access > by default access to network > identity

• Certificate, using ISE-based authentication

  Hello

  Can someone send me the link sur-comment to do to set up certificate authentication based Micrsoft Client using ISE as the AAA/RADIUS server.

  Thank you

  Hi Imran,

  If I understand well, then you need this attached document:

  It will be useful.

  Concerning