Profile AnyConnect, chicken or the egg situation

Last week I set up an ASA 5515-X for the sole purpose of being our VPN concentrator. We do two-factor auth with certificates plus AD credentials.

For employees, we are rolling out company-owned laptops with device certificates installed.

For third-party suppliers, we issue user certificates.

The big problem I am running into is the first connection for employees. If they try to connect via AnyConnect, it returns a certificate error, and after clicking OK they are prompted to choose a VPN alias. After selecting one and clicking OK, the process repeats with the certificate error. If I change the VPN profile to use strictly AAA, they are prompted for their AD credentials and connect fine. After that, once I change the VPN profile back to certificates and AAA, the client can connect perfectly well.

Thus, it seems that until AnyConnect downloads a profile that tells it to look in the machine certificate store, AnyConnect does not look there. I got exactly the same problem when setting up the vendors. For vendors, it was solved by using IE to go to the web portal and connecting there. Once connected, the AnyConnect profile would download and it works perfectly after that.

Unfortunately the above does not work for employees, whose certificates are machine certificates. When I try to connect to this VPN group via IE, I get a similar certificate error. I suspect it's because IE is not digging into the machine certificate store to present the certificate to the device on the web portal.

So now I'm stuck with a chicken-or-egg scenario: AnyConnect needs the profile before it can connect, but it needs to connect to get the profile. I suppose we could e-mail the XML file with instructions on where to drop it, but it would be hard to ask users to navigate through hidden Windows folders.

Maybe I'm missing something obvious, but it looks like poor design of AnyConnect when, with no saved profile, it will not at least try all methods (machine cert, user cert, etc.) to connect the first time.

Does anyone have any ideas to fix this?

TIA,

Denny

Danny,

(in my not-so-recent experience with part CA VPN)

For employees, you can model the setup you already have for your 3rd parties.

That is, a separate profile for the first launch (commissioning?) which will start AnyConnect, authenticate with the AD credentials and download the profile.

All subsequent connections should work fine once the AC profile has been downloaded and set up properly.

M.
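One way to implement M.'s suggestion on the ASA side, added here as an example that is not from this thread and not Cisco's own configuration: an AAA-only onboarding tunnel-group that hands out the employee profile, beside the production tunnel-group that requires both the machine certificate and AD credentials. Hostnames, the address pool, the LDAP server, the policy names and the package file name are assumptions. The profile referenced here is assumed to have been built in the AnyConnect Profile Editor with Certificate Store set to Machine and Certificate Store Override enabled, which is the setting that makes the client search the machine store.

```text
! Added example (not from the original thread). ASA 8.4-style syntax; every
! name, address and file path below is an assumption.
!
! 1. Client package and the profile that tells the client to use the machine store.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
 anyconnect profiles EMPLOYEE-PROFILE disk0:/employee-profile.xml
 anyconnect enable
 tunnel-group-list enable
!
! 2. AD/LDAP server used for the credential half of the two-factor login.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder-password>
 server-type microsoft
!
ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! 3. Group policy shared by both tunnel-groups; pushes the profile on connect,
!    so the client leaves its first session with a profile on disk.
group-policy GP-EMPLOYEES internal
group-policy GP-EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value EMPLOYEE-PROFILE type user
!
! 4. Onboarding tunnel-group: AAA only, so a client with no profile yet can
!    connect once with AD credentials and receive the profile.
tunnel-group ONBOARD type remote-access
tunnel-group ONBOARD general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-EMPLOYEES
tunnel-group ONBOARD webvpn-attributes
 authentication aaa
 group-alias First-Login enable
!
! 5. Production tunnel-group: machine certificate AND AD credentials. The
!    downloaded profile's host entry points the client at this alias.
tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-EMPLOYEES
tunnel-group EMPLOYEES webvpn-attributes
 authentication aaa certificate
 group-alias Employees enable
```

The First-Login alias is a password-only path into the same group policy, so it is worth keeping only for the rollout window and disabling the alias (or the whole ONBOARD tunnel-group) afterwards. The OP's alternative of pre-staging the XML also works on managed endpoints: the per-user profile directory on Windows is %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile, so a GPO or software-deployment job can drop the file there before the user's first launch, with no hidden-folder navigation by the user.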

Tags: Cisco Security

Similar Questions

  • Adobe Application Manager corrupt - trying to install a new copy fails because the AAM is missing according to the installation log - how to fix this chicken-and-egg problem?

    Adobe Application Manager is corrupt and a reinstall attempt of Adobe Acrobat Pro XI fails - trying to install a new copy of the AAM fails because the AAM is missing according to the installation log - how to fix this chicken-and-egg problem?

    06/04/16 16:23:29:507. [INFO] |  | USS | PIM | PIM |  |  | 6256 | Build Version - 9.0.0.244

    06/04/16 16:23:29:507. [INFO] |  | USS | PIM | PIM |  |  | 6256 | Exploitation forest verbosity level set to 4

    06/04/16 16:23:29:507. [INFO] |  | USS | PIM | PIM |  |  | 6256 | CREATING Instance PIM...

    06/04/16 16:23:29:507. [FATAL] |  | USS | PIM | PIM |  |  | 6256 | Detected db journal file, Adobe Application Manager is in a State damaged to C:\Program Files (x 86) \Common Files\Adobe\OOBE\PDApp

    06/04/16 16:23:29:507. [FATAL] |  | USS | PIM | PIM |  |  | 6256 | Adobe Application Manager is needed to solve this problem. However, it is missing or damaged.

    Download a new copy of Adobe Application Manager of http://www.Adobe.com ,

    or re install this product.

    06/04/16 16:23:29:507. [FATAL] |  | USS | The installation program. The installation program.  |  | 6256 | Cannot create the PIM item

    06/04/16 16:23:29:507. [INFO] |  | USS | The installation program.  |  |  | 6256 | Event generated Guid is: "986b04a2-3099-49fd-9067-df69c36ff2b2."

    06/04/16 16:23:29:507. [INFO] |  | USS | The installation program.  |  |  | 6256 | Event generated Guid is: "e5f02581-649c-49ec-a265-800eeb5ad426."

    Does anyone have an idea what to do? I use Windows 7 as operating system.

    Hi Ruedigerd91465945,

    Please try to download and install Adobe Application Manager from here: Adobe - Adobe Application Manager: For Windows: Adobe Application Manager. Thank you.

    Before installing, kindly restart the machine and then rename the folder C:\Program Files (x 86) \Common Files\Adobe\OOBE\PDApp to OOBE_OLD.

    Let us know if that helps.

  • Chicken or the egg

    How do you test your first BlackBerry application without being in the BA program?

    I'm testing my VoIP application and it works very well on my 9000 "BOLD". I'd like to test it on several BB devices. Without being in the BA program, the only alternative is to test it on simulators. However, full-duplex audio is not supported in the Java virtual machine. Now I am at a loss. Not being in the BA program, I can't test my app on devices other than my "BOLD", and since I have not released my application, I can't accumulate enough points to join the BA program. It's a catch-22 for me. How do you guys do it when you first start?

    I've seen a number of developers post threads asking for beta testers for their application... here not so much.

    BlackBerryForums.com and CrackBerry fairly often.

  • Which comes first, the chicken or the egg?

    So I am new to Flex and I'm new to actual development, but I have experience in user interface design. My question for you Flex gurus is this... since I'm starting a solo project, I don't know if I should start by building the application visually first and then add the underlying code and assembly, or start with the code piece by piece and then rework the layout to be attractive...

    Thank you for your incredible support!

    Rich

    Short answer: first build the user interface.

    Development has traditionally been data-upwards. The programmer would look at what data needed to be collected, architect the database, build the data access components, and then put the interface on top of that. Building the user interface came last and it was often designed to accommodate the data. This is what I call the "bottom-up" approach. The problem is that, for most users, the user interface is the application. Not giving them the opportunity to review the user interface until the last step can lead to tedious and costly changes.

    A "new" approach is to build the interface first, or a prototype of the interface. Let users play with it so that they are comfortable. In theory, they will easily spot anything that prevents them from being productive with the program. From the user interface, you can then create your data access objects / service layer and, from there, create the database. In this approach, the data supports the UI, not the other way around. This is what I call the "top-down" approach.

    So, I would build the user interface first - especially since this is where your skill set lies - and then fill in the rest of the application according to the needs of the user interface.

  • Using the ASA as a deployment tool for the AnyConnect profile

    I have a requirement to use an ASR router as the headend for AnyConnect IKEv2 clients. For ease of deployment, I want to use the ASA firewall to let users (multiple operating systems - Win/Mac/Linux) download their respective AnyConnect clients as well as the required profile to connect to the ASR. Note that the ASA is used only for AC and AC profile downloads; it does not participate in any VPN termination. Users will just point their browser to the ASA firewall web page, download the client and the profile, then launch AC and connect to the ASR router.

    My question is, is it possible?

    Thank you!

    I guess it should work, even if I haven't tried it personally.

    Note that the ASA shows a logon screen in the browser window, and the user has to complete the logon and authentication. So you have a clientless SSL connection on the ASA first, before the "download the client..." step.

    From there you should be able to download the client and profile, and have the profile's configured host point to the address of the ASR router.

  • AnyConnect 3.1 - the certificate on the secure gateway is not valid

    Hi guys,

    I have a problem with AnyConnect 3.1.01065.

    When I try to connect I get "The certificate on the secure gateway is not valid. A VPN connection can be established."

    The certificate is a self-signed cert.

    AnyConnect 2.5 works without problems.

    ASA image: 8.4(2).

    [27.11.2012 15:58:27] Ready to connect.

    [27.11.2012 16:01:49] Contact IP_WAN.

    [27.11.2012 16:01:52] Please enter your username and password.

    [27.11.2012 16:02:01] User credentials entered.

    [27.11.2012 16:02:02] Establish the VPN session...

    [27.11.2012 16:02:03] Checking for updates to profile...

    [27.11.2012 16:02:03] Checking for updates...

    [27.11.2012 16:02:03] Checking for updates of customization...

    [27.11.2012 16:02:03] Execution of required updates...

    [27.11.2012 16:02:08] Establish the VPN session...

    [27.11.2012 16:02:08] Setting up VPN - initiate the connection...

    [27.11.2012 16:02:09] Disconnection in progress, please wait...

    [27.11.2012 16:02:13] Connection attempt failed.

    Has anyone had this problem before?

    Thank you very much.

    Hello Cristian,

    Please see this:

    Bug details for CSCua89091:
    The local certificate authority must support the EKU and other necessary attributes

    Symptom:
    The local CA on the ASA currently does not support attributes like the EKU. This enhancement request is to add support for this. Workaround:
    Configure the cert in the client's profile

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCua89091

    And the following:

    DOC: AnyConnect supports specific Extended Key Usage attributes in certs

    Symptom:
    When using certificates with the AnyConnect client, if the certificate installed on the ASA does not have the EKU attribute set to "Server Authentication", then the AnyConnect client will reject the ASA certificate as invalid. The client ID certificate must also have "Client Authentication", otherwise the ASA will reject it. Conditions:
    Using an ID certificate on the ASA with an EKU other than "Server Authentication"
    Using an ID certificate on the client with an EKU other than "Client Authentication".

    Workaround:
    Generate a new ID certificate with the correct extended key usage

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCty61472

    So at this point, you need to set up a corresponding certificate or use an earlier version of the AnyConnect client.

    HTH.

    Please rate all useful posts

  • I did a Firefox tuneup; where was my profile stored before the tuneup?

    I tried to do a Firefox tuneup because I had problems with freezes and crashes. Once the process was complete, it asked me to choose a profile before restarting Firefox. The choice was a list of numbers, so I had no idea which was my current profile. Of course, I chose the wrong one, because all my favorites, history, etc. are not here, so I guess they must be in one of the other profile choices. How do I get to where I can choose a different profile to open?

    You can change the default Firefox profile using the Firefox Profile Manager. Try the different profiles on your system to see which one is the profile you want. You can then tell the Profile Manager to use that profile as the default.

    For more information about using the Profile Manager, please refer to this Mozilla support article:

    Is that what you are looking for? Let us know.

    Note: The Profile Manager can be used to remove Firefox profiles. However, I do not recommend that you remove any profiles before you locate your desired profile, as you could accidentally delete the working profile.

  • 'Create a user.js file in the profile directory' to add user prefs to enable Mozilla rich text editing

    The message FF gives me is "To protect your information, unprivileged scripts cannot invoke the cut, copy, and paste commands in the Mozilla rich text editor... to enable these features, you must change your browser preferences..." This is for an online course. In the discussion forums, when editing my post for answers - when you select a sentence, then right-click for the copy/cut/paste edit options - that is when I get the message to follow the instructions to create a user.js file in my profile. I followed the instructions in "Change preferences in Firefox" to create a user.js file (I didn't have one) to add the features described, specific to this site (which is an .edu site). Since I had to have a "user.js" file open in a text editor to create one, I right-clicked, was given 3 options of text document type, chose 'RTF doc', typed the required user preference lines, saved as .rtf, closed FF, reopened, returned to the school forums and tried the same editing options, but got the same answer. After leaving completely and returning to my profile, the user.js file I thought I created wasn't there. I scrolled through a lot of useful articles, comments etc. here, but nothing specific to this type of file in profiles? In those instructions, step 3 says "open the user.js file from this directory in a text editor. If there is no user.js file, create one." That's what I have to do. Then I'll be ready for step 4, yay! Thank you.

    As soon as you click on the selected text, the site displays a message about changing your settings?

    On this site, can you use the standard Windows keyboard shortcuts for cut, copy and paste: Ctrl + x, Ctrl + c, Ctrl + v?

    If so, I suggest doing that.

    Alternatively, you can stop websites from replacing the context menu, so that Firefox's menu always shows. This can be a bit annoying in certain cases, such as Google Maps, where the Firefox menu hides Google's menu. When this happens, you can usually press ESC to dismiss the Firefox menu and use the site menu. If you want to change this, here's how:

    (1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

    (2) In the search box above the list, type or paste context and pause while the list is filtered.

    (3) Double-click the dom.event.contextmenu.enabled preference to switch it from true to false.

  • Headset profile in the Toshiba Bluetooth stack?

    Hello.

    While trying to connect my Motorola HS820 Bluetooth headset to my Toshiba Tecra M1 laptop, the laptop will only recognize the "Serial Port Profile" of the headset and not the "Headset Profile".

    I'm running Windows XP with the newest Toshiba Bluetooth stack installed (bltstk-s-p20-30012-.zip).

    The 'Toshiba Bluetooth Utility Guide' does not mention the "Headset" profile as one of the supported profiles.

    Does anyone know if the headset profile is supported, or if Bluetooth audio devices will be supported in the future?

    Is there a newer Bluetooth stack? Where can I get it?

    Thank you.
    Best regards
    Rui Cunha.

    Hello Rui

    Unfortunately I can't give you a good answer, but you can consult the website of Toshiba Bluetooth under http://aps.toshiba-tro.de/bluetooth/.
    Also check this http://aps.toshiba-tro.de/bluetooth/pages/faq/headsetnotworking.html.

    Bye

  • Does deleting a user profile also delete the files copied from the main profile?

    I created a new admin profile because I think my current profile is messed up (I can't click Start or the taskbar unless I close explorer.exe and run it again), and I started to copy files from my main profile to the new one. I had a blond moment, not realizing I was just duplicating the files on my hard drive, and I don't have a lot of space to work with, so I stopped.

    Should I manually delete all the copied files, or simply remove the 2nd user profile, and will that remove the copied files too? (without deleting the originals in my main profile)

    Thank you.

    Hey Nate,

    You can try to remove the new user profile and check. While removing the profile, you will get an option to remove the files included in the profile. You can check the option to delete the files and see if it helps.

    To remove a user profile

  • I cannot log on to my user profile, which is also the administrator. I get a message that the password is incorrect, however I have not changed the password. Don't know what it was.

    I can't log on to my user profile, which is also the administrator. I get a message that the password is incorrect, however I have not changed the password. My 11-year-old niece used the PC last (playing online games) and I was informed that there was a download/installation, but I do not know what it was. I can't download or update anything on the PC that requires the admin password. I am currently using the guest account, which does not give me access to all programs, and the PC is running a little slower than usual. Your help with this question is appreciated.

    the operating system is Windows Vista Home Basic 32-bit.

    Hello

    If your niece has changed the password, or you have a corrupted system, this Microsoft information will help you.

    Here are the different circumstances where it can help you.

    You will need to borrow a Microsoft DVD from a friend; a manufacturer's Recovery DVD does not have these special options available.

    If you are unable to log on to Windows 7 or Windows Vista, you can use the Windows Vista System Restore feature, or the Windows 7 System Restore feature.

    You may be unable to log on to Windows Vista or Windows 7 in the following scenarios:

    • Scenario 1: You recently set a new password for the protected administrator account. However, you don't remember the password.
    • Scenario 2: You type the correct password. However, Windows Vista or Windows 7 does not accept the password because the system is damaged.
    • Scenario 3: You delete a protected administrator account. Now, you cannot log on to another administrator account.
    • Scenario 4: You change a protected administrator account to a standard user account. Now, you cannot log on to another administrator account.

    And as you say your niece may have downloaded something, that something could have been malicious, which can cause problems with the password.

    Download, update and scan your system with Malwarebytes AntiMalware in Safe Mode with Networking:

    http://www.Malwarebytes.org/products/malwarebytes_free

    And here's how to get to the Safe Mode options; select Safe Mode with Networking from the list of options:

    http://Windows.Microsoft.com/en-us/Windows-Vista/start-your-computer-in-safe-mode

    See you soon.

  • I can't log on to my user profile. I am the administrator and cannot log on

    original title: problems with user profile

    I can't log on to my user profile. I am the administrator and cannot log on at all. The password has not been changed.

    What is the FULL error message?
    This one? .... The User Profile Service failed the logon. User profile cannot be loaded

    If yes, read on...
    Do you have another admin account you can log on to?
    If so, please do so and do a system restore; if that doesn't help, run the Microsoft Support tutorial below.

    If you don't have another admin account, go into safe mode.
    Here's how to get into safe mode:
    Shut down your computer > turn it back on and immediately and repeatedly tap the F8 key until you see a black and white screen. Use the up/down arrows and select Safe Mode with Networking.

    In the logon window in safe mode...
    1. Can you log on to your administrator account in safe mode?
    If so, do a system restore first; if that doesn't help, run the Microsoft support tutorial listed below.

    2. If you can't log into your own account, do you see another admin next to your account on the logon screen?
    If you do, that one is the built-in Administrator account. By default, it has no password. Log on to it and again do a system restore first; if that doesn't help, run the Microsoft support tutorial listed below.

    If you are able to log on in safe mode, do a system restore. Choose a date when you were able to log in in NORMAL MODE as your restore point.
    How to do a system restore: http://www.vistax64.com/tutorials/76905-system-restore-how.html

    Tutorial from Microsoft support:
    http://support.Microsoft.com/kb/947215
    There are several methods; go through them one by one.
    Method 3 has a "Fix it for me" application.
    For the benefit of others looking for answers, please mark the suggestion as answer if it solves your problem.

  • User profile: Windows cannot load my user profile

    Windows cannot load my user profile

    • Restore point:

    Try pressing F8 at startup and, in the list of boot selections, select Safe Mode using the up arrow to get there > and then press Enter.

    Try a system restore first, choosing a restore point prior to your problem...

    Click Start > Programs > Accessories > System Tools > System Restore > Choose another time > Next > etc.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    If the above does not work:

    • http://www.Vistax64.com/tutorials/130095-user-profile-service-failed-logon-user-profile-cannot-loaded.html

    See if the information in the above tutorial will help you.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    http://windowshelp.Microsoft.com/Windows/en-AU/help/769495bf-035C-4764-A538-c9b05c22001e1033.mspx

    Fix a corrupted user profile

    After creating the profile, you can copy the files from the existing profile. You must have at least three user accounts on the computer to perform these operations, including the new account that you created.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    http://support.Microsoft.com/kb/947242

    A temporary profile is loaded after you log on to a Windows Vista-based system

    See you soon.

    Mick Murphy - Microsoft partner

  • The User Profile Service failed the logon, user profile cannot be loaded

    I can't log in under my user profile. It's the administrator user. I can log in as another user, but can't access my files. Has anyone had this problem and found a solution? Please let me know how you did it. I have read through many answers and don't know which way to go.

    • Restore point:

    Try pressing F8 at startup and, in the list of boot selections, select Safe Mode using the up arrow to get there > and then press Enter.

    Try a system restore first, choosing a restore point prior to your problem...

    Click Start > Programs > Accessories > System Tools > System Restore > Choose another time > Next > etc.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    If the above does not work:

    • http://www.Vistax64.com/tutorials/130095-user-profile-service-failed-logon-user-profile-cannot-loaded.html

    See if the information in the above tutorial will help you.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    http://windowshelp.Microsoft.com/Windows/en-AU/help/769495bf-035C-4764-A538-c9b05c22001e1033.mspx

    Fix a corrupted user profile

    After creating the profile, you can copy the files from the existing profile. You must have at least three user accounts on the computer to perform these operations, including the new account that you created.

    See you soon.

    Mick Murphy - Microsoft partner

  • Cisco ASA 5510 - VPN (AnyConnect) restrictions based on the AD user or IP address

    Hello

    I want to test how to restrict user access on an ASA 5510 for AnyConnect. In the policy, I can define which networks will go through the VPN tunnel and which will not (split tunneling). The ASA has an LDAP connection and only AD users in a special security group can connect over AnyConnect.
    On the other hand, I would like to restrict access for specific users within a VPN policy.

    So my question:
    What are your recommendations to implement this scenario?

    My two ideas would be:
    1. Access rules based on the AD user.
    2. Reserve special IP addresses in the AnyConnect address pool for some users, so I can limit access with the normal firewall rule base based on the source IP address.

    What are your recommendations, and is it possible to realize my ideas (and how)?

    Thanks in advance

    Best regards

    Hello

    I would suggest that you configure a second AD group on the server and another group policy on the ASA. You can configure specific access on each group policy (set up VPN filters, assign different split-tunnel policies, different ACLs), and on the AD server you can assign users, for example, to AD Group A and AD Group B based on the access you want to give them. Then you must configure LDAP mapping to assign the user the specific group policy you want, based on the AD group they belong to.

    You can follow this documentation that will help you configure the LDAP Mapping:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Best regards, please rate.
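A concrete ASA configuration for the LDAP mapping described in the reply above, added here as an example; it is not part of the thread or of the linked Cisco document. The AD group DNs, policy names, ACLs and addresses are assumptions. The pattern is the memberOf-to-Group-Policy attribute map, with a default policy of zero simultaneous logins so that a user in neither AD group cannot connect at all; this covers the asker's first idea (rules tied to the AD user) without depending on which address the client happens to draw from the pool.

```text
! Added example (not from the original thread). All DNs, names and
! addresses are assumptions.
!
! 1. Map the AD memberOf attribute onto the ASA Group-Policy attribute.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Full,OU=Groups,DC=example,DC=com" GP-FULL
 map-value memberOf "CN=VPN-Limited,OU=Groups,DC=example,DC=com" GP-LIMITED
!
! 2. LDAP server with the map attached.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! 3. Per-group restrictions: a vpn-filter ACL plus a split-tunnel list for the
!    limited group; a wider split-tunnel list for the full group.
access-list ACL-LIMITED extended permit tcp any host 10.0.1.20 eq 443
access-list ACL-LIMITED extended deny ip any any
access-list SPLIT-LIMITED standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-FULL standard permit 10.0.0.0 255.255.0.0
!
group-policy GP-LIMITED internal
group-policy GP-LIMITED attributes
 vpn-filter value ACL-LIMITED
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-LIMITED
!
group-policy GP-FULL internal
group-policy GP-FULL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-FULL
!
! 4. Default policy for anyone the map does not match: no logins allowed.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

The asker's second idea (reserving pool addresses for particular users and filtering on them in the main rule base) needs per-user static address assignments and breaks silently as soon as a user's address changes; the vpn-filter above ties the restriction to the authenticated identity instead, and the deny-all default keeps a user who drops out of both AD groups from connecting at all.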
