SSL VPN authentication using different sequences of identity Sources

Similar Questions

• SSL VPN authentication using the ad group

  Hi all

  I tried to restrict users to authenticate to the SSL VPN using an ad server. I have install the AAA server with the IP address of the AD server and attributed to the connection profile as well; However, I see that any user who is a member of a group in AD is able to authenticate.

  I want to only users who belong to the group "VPN users" get authenticated while everyone and all those who have credentials of the AD and not even a part of the 'VPN users' group is making authenticated.

  Can someone advice how I can make the ASA authenticate users based on ad groups? I use the ASDM to configure my VPN RA.

  Thanks in advance!

  Kind regards

  Riou

  Hey riri,.

  Try to use DAP to restrict access to users who belong to a specific ad group:

  https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-poli...

  Use the AAA attribute "LDAP .member of" to allow access to the users belonging to a specific group and deny access to other users.

  concerning

  Eric

• SSL VPN authentication using RADIUS

  I am running version ASA 8.4 (1) and anyconnect version 3.0.1047. My SSL VPN works great, but I encountered a problem with a user. his story did not work, and each time users had this message ""VPN server could not parse request '. "

  I found the problem after getting user information, which means that his user name and password. Had a password '&' as one of the special characters. When we change to something that isn't that it works very well.

  We use the NPS as RADIUS server. but when I run a test within the CLI, it works fine, only when anyconnect requests to authenticate, he fails.

  Someone at - it had the similar problem?

  Thank you

  Marcin,

  This could a re-appearance of:

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk14036

  Would you be able to test the workaround?

  Marcin

  EDIT

  Looks like this:

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn75204

• ASA 5520: SSL VPN by using a different IP address that the ASA public IP address

  Hi guys,.

  I'm trying to configure an SSL VPN on a Cisco ASA5520.

  Unfortunately port 443 interface OUTSIDE of the SAA is already used by Microsoft Outlook Web Access and I can not change the configuration of Outlook. This configuration already in place allows me to use the public IP address of the ASA as IP Cisco VPN for the Web page.

  I don't not want to use a different port so to keep life easy for users.

  I have a few available public IPs that I can use so I wanted to use one of them instead of the OUTSIDE of the ASA interface. Any idea how I could do?

  Thank you

  Dario

  Unfortunately you can not use any other public ip address, except the ASA outside IP interface to complete the SSL VPN.

  The only options that you have is to change the Outlook to use another port or the SSL VPN to use a different port.

• SSL mutual authentication using the Oracle stored procedure

  Hello
  
  DB version:
  Oracle Database 11 g Enterprise Edition Release 11.2.0.1.0 - 64 bit Production
  
  Is possible to perform mutual authentication SSL uses the Oracle stored procedure?
  I read articles and forums saying that it is not a good approach to call the Web service using the Oracle procedure (and I don't know if it's even possible authentication using procs). But I would like to know if it's possible and how.
  
  In other is words there a way to incorporate the client certificate information into a procedure that calls a Web service.
  
  I read the articles to do it in JAVA or .net. But please advice how we can achieve using Oracle procedures.
  
  Thank you.

  934451 wrote:

  Is possible to perform mutual authentication SSL uses the Oracle stored procedure?

  To learn more. SSL what for?

  Oracle PL/SQL only supports client standard TCP sockets. However, interface for HTTP, Oracle PL/SQL also supports HTTPS - which requires the certificates of authentication of the server to be stored in a portfolio of Oracle web and used during the transmission via HTTPS. See the code example {message identifier: = 1925297} for more details.

  I read articles and forums saying that it is not a good approach to call the Web service using the Oracle procedure (and I don't know if it's even possible authentication using procs).

  Forums and articles written by idiots. For idiots.

  And no, I'm not to embellish my response to this pitch that you met. It is false. It is written by ignorant people who don't know ANYTHING about the use of Oracle and PL/SQL. And feel free to forward my response to these idiots. They find me here if they want to argue...

  As an example of how to call a web service, see {message identifier: = 10158148} and {message: id = 10448611}.

• Use different 'fx-border-image-source"to the first tab and remaining tabs

  Hello
  
  I'm using something like this
  . Tab {}
  -fx-padding: 0px 5px - 2px 5px;
  0 0 0;
  -fx-background-color: transparent;
  -fx-text-fill: #c4d8de;
  -fx-border-image-source: url("images/tab5.png");
  -fx-border-image-slice: 20 20 20 20 fill;
  -fx-border-image-width: 20 20 20 20;
  -fx-border-image-repeat: stretch;
  -fx-font-size: 22px;
  }
  . Tab: selected {}
  -fx-border-image-source: url("images/tab-selected5.png");
  -fx-text-fill: #333333;
  /*
  -fx-background-color: red; * /
  }
  
  to customize the appearance of the tab of a TabPane.
  
  That has worked well. But I need to use a different set of images for just the first tab. Does anyone know how?
  
  Thank you.

  After you add the tab to a scene pane active, searching the first tab of the scene, it is id the first-tab value and style of the first tab via css.

  import javafx.application.Application;
  import javafx.scene.*;
  import javafx.scene.control.*;
  import javafx.scene.layout.*;
  import javafx.scene.paint.Color;
  import javafx.scene.shape.Rectangle;
  import javafx.stage.*;
  
  public class ThumbTabPane extends Application {
    public static void main(String[] args) { launch(args); }
    @Override public void start(Stage stage) {
      // create some tabs.
      TabPane tabPane = new TabPane();
      Tab tab1 = new Tab("Sites"); tab1.setContent(new Rectangle(400, 200, Color.LIGHTGREEN));
      Tab tab2 = new Tab("Favorites"); tab2.setContent(new Rectangle(400, 200, Color.LIGHTSTEELBLUE));
      Tab tab3 = new Tab("Loves"); tab3.setContent(new Rectangle(400, 200, Color.PINK));
      tabPane.getTabs().addAll(tab1, tab2, tab3);
      tabPane.setMaxSize(Region.USE_PREF_SIZE, Region.USE_PREF_SIZE);
  
      // layout the stage.
      StackPane layout = new StackPane();
      layout.getChildren().add(tabPane);
      layout.setStyle("-fx-background-color: cornsilk; -fx-padding: 10;");
      Scene scene = new Scene(layout);
      scene.getStylesheets().add(ThumbTabPane.class.getResource("stylishtabs.css").toExternalForm());
      stage.setScene(scene);
      stage.show();
  
      Node node = scene.getRoot().lookup(".tab");
      node.setId("first-tab");
    }
  }
  

  // file stylishtabs.css
  .tab {
    -fx-border-image-source: url("http://th33.photobucket.com/albums/d73/siewsammuk/th_icon_cool.gif");
    -fx-border-image-slice: 20 20 20 20 fill;
    -fx-border-image-width: 20 20 20 20;
    -fx-border-image-repeat: stretch;
  }
  .tab:selected { -fx-border-image-source: url("http://www.panic.com/blog/wp-content/themes/panic/images/icon_smile.png"); }  
  
  #first-tab.tab { -fx-border-image-source: url("http://roi.ltcdn.com/roidsn/en/main/icon_6.jpg"); }
  #first-tab.tab:selected { -fx-border-image-source: url("http://pensacolatodo.com/icon_images/icon_wordpress.gif"); }
  

• Classic question: SSL VPN Client and Vista 64 - bit OS

  Material: 64-bit software architecture: Windows Vista Home Cisco Hardware (64-bit): 871w router Cisco Software: base of 12.4 T having a challenge with Windows Vista (64) using the SSL VPN. Use of IE, I can navigate to the url, both using the DNS name and IP address. I do not have a signed certificate, so I get the standard warning screen where you will need to click on the red x to continue. At this point, the progress bar moves for a fraction of a second and it's there. For troubleshooting I tried: - clearing cookies, cache, etc. - add url and IP to the Zone of confidence - reset areas rest default - disabled options window popup and phisher IE7 - off all 3rd party Manager BHO - withdrawal of MacAfee software suite - disable User Control that allowed me to make the sign in page, but after the signature - I had a blank white screen. Then, I downloaded Firefox 3.0 (newer) and tried to connect. After a series of guests to accept and download the certificate, I was able to connect and click on the Start button to start the session. The next little screen came as expected and he chose Java. I received a message that it could not install the Cisco AnyConnect Client's and I had to download it manually. Downloaded and installed the client software. Logging out of the browser and its closure - I could not access the page again. It appeared to hang again with a progress bar. I went to empty cache, cookies, passwords etc in Firefox and reloaded the application. Still, I was able to connect. However, I always received the message that the customer could not install and download manually. For fun, I exported the certificate on the desktop and imported into Internet Explorer. I tried the connection with IE, but he had a similar problem. I was told there was no client IPSEC for OS 64 bit (Vista at startup), but most of the new machines are 64 - bit OS systems. I would appreciate any support. Lucky me, the computer to which it is impossible to connect to the VPN is the home of the CEO of the company. The last person that wants to make him miserable.

  Cisco AnyConnect VPN Client is now available for the Windows operating systems, which includes Vista 32 and 64 bit. The Cisco AnyConnect VPN Client, Version 2.2 supports SSL and DTLS. It does not support IPSec at the moment.

  See the url below for more information on troubleshooting anyconnect vpn client:

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00809b4754.shtml

  See the following url for the release notes for the version of the client anyconnect vpn 2.2 for use with windows vista:

  http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect22/release/notes/anyconnect22rn.html#wp815989

• DHCP relay for users (ASA) SSL VPN

  I have ASA 5520 vpn endpoint. Before asa, there are firewalls which translates the public ip address to the private sector and to pass SSL traffic to ASA. I have configured DHCP relay to get the IP address for the DHCP in Windows Server users:

  dhcprelay Server 10.100.2.101 on the inside

  dhcprelay activate vpn

  dhcprelay setroute vpn

  and it does not work. with the local pool, it works fine. Should I do something else? When I turn on debugging it has not any activity.

  You try to assign the IP address to the SSL vpn client using the DHCP server?

  If so, you don't need these commands contained in your message.

  Basically, you need to set dhcp server in tunnel-group and dhcp-network-scope in group policy.

  Here is an example of Ipsec client. Setup must be the same.

  http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

• ASA 5500 SSL VPN Failover license

  Hello

  I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:

  His question is:

  Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby?  I would therefore have a total of (4) licenses of SSL VPN to use?

  This would also be true for two security contexts that are included with the firewall?

  For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?

  Here is my response to his request:

  Based on this link (http://www.cisco.com/en/US/partner/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1449664)

  It was mentioned that:

  "You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »

  It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?

  Thanks in advance!

  Ice Flancia

  Cisco partner Helpline Tier 2 team

  Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.

  2 SSL included license on SAA in failover pair is combined as 4 license SSL.

  2 license of background on ASA in failover pair is combined as license frame 4.

  Here's the URL on ASA combined license failover:

  http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1450094

  Hope that helps.

• SSL VPN on license 1900 series

  Hello

  I bought a 1921-SEC-k9 so I installed the Security license:

  Technology for the Module package license information: "c1900".

  -----------------------------------------------------------------

  Technology-technology-package technology

  Course Type next reboot

  ------------------------------------------------------------------

  IPBase ipbasek9 ipbasek9 Permanent

  Security securityk9 Permanent securityk9

  given none none none

  Now, I would like to know if SSL VPN comes with this license or I have to buy an additional license of SSL VPN to use? If Yes... I had just use IPsec... I need to Setup client-to-site... can you point me to a tutorial or just a Basic... as for ipsec config, I just find tutorials from site to site on the internet.

  Hello Luka

  By this document, it will continue to work until a realod... If the router realods the function under the terms of evaluation license will stop working

  http://www.Cisco.com/en/us/prod/collateral/routers/ps10616/white_paper_c11_556985_ps10536_Products_White_Paper.html

  Harish.

• access of entrepreneurs and employees of the web site in-house using clientless ssl vpn.

  We have a layout of web SSL VPN without customer who allow employees and suppliers of connection and internal display web page.  I wonder if possible separate employees and contractors to access internal pages.  The internal web page has no authentication of users.  They would like to see if it is possible that traffic employees get proxy behind interface INSIDE IP de ASA and entrepreneur behind a different IP address proxy traffic.  Thus, the internal web page can check IP to contractor and only give them access to view certain web page, but not all pages.

  Hello

  Creating a group policy for each user group will be a good option, you can also use DAP to assign an ACL web to the user who logs on the portal without client, you can use the Radius, LDAP or Cisco attributes to associate the DAP for the user. For example, if you are using LDAP, you can create 2 groups separated here for employees and entrepreneurs and based on the LDAP user group membership, they will be assigned to specific web acl configured according to their access restrictions.

  You can follow this link to set up an acl of web:

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...

  Once the ACL is ready, you can follow this guide to configure the DAP Protocol: "check the web for acls figure10.

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  Thank you, please note!

• Cisco ASA to make use of several CAs SSL VPN

  Hello

  I was wondering if it would be possible to set up authentication for different users who connect over ssl vpn based on the SAA for different certificate? An example would be the following:

  User A user of authority A certificate would (for non admin)

  User B would make use of certiifcate authority B (for administrators)

  I don't know that it is possible using a single certification authority; However not too course of multiple CA for the different vpn users.

  Thank you.

  Hi CSCO10675262

  Yes, this should be no problem. Simply create a for each CA trustpoint.

  HTH

  Herbert

• ASA SSL VPN with RSA authentication

  All those implemented SSL VPN on a device of the ASA using remote Securid tokens? The technical sheets indicate native RSA can be used for authentication, but this works with SSL VPN?

  Thank you

  Try this link

  http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

• SSL VPN using MS CA

  I work on the AnyConnect SSL VPN deployment and seeks to secure the connection with a certificate that is NOT provided by the internal CA of the ASA or a 3rd party. What I would do, is our domain CA (MS) approve the certificate - in this way, all users of portable computers that connect to the VPN will accept the certificate without asking for confirmation.

  Is there any type of document from Cisco that describes this case? I looked at the Cisco configuration documents that show:
  -install manually 3rd party SSL VPN vendor certs (IE. VeriSign)

  -to obtain digital certificates for a MS CA ASA (it emits only IPSec certificates for users - the lancers ASA an error on the EKU without specifying the role of authentication server)

  -renew/install the certificate SSL with ADSM (applies only to the self-signed certificates)

  -examined the anyconnect Administrator's guide

  I found two similar positions in the community, but there is no answer from anyone whether or not this is possible.

  https://supportforums.Cisco.com/message/259286#259286

  https://supportforums.Cisco.com/message/1324901#1324901

  I would be grateful for any feedback. I may end up copying the certificate self-signed ASA on all laptops users VPN: S

  Greg

  You treat the SSL VPN as a web server... Create a 3rd party application signing, load it onto your MS CA and select Web server profile... You will need the CA cert so the cert of identification. You load the CA cert first then the cert of the identity.

  You then attach the cert to an interface.

  I did it on my internal interface so that the customization pages would stop sent me some errors in my browser... I went with a cert of public own party 3rd for the external interface given that I expect no area machines to connect and telling users how to install certificates is a pain.

• Authentication of the certificate SSL VPN

  Hello

  I change SSL VPN of aaa aaa authentication and CERT, Server 08 CA, 8.2 ASA 5510 ssl client 2.5.1025 and Windows 7 users. My question is what should be the model for the cert id I get from CA.

  Thank you

  Marie Laure

  You can use a web server for the certificate for the ASA model.

  Thank you

  Tarik Admani
  * Please note the useful messages *.