We have a 'managed' firewall hosted by a major ISP (though you really wouldn't think it). We have access to it via ASDM to control our own VPN certificates and users. It is a 5510.
We basically manage one thing; the Local Certificate Authority. We add users, remove users and issue one time passwords for certificates. These are acquired via the AnyConnect which prompts you to get one and supply the details. Once done, you install the certificate and boom, vpn worky.
Now it has been almost a year since we deployed this, and certs are starting to expire, prompting users for a new one-time password to get a new certificate. I am having to do this manually, and have asked the ISP if there is any way this can be done, sort of like an auto-renewal. They've categorically said NO.
Please tell me this isn't so. The only way around this as far as I can see is to make the expiry days something huge, which can't be good for security.
I am not even sure the VPN configuration is correct either, however it works so I'm guessing it must be.
Anybody in the know with this sort of thing? Thanking ya.
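For readers who have only ever driven this through ASDM, here is what the setup described above looks like at the ASA CLI. This is an added illustration, not configuration from the original poster or their ISP: the issuer name, e-mail addresses, user name and lifetimes are placeholders, and the commands are the ASA 8.x local CA and user-db commands as documented by Cisco, so check them against the command reference for your own release.

```cisco
! Added example (not from the thread): ASA local CA settings that decide how long
! a user certificate lives, how long a one-time password stays valid, and when
! the ASA e-mails users that their certificate is about to expire.
crypto ca server
 issuer-name CN=vpn-ca.example.com,O=Example Ltd
 keysize 2048
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 6
 otp expiration 72
 renewal-reminder 14
 smtp from-address vpn-ca@example.com
 no shutdown
exit

! User lifecycle: create the user, permit enrollment, then deliver the
! one-time password either by e-mail or by reading it off the console.
crypto ca server user-db add jsmith dn CN=jsmith,O=Example Ltd email jsmith@example.com
crypto ca server user-db allow jsmith
crypto ca server user-db email-otp jsmith
crypto ca server user-db show-otp jsmith

! Leaver: revoke the certificate rather than just deleting the user.
! <serial> is the certificate serial number shown by "show crypto ca server user-db".
crypto ca server revoke <serial>
crypto ca server user-db remove jsmith
```

The point of showing the lifetime and reminder settings together is that they are the levers the poster is weighing: a longer `lifetime certificate` means fewer re-enrollments, while `renewal-reminder` gives users warning before expiry so the re-enrollment can be planned rather than done the day the VPN stops working. Re-enrollment still needs a fresh one-time password, so the admin-side step does not disappear.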
rowelld | Coffee Addict | Join Date Oct 2005 | Location San Diego | Posts 92 | Certifications CCNA Security, CCNA, A+, Network+ | 12-02-2013 05:43 PM | #2
You'll need to generate a new CSR on the ASA to be used to acquire a new certificate. Once you get the new certificate you will add it as a new identity. You can then update VPN to use the new identity.
What version is the ASA running?
ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco Systems
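The steps rowelld lists (new CSR, install the returned certificate as a new identity, point the VPN at it) look like this at the CLI when the CSR is handled by hand. This is an added example, not configuration from rowelld or from the linked Cisco article: the trustpoint and key labels, the host name and the subject are placeholders, and the commands are the standard ASA 8.x trustpoint/enrollment commands, so confirm the exact prompts on your own release.

```cisco
! Added example (not from the thread): renewing the ASA's own identity certificate
! with a manually handled CSR ("enrollment terminal"). Using a fresh trustpoint
! and key pair keeps the old certificate in place until the new one is verified.
crypto key generate rsa label VPN-2014-KEY modulus 2048

crypto ca trustpoint VPN-2014
 enrollment terminal
 keypair VPN-2014-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Ltd,C=GB
exit

! Prints the PEM-encoded CSR to the terminal; hand that to the CA or vendor.
crypto ca enroll VPN-2014

! Install the issuing CA's certificate first, then the signed identity certificate
! (both are pasted in at the prompt).
crypto ca authenticate VPN-2014
crypto ca import VPN-2014 certificate

! Check the subject, validity dates and chain before cutting over.
show crypto ca certificates VPN-2014

! Only now move the outside interface (where AnyConnect/WebVPN terminates)
! to the new trustpoint. The old trustpoint can be removed after clients are happy.
ssl trust-point VPN-2014 outside
```

Note that this renews the firewall's own server certificate, which is a separate thing from the per-user certificates the local CA issues; the two expire on their own schedules and both need to be on the calendar.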
Visit my blog: http://rowell.dionicio.net - Member of Cisco Champions

Magic Johnson | Member | Join Date Aug 2013 | Location Scotland | Posts 75 | 12-02-2013 06:01 PM | #3
Current goals [ ] CCNP SWITCH [ ] ROUTE [ ] TSHOOT
CSR?
8.2(5)
So it is possible then? I read the article but it's a bit over my head!
Last edited by networker050184; 12-02-2013 at 06:06 PM.

colemic | Senior Member | Join Date Apr 2010 | Location Tejas, Baby! | Posts 712 | Certifications CISSP, CISA, GIAC 2700, MCSE:Security, CEH, CHFI, CCENT, Sec+, Net+, ITIL v3 Foundations | 12-02-2013 06:45 PM | #4
I am glad we don't use those certificates on our AnyConnect. Just getting the damn thing to work right is hard enough. (Mainly trying to implement restrictions, such as a certain background or current AV. When we turn those on, they fail security checks no matter what.)

Magic Johnson | Member | Join Date Aug 2013 | Location Scotland | Posts 75 | 12-02-2013 06:49 PM | #5
Originally Posted by colemic: I am glad we don't use those certificates on our AnyConnect. Just getting the damn thing to work right is hard enough. (Mainly trying to implement restrictions, such as a certain background or current AV. When we turn those on, they fail security checks no matter what.)

How do you do it mate?

colemic | Senior Member | Join Date Apr 2010 | Location Tejas, Baby! | Posts 712 | Certifications CISSP, CISA, GIAC 2700, MCSE:Security, CEH, CHFI, CCENT, Sec+, Net+, ITIL v3 Foundations | 12-03-2013 04:01 PM | #6
Not sure what you mean - how do we do what? Implement restrictions? For that, we have Dynamic Access Policies... we have one for iPads, we put the UDID in, it works great. Until we add a rule for a desktop background or AV w/ current definitions, then it gets access denied. I can't figure out how to tell AnyConnect to differentiate between devices - that THIS rule (background) doesn't apply to THIS device (iPad), and vice versa... and anytime I have a rule for AV or background, it fails on a laptop no matter what.

Magic Johnson | Member | Join Date Aug 2013 | Location Scotland | Posts 75 | Yesterday 10:30 AM | #7
Originally Posted by colemic: Not sure what you mean - how do we do what? Implement restrictions? For that, we have Dynamic Access Policies... we have one for iPads, we put the UDID in, it works great. Until we add a rule for a desktop background or AV w/ current definitions, then it gets access denied. I can't figure out how to tell AnyConnect to differentiate between devices - that THIS rule (background) doesn't apply to THIS device (iPad), and vice versa... and anytime I have a rule for AV or background, it fails on a laptop no matter what.

No, no, you said you were glad you don't use those certificates on your AnyConnect. How do you implement it?

colemic | Senior Member | Join Date Apr 2010 | Location Tejas, Baby! | Posts 712 | Certifications CISSP, CISA, GIAC 2700, MCSE:Security, CEH, CHFI, CCENT, Sec+, Net+, ITIL v3 Foundations | Yesterday 02:59 PM | #8
My bad. We use network (client) access, and RSA tokens, so we don't have to issue certificates to each user. Actually I think they are there (on the device) but we don't issue them to specific users. I didn't set up the AnyConnect initially so I am not 100% sure.

Magic Johnson | Member | Join Date Aug 2013 | Location Scotland | Posts 75 | Yesterday 03:41 PM | #9
Originally Posted by colemic: My bad. We use network (client) access, and RSA tokens, so we don't have to issue certificates to each user. Actually I think they are there (on the device) but we don't issue them to specific users. I didn't set up the AnyConnect initially so I am not 100% sure.

Ah right! Funnily enough we moved away from a CAG and RSA fobs for this solution but I didn't set it up either and am left picking up the pieces!

Also funnily enough, our ISP has now come back and said that auto-renewal of certificates IS possible, but I don't know what to believe any more!!
TechExams.net © 2002 - 2013