Recent Posts

81
Security / Cisco and Microsoft PKI
« Last post by Exonix on June 28, 2018, 07:00:05 AM »
Hi,
I'm trying to implement an S2S VPN IKEv2 between Cisco ASA 5510 and ISR 886VA.
This VPN will use the certificates which are issued by Microsoft CA 2012 R2.
I found a very [link] how to configure NDES enrollment with Microsoft CA 2008 R2, but it seems it doesn't work with 2012 R2. I have stopped at the step "checking the certificate" (5:30). I don't receive the requested certificate. Moreover, I don't see any requests on the Microsoft CA, although I got the root certificate.
Could you please help me?
Thank you in advance!

Code:
#crypto  pki enroll DC1-Domain-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: cn=886VA.domain.domain.local,ou=IT,O=domain,ST=city,C=DE
% The subject name in the certificate will include: 886VA.domain.domain.local
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose DC1-domain-CA' commandwill show the fingerprint.

Code:
do sh cry pki cert
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 47639D3E1676D78342B92E1556CD708F
  Certificate Usage: Signature
  Issuer:
    cn=dc1.DOMAIN.DOMAIN.LOCAL
    dc=DOMAIN
    dc=DOMAIN
    dc=LOCAL
  Subject:
    cn=dc1.DOMAIN.DOMAIN.LOCAL
    dc=DOMAIN
    dc=DOMAIN
    dc=LOCAL
  Validity Date:
    start date: 18:21:20 UTC Dec 27 2015
    end   date: 18:31:20 UTC Dec 27 2020
  Associated Trustpoints: DC1-DOMAIN-CA

Code:
do sh ver
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 04-Aug-15 05:50 by prod_rel_team

ROM: System Bootstrap, Version 15.4(1r)T1, RELEASE SOFTWARE (fc1)
82
Routing and Switching / Re: Cisco 3750 !!! WARNING: The switch is not usable !!!
« Last post by pinyowit on June 24, 2018, 07:46:41 PM »

Thank you for this answer.
83
Security / Avaya 802.1x Deployment
« Last post by robalvarado on June 05, 2018, 12:56:43 PM »
Hello Experts!

Has anyone had experience deploying dot1x to Avaya phones using Cisco ISE? I have tried with horrible results...

I've opened tickets with Avaya and they insist EAP-TLS has been enabled on the client side; however, each time I look at the RADIUS logs the client sends an EAP-NAK and doesn't even want to acknowledge the EAP exchange.

So my hope is that someone here has had experience and if they could share that knowledge for the greater good :)

Warm Regards,
-Rob
84
Security / Re: EAP Chaining
« Last post by MC on May 10, 2018, 09:44:35 PM »
Absolutely, AnyConnect NAM allows two different types of credentials for user and machine. You just need to configure it accordingly with the profile editor.
85
Security / EAP Chaining
« Last post by aris on May 07, 2018, 01:49:56 AM »
Hello,

We are using AnyConnect with EAP Chaining for machine and user authentication, but it seems we are hitting bug CSCuc13862 for Win8 and Win10. As we don't want to use the registry workaround, the solution would be to use certificates.

As we want to keep AnyConnect, is it possible to use certificates for machine authentication and credentials for user authentication?

Thank you.
86
I think that this question is very good.
87
Security / Re: SEC0257 (DVTI Part 2) - Virtual-Access interface routes not working
« Last post by MC on March 11, 2018, 09:06:31 PM »
The video uses an ISR4K router running 16+ code, so if you are using anything lower, you might have the issue. Some people have also reported the same. Some have suggested putting "crypto ikev2 authorization policy default" on the spoke side to force the hub to inject the route. Give it a try and see if that works.
88
Security / SEC0257 (DVTI Part 2) - Virtual-Access interface routes not working
« Last post by ChrisD777 on March 09, 2018, 05:16:32 AM »
Hi,
I have recreated the topology of the FlexVPN series in my own lab (another great video series BTW!).
So far, everything has worked exactly as per the videos, but I have now hit a roadblock:
In SEC0257 (DVTI Part 2) I have configured R1 to assign Tunnel IP addresses from a local pool.
The Branch Routers get the negotiated IP address correctly, and both Tunnels (to BR1 and BR2) come up OK.
However, R1 does not get the auto-generated static routes to the Tunnel endpoints via the Virtual-Access interfaces.
This means I don't have reachability across the tunnels and am unable to set up BGP routing.

I am using IOL 15.4(2)T4 images on EVE-NG for my Routers, but swapped R1 to CSR1000V (IOS XE 03.17.00.S / 15.6(1)S ) to see if it would help (it didn't).

Any ideas?


R1#show ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 1.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.1.1
      172.16.0.0/16 is variably subnetted, 6 subnets, 4 masks
S        172.16.0.0/16 [1/0] via 172.16.1.1

R1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       1.1.1.11        YES NVRAM  up                    up     
GigabitEthernet2       172.16.1.2      YES NVRAM  up                    up     
GigabitEthernet3       unassigned      YES NVRAM  administratively down down   
GigabitEthernet4       unassigned      YES NVRAM  administratively down down   
Loopback0              172.16.0.2      YES NVRAM  up                    up     
Loopback1              172.16.255.1    YES NVRAM  up                    up     
Virtual-Access1        172.16.255.1    YES unset  up                    up     
Virtual-Access2        172.16.255.1    YES unset  up                    up     
Virtual-Template1      172.16.255.1    YES unset  up                    down   


BR1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                2.2.2.2         YES NVRAM  up                    up     
Ethernet0/1                172.17.1.1      YES NVRAM  up                    up     
Ethernet0/2                unassigned      YES NVRAM  administratively down down   
Ethernet0/3                unassigned      YES NVRAM  administratively down down   
Loopback0                  172.17.0.1      YES NVRAM  up                    up     
Tunnel1                    172.16.255.61   YES NVRAM  up                    up   
89
Security / Re: Cisco ASA DNS
« Last post by MC on February 28, 2018, 07:53:27 PM »
In that case, the ASA should have no influence on the TTL. You can try turning off DNS inspection on the ASA too.
90
Security / Re: Cisco ASA DNS
« Last post by Pankz on February 28, 2018, 03:47:17 AM »
Thanks MC for reverting.

No, the user PC is configured with our internal DNS servers.