Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About Tor_in_Bergen
Community Record
9
Posts
3
Kudos
0
Solutions
Badges
Aug 15 2023
2:39 AM
Got links from Support describing requirements for the certificates and have now set up a test with self-signed certificates. Seeing that things work if the certificate has the correct setup. This is anyway client authentication so the client needs private keys, remember to use a template that has client authorization as its use. https://documentation.meraki.com/General_Administration/Other_Topics/Certificate_Requirements_for_TLS https://learn.microsoft.com/en-GB/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap
... View more
Aug 10 2023
12:50 AM
The DART bundle is nice stuff! From the Anyconnect log in the bundle (from Cisco Secure Client) it’s looks like I do not have a VPN Profile. Therby If no certificate matching criteria is specified, Cisco Secure Client applies the following certificate matching rules: Key Usage: Digital_Signature Extended Key Usage: Client Auth Should like to know if this message means that the CA root cert is okey; "Description : Function: CTransportCurlStatic::PeerCertVerifyCB File: C:\temp\build\thehoff\Quicksilver_MR20.384855878117\Quicksilver_MR2\vpn\Api\CTransportCurlStatic.cpp Line: 1062 Return success from VerifyServerCertificate" AND is it actually possible to change the crypto dialog by changing the clients XML by using Cisco Secure Client Profile Editor? Seems like in the Certificate Matching module..? Open a support case in this matter yes..
... View more
Aug 9 2023
12:19 AM
Hi Alex, We have taken out the Root CA certificate as .cer (with BASE64 format)and uploaded it with the «Browse» button. Says «uploaded» but we are not sure it’s accepted. When we roll out a certificate to the client we taught it would be sufficient with a client certificate from the same issuer as specified in the root cert. The subject/owner is the client itself so it’s different from the root Ca cert. From a cryptography perspective we just want the AnyConnect server on the MX to accept all client certificates from the same issuer (our own CA) The Secure Client is able to see the client certificate but will not accept it, seems like our root CA cert is not accepted, there are some requirements we not fulfill for sure but wich...?
... View more
Aug 4 2023
12:23 AM
Hi Philip, We have found very little info about the cryptography in this matter, is it client auth in the process or not? We have used a workstation certificate template, not sure that’s the right one We have rolled out all the client certificates to the local machine store. When we uploaded our root certificate we expected AnyConnct to accept any client certificates issued to the local machine by our CA. Can you elaborate on what you mean here, how do we change crypto settings on the Anyconnect server on MX?
... View more
Aug 3 2023
5:03 AM
We are setting up AD authentication in the MX AnyConnect setting -its working fine until we enabled a certificate. The AnyConnect server on the MX supports client certificate authentication as a factor of authentication. If certificate authentication is enabled, the AnyConnect server will use the uploaded trusted CA certificate to validate authenticating clients before requesting for the users' credentials. We have a Windows CA in Enterprise mode, should we just export the Root certificate in PEM format, from Windows a file named .cer in Base64 format?? Manual says; With certificate authentication, the administrator uploads a .pem or .crt file of the issuing CA certificate to the MX. , Since we have our own CA we autoenroll a Workstation template based certificate to the end user's device. It's not working as we hoped - Any ideas?
... View more
Jan 18 2022
2:10 AM
The latest system updates from Microsoft have caused some trouble, listed under you will find the needed fixe to install; Windows 11, versjon 21H1 (opprinnelig versjon): KB5010795 Windows Server 2022: KB5010796 Windows 10, versjon 21H2: KB5010793 Windows 10, versjon 21H1: KB5010793 Windows 10, versjon 20H2, Windows Server, versjon 20H2: KB5010793 Windows 10, versjon 20H1, Windows Server, versjon 20H1: KB5010793 Windows 10, versjon 1909, Windows Server, versjon 1909: KB5010792 Windows 10, versjon 1607, Windows Server 2016: KB5010790 Windows 10, versjon 1507: KB5010789 Windows 7 SP1: KB5010798 Windows Server 2008 SP2: KB5010799
... View more
Jan 18 2022
2:08 AM
The latest system updates from Microsoft have caused some trouble, listed under you will find the needed fixe to install; Windows 11, versjon 21H1 (opprinnelig versjon): KB5010795 Windows Server 2022: KB5010796 Windows 10, versjon 21H2: KB5010793 Windows 10, versjon 21H1: KB5010793 Windows 10, versjon 20H2, Windows Server, versjon 20H2: KB5010793 Windows 10, versjon 20H1, Windows Server, versjon 20H1: KB5010793 Windows 10, versjon 1909, Windows Server, versjon 1909: KB5010792 Windows 10, versjon 1607, Windows Server 2016: KB5010790 Windows 10, versjon 1507: KB5010789 Windows 7 SP1: KB5010798 Windows Server 2008 SP2: KB5010799
... View more
Nov 26 2021
8:04 AM
2 Kudos
The simple fix is to change the encryption setting after the profile defined it as ‘Optional’ An example; Add-VpnConnection -Name “VPN Name” -ServerAddress “remote..” -TunnelType "L2tp" -EncryptionLevel "Optional" Then change values in the pbk file in use; $rasphone = "$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk" (Get-Content $rasphone) -replace 'DataEncryption=8', 'DataEncryption=256' | Set-Content $rasphone You need to check your file, but for now Microsoft sets the value to DataEncryption=8 if there is no visible encryption. MS dont know about the IPSEC solution in Meraki. Check your value by replace line 2 with this one; Get-Content $rasphone We've combined some of the scripts referenced in the tread, summarized under, it rolls out an VPN profile to logged-in user, tested Okey in Intune. The trick is in short, set Dataencrypion to Optinal and then change the pbk file ***** #Cloudflex AS # VPN with PAP over IPSEC for Meraki VPN [CmdletBinding()] param( [Parameter()][string]$Name='VPN Name', [Parameter()][string]$ServerAddress='remote.domain.com', [Parameter()][string]$PSK='The secret', [Parameter()][string]$DnsSuffix='remote.domain.com' ) $NeedsReboot = $false Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType "L2tp" -EncryptionLevel "Optional" -AuthenticationMethod PAP -L2tpPsk $PSK -RememberCredential -DnsSuffix $DnsSuffix -PassThru -Force -Confirm:$false If((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\' -Name 'AssumeUDPEncapsulationContextOnSendRule' -ErrorAction SilentlyContinue) -eq $null) { New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\' -Name 'AssumeUDPEncapsulationContextOnSendRule' -Value 2 -PropertyType 'DWord' Write-Host 'Please reboot before attempting to connect.' -ForegroundColor Yellow $NeedsReboot = $true } $rasphone = "$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk" (Get-Content $rasphone) -replace 'IpInterfaceMetric=0', 'IpInterfaceMetric=1' | Set-Content $rasphone $rasphone = "$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk" (Get-Content $rasphone) -replace 'DataEncryption=8', 'DataEncryption=256' | Set-Content $rasphone
... View more
Nov 26 2021
6:58 AM
1 Kudo
The simple fix is to change the setting in $env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk An example; $rasphone = "$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk" (Get-Content $rasphone) -replace 'DataEncryption=8', 'DataEncryption=256' | Set-Content $rasphone You need to check, but for now Microsoft sets the value to DataEncryption=8 Check your value by replace line 2 with this one; Get-Content $rasphone We've combined some of the scripts referenced below, summarized like this, it rolls out an VPN profile to logged-in user The trix is in short, set Dataencrypion to Optinal and then hack the pbk file ***** #Cloudflex AS # VPN with PAP over IPSEC for Meraki VPN [CmdletBinding()] param( [Parameter()][string]$Name='VPN Name', [Parameter()][string]$ServerAddress='remote.domain.com', [Parameter()][string]$PSK='The secret', [Parameter()][string]$DnsSuffix='remote.domain.com' ) $NeedsReboot = $false Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType "L2tp" -EncryptionLevel "Optional" -AuthenticationMethod PAP -L2tpPsk $PSK -RememberCredential -DnsSuffix $DnsSuffix -PassThru -Force -Confirm:$false If((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\' -Name 'AssumeUDPEncapsulationContextOnSendRule' -ErrorAction SilentlyContinue) -eq $null) { New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\' -Name 'AssumeUDPEncapsulationContextOnSendRule' -Value 2 -PropertyType 'DWord' Write-Host 'Please reboot before attempting to connect.' -ForegroundColor Yellow $NeedsReboot = $true } $rasphone = "$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk" (Get-Content $rasphone) -replace 'IpInterfaceMetric=0', 'IpInterfaceMetric=1' | Set-Content $rasphone $rasphone = "$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk" (Get-Content $rasphone) -replace 'DataEncryption=8', 'DataEncryption=256' | Set-Content $rasphone
... View more
My Top Kudoed Posts
© 2024 Cisco Systems, Inc.
