Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1341
Views
0
Helpful
4
Replies

Any Verisign/Symantec VIP Users Out There - SA540

doug_counsil
Level 1
Level 1

‎07-17-2012 10:11 PM

We have a Cisco SA540.  It has been an extremely reliable UTM  router.  Other than SSL VPN not working for Mac OSX, we are very pleased  with the unit.

We have a 3 year contract for IPS, a 3 year contract  for Trend Micro Protectlink Web, and a 3 year contract for Small  Business Support Service for the unit.

Right now we are trying to setup the VIP functionality  but it is not going very well.  To sum it up in a few words, we cannot  get the SA540 to prompt the SSL VPN users to enter the 6-digit access  code.

We setup an account at Verisign and requested a trial  for VIP.  They promptly setup the trial account.  Getting everything  setup was a breeze.  The Verisign website is very well documented.  They  even had specific instructions for Cisco SA500 Series routers!!!  We  were very impressed with Verisign's implemenation.  We are able to get  our SA540 to talk to Verisign (basically, when we activate or deactivate  an SSL VPN VIP user in the SA540 web GUI, you can immediately see it  enabling or disabling the user on the Verisign website... it is very  cool).

Unfortunately no matter what we do, we cannot get the  SA540 to prompt the SSL VPN user to enter the one time 6-digit code.  In  this case, we are using Verisign's iPhone app called 'VIP Access'.

I called into the SBSC and talked to a guy.  I felt  really bad for him.  He used WebEx to log into my desktop and I showed,  and explained, to him how all of it worked (setting up VIP in the SA540  web GUI, as well as, and the Verisign website).  He had no clue about  Verisign, VIP, or the two-factor authentacation concept at all.  I told  him that he needed to escalate my case to the SA500 Series team, but of  course he had to try and help me out himself first.  He was supposed to  call me back yesterday or today.  I am sure he is dreading calling me  back as he probably still has no clue.

Does anyone here use the VIP functionality?  Or at  least know how it works so they can help me set it up?  We would like to  at least get it to work before our 30-day trial period is up.  I have a  distinct feeling that the functionality used to work, but Cisco hasn't  kept up the firmware with all the latest back-end API calls to Verisign  or something similiar.

Labels:
0 Helpful
4 Replies 4

Tom Watts
VIP Alumni
VIP Alumni

‎07-31-2012 08:21 PM

Hello Curtis, I'd like to verify your process. I will assume the SSL is set up and that is working fine. Once the SSL stuff is done please verify the following;

VPN -> Verisign ID Protection -> VIP Configuration

Enable VeriSign Identity Protection [x]

Service Type [VIP Pilot/Developer Test Drive]  <--- Since you're using the free trial it cannot be selected for VIP Production

Certificate File [correct path]

Password for the certificate file: [xxxxxxxxx]

UPLOAD

VPN -> Verisign ID Protection -> Credential Management

Add

Credential ID [xxxxxx]

User [VPN User]

Apply

Under the action, ensure to Activate

Once this is completed, reboot the router and attempt to authenticate to the correct SSL portal using the user associated.

https://ipaddress/portal/SSLVPN

Please keep in mind for the Verisign Token, it can only be used for 1 user. Also, be sure to have all Active X and Java able to run and disable any pop-up blocker.

Please let me know if this helps.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful

doug_counsil
Level 1
Level 1
In response to Tom Watts

‎08-01-2012 10:15 AM

I have tried the scenario above, plus many others.  This device is in a production environment so I cannot tinker around with it until another scheduled maintenance window.

What's really interesting is that if I select 'Production', the router communicates with and updates Verisign (when activating and deactivating users).  If I select 'Pilot', the router states that that is cannot activate (or deactivate for that matter) users.  It produces an error.

FYI, when I login into Verisign it clearly states that I have a 'Trial' account at the top of the screen.

Perhaps you guys could attempt to re-produce our scenario in your lab, but using a trial Verisign account?

0 Helpful

Tom Watts
VIP Alumni
VIP Alumni
In response to doug_counsil

‎08-01-2012 11:11 AM

Send me a PM, I will open a case for you when I go to work today.

I need your serial number and Cisco ID.

I know there are some issues with the PIN not being presented for the second stage of authentication.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful

Tom Watts
VIP Alumni
VIP Alumni
In response to Tom Watts

‎08-01-2012 03:14 PM

Curtis, reference 622640831.

Thanks for providing the information and hopefully a resolution is soon.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents