07-17-2012 10:11 PM
We have a Cisco SA540. It has been an extremely reliable UTM router. Other than SSL VPN not working for Mac OSX, we are very pleased with the unit.
We have a 3 year contract for IPS, a 3 year contract for Trend Micro Protectlink Web, and a 3 year contract for Small Business Support Service for the unit.
Right now we are trying to setup the VIP functionality but it is not going very well. To sum it up in a few words, we cannot get the SA540 to prompt the SSL VPN users to enter the 6-digit access code.
We setup an account at Verisign and requested a trial for VIP. They promptly setup the trial account. Getting everything setup was a breeze. The Verisign website is very well documented. They even had specific instructions for Cisco SA500 Series routers!!! We were very impressed with Verisign's implementation. We are able to get our SA540 to talk to Verisign (basically, when we activate or deactivate an SSL VPN VIP user in the SA540 web GUI, you can immediately see it enabling or disabling the user on the Verisign website... it is very cool).
Unfortunately no matter what we do, we cannot get the SA540 to prompt the SSL VPN user to enter the one time 6-digit code. In this case, we are using Verisign's iPhone app called 'VIP Access'.
I called into the SBSC and talked to a guy. I felt really bad for him. He used WebEx to log into my desktop and I showed and explained to him how all of it worked (setting up VIP in the SA540 web GUI, as well as the Verisign website). He had no clue about Verisign, VIP, or the two-factor authentication concept at all. I told him that he needed to escalate my case to the SA500 Series team, but of course he had to try and help me out himself first. He was supposed to call me back yesterday or today. I am sure he is dreading calling me back as he probably still has no clue.
Does anyone here use the VIP functionality? Or at least know how it works so they can help me set it up? We would like to at least get it to work before our 30-day trial period is up. I have a distinct feeling that the functionality used to work, but Cisco hasn't kept up the firmware with all the latest back-end API calls to Verisign or something similar.
07-31-2012 08:21 PM
Hello Curtis, I'd like to verify your process. I will assume the SSL is set up and that is working fine. Once the SSL stuff is done please verify the following:
VPN -> Verisign ID Protection -> VIP Configuration
Enable VeriSign Identity Protection [x]
Service Type [VIP Pilot/Developer Test Drive] <--- Since you're using the free trial it cannot be selected for VIP Production
Certificate File [correct path]
Password for the certificate file: [xxxxxxxxx]
UPLOAD
VPN -> Verisign ID Protection -> Credential Management
Add
Credential ID [xxxxxx]
User [VPN User]
Apply
Under the action, ensure to Activate
Once this is completed, reboot the router and attempt to authenticate to the correct SSL portal using the user associated.
https://ipaddress/portal/SSLVPN
Please keep in mind for the Verisign Token, it can only be used for 1 user. Also, be sure to have all ActiveX and Java able to run and disable any pop-up blocker.
Please let me know if this helps.
-Tom
08-01-2012 10:15 AM
I have tried the scenario above, plus many others. This device is in a production environment so I cannot tinker around with it until another scheduled maintenance window.
What's really interesting is that if I select 'Production', the router communicates with and updates Verisign (when activating and deactivating users). If I select 'Pilot', the router states that it cannot activate (or deactivate for that matter) users. It produces an error.
FYI, when I log into Verisign it clearly states that I have a 'Trial' account at the top of the screen.
Perhaps you guys could attempt to reproduce our scenario in your lab, but using a trial Verisign account?
08-01-2012 11:11 AM
Send me a PM, I will open a case for you when I go to work today.
I need your serial number and Cisco ID.
I know there are some issues with the PIN not being presented for the second stage of authentication.
-Tom
08-01-2012 03:14 PM
Curtis, reference 622640831.
Thanks for providing the information and hopefully a resolution is soon.
-Tom