gaushar7
Cisco Employee

Virtual Appliance (VA)/DNS Forwarders version 3.7.0 and AD Connector version 1.14.4 introduced Enhanced Authentication. This significantly improved the security of these important components.

We kindly request you upgrade to the latest versions: VA (version 3.7.1) and AD Connector (version 1.14.4), and transition to Enhanced Authentication as soon as possible.

Currently, both legacy and Enhanced Authentication methods are available to ensure business continuity for our customers. However, all customers must switch to Enhanced Authentication by the end of July 2025. Starting August 4, 2025, only Enhanced Authentication will be supported for VAs and AD Connectors. Failure to configure Enhanced Authentication by then will result in VAs and AD Connectors ceasing to sync, necessitating reinstallation to resume functionality.

Additionally, for organizations transitioning from Umbrella to Cisco Secure Access, we strongly advise upgrading to the latest versions of VAs (version 3.7.1) and AD Connectors (version 1.14.4) and configuring Enhanced Authentication prior to migration to ensure optimal performance.

Please reach out to us or the support team for any assistance regarding this matter.

Comments
ameluso
Level 1

We are on VA 3.7.1 and AD Connector 1.14.4, however we do not see a setting for Enhanced Authentication in the dashboard. Is there documentation on how to turn this feature on?

ameluso
Level 1

@Handy Putra Thank you. Am I reading that correctly? We will need to manually refresh the client key and secret every 90 days? Are we notified in some way?

gaushar7
Cisco Employee

@ameluso, every 90 days the client key and secret will auto-refresh. No manual intervention is required.

ameluso
Level 1

@gaushar7 Thanks. I generated the client key and secret. Will that automatically configure the ADC and VA? Or do I need to update their configuration manually? The articles linked do not mention that. Also, is there any indication or way to tell if we are now using Enhanced Authentication?

Hello,

when I try to enter the KeyAdmin Key and KeyAdmin Secret under Deployments / Configuration / Sites and Active Directory / Settings / Manage credentials, I just get an Error that I can dismiss. No description, no help, nothing, just the message "Error"...

Greets, Leonardo

Bas S
Level 1

We configured the API keys today. This was fairly painless for us.

After creating the Key Admin API Key, and generating the client API key, they are activated automatically. No further action needed.

We noticed that prior to this change, the API URL used was api.opendns.com (146.112.255.155). After configuring the new keys, the API URL changes to api.umbrella.com (146.112.59.20). This could be an indicator the new key is used. It would be an enhancement if it would be visible somewhere else though.
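Added example (not part of any post in this thread and not Cisco tooling): one way to turn the endpoint change described in the post above into a fleet-wide check, by reading egress log lines and reporting which VA or AD Connector hosts last contacted the legacy endpoint. The log line format, host names and sample lines are constructed assumptions; the endpoint names and addresses are the ones quoted in the post, which offers them only as a possible indicator.

```python
import re

# Endpoints as reported in the post above (a user observation, not a documented check).
LEGACY = {"api.opendns.com", "146.112.255.155"}
ENHANCED = {"api.umbrella.com", "146.112.59.20"}

# Constructed sample in a hypothetical "<iso-utc-timestamp> src=<host> dst=<endpoint>" format.
SAMPLE_LOG = """\
2025-06-01T08:00:00Z src=va-01 dst=api.opendns.com dport=443
2025-06-01T08:05:00Z src=adc-01 dst=146.112.255.155 dport=443
2025-06-02T09:00:00Z src=va-01 dst=api.umbrella.com dport=443
2025-06-02T09:10:00Z src=va-02 dst=146.112.59.20 dport=443
2025-06-02T09:15:00Z src=va-02 dst=example.org dport=443
garbage line
2025-06-03T10:00:00Z src=va-03 dst=api.umbrella.com dport=443
2025-06-04T10:00:00Z src=va-03 dst=api.opendns.com dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def classify(dst):
    """Map a destination name or address to 'legacy', 'enhanced' or None."""
    dst = dst.lower().rstrip(".")
    if dst in LEGACY:
        return "legacy"
    if dst in ENHANCED:
        return "enhanced"
    return None


def latest_endpoint_per_host(log_text):
    """Return {host: 'legacy' | 'enhanced'} based on each host's most recent API contact."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        kind = classify(m["dst"])
        if kind is None:
            continue  # unrelated destination
        # Fixed-format ISO-8601 UTC timestamps compare correctly as strings.
        if m["src"] not in latest or m["ts"] >= latest[m["src"]][0]:
            latest[m["src"]] = (m["ts"], kind)
    return {host: kind for host, (_, kind) in latest.items()}


def hosts_needing_attention(log_text):
    """Hosts whose most recent API contact was still the legacy endpoint."""
    return sorted(h for h, k in latest_endpoint_per_host(log_text).items() if k == "legacy")
```

A host that appears here should then be checked directly, since the endpoint seen in logs is indirect evidence only.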


With the help of Cisco Support I was able to create the KeyAdmin Key: providing a CIDR address in Network Restrictions can cause the problem I faced.

I have the same question as @ameluso: is there anything to be done on the VAs or AD Connectors after creating the Client Key + Client Secret?

Besides the URLs provided by @Handy Putra I found the following article in the Umbrella documentation: Other Configurations

Configure the Client ID and Client Secret
Create a new set of Umbrella API client credentials in Umbrella. For more information, see Configure Authentication for Virtual Appliances.
With your generated Umbrella API client key and secret, run the config authcred set command:
config authcred set "<client_id>:<client_secret>"

And I agree with @Bas S that it would be good to be able to check how the VAs and AD Connectors are authenticating.

Greets, Leonardo

Hello,

the Cisco Support technician told me how to check if the client credentials have been updated on the VAs and AD Connectors:

On the VA execute the command: config authcred show

On the AD Connector check the content of the config.dat file in the installation folder.

In my environment the client credentials were automatically updated, I didn't need to manually change the configuration.

Greets, Leonardo

ameluso
Level 1

I can confirm that what @LeonardoSchieder mentioned is reflected in our environment after adding the Client API key and secret in the dashboard. I see it mentioned in the config.dat file and on the VA. Would be great if it was reflected in the dashboard as well.

jjthomas
Level 1

I have made this change, and I can see the change reflected in the Config.dat file on our AD Connector. 

I am a little confused, though, from the instructions here. It seems to me that Step 1 and Step 2 are the required steps, and the sections Refresh API Key Credentials and Delete API Keys are not necessary to complete to make this authentication change. 

Additionally, I should expect to see the API Key automatically rotate in 90 days.
