12-10-2012 06:36 AM - edited 02-21-2020 06:32 PM
Hi Guys.
Just upgraded to the newest version of AnyConnect... ASA running 8.4(4)1
I only have this security warning:
Does anyone know how to get rid of it? I have installed the cert on the client and get no warning when entering the HTTPS site for connecting / downloading the AnyConnect client.
If I accept, I will be logged on to AnyConnect, and this will show up every time I connect.
Please support.
12-10-2012 06:47 AM
Hi Filip,
The certificate used by the HTTP server (SSL VPN) needs to have an Extended Key Usage (EKU) value of 'Server Authentication'.
You have been able to use the Cisco CA on IOS for this for some time already.
Example PKI Server configuration:
crypto pki server CA
grant auto
hash sha1
eku server-auth client-auth
Trustpoint:
crypto pki trustpoint CA-self
enrollment url http://10.1.1.2:80
fqdn 10.1.1.2
ip-address 10.1.1.2
subject-name cn=10.1.1.2,ou=TAC
revocation-check none
eku request server-auth
I hope it helps. Cheers.
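The fix above hinges on one property of the ASA's identity certificate: its EKU extension must list id-kp-serverAuth (OID 1.3.6.1.5.5.7.3.1). The script below is an added example, not code from this thread or from Cisco; it is a standard-library-only DER walker that reports whether a certificate carries that value, so you can verify an exported identity certificate before (or instead of) re-enrolling. The sample "certificate" blobs it checks are constructed stand-ins that mimic only the Certificate -> TBSCertificate -> [3] extensions nesting; the walker descends through every constructed DER element, so it works the same way on a real DER or PEM certificate passed on the command line.

```python
"""
Does an X.509 certificate's Extended Key Usage include serverAuth?
Pure standard library; no OpenSSL or third-party module required.
Usage: python check_eku.py cert.pem   (DER or PEM input)
"""
import base64
import sys

EKU_OID = "2.5.29.37"                 # id-ce-extKeyUsage
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


# ---- DER encoding helpers (only used to build the constructed samples) ----

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                     # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def encode_eku_extension(purposes) -> bytes:
    # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    # extnValue wraps ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
    inner = der_tlv(0x30, b"".join(encode_oid(p) for p in purposes))
    return der_tlv(0x30, encode_oid(EKU_OID) + der_tlv(0x04, inner))


def sample_cert_like(extension: bytes) -> bytes:
    """Constructed stand-in: Certificate -> TBSCertificate -> [3] Extensions."""
    extensions = der_tlv(0x30, extension)
    tbs = der_tlv(0x30, der_tlv(0xA3, extensions))
    return der_tlv(0x30, tbs)


# ---- DER decoding ----

def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def iter_tlv(data: bytes):
    """Yield (tag, body) for each top-level TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:              # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length


def find_eku(der: bytes):
    """Depth-first search for the EKU extension; return its OIDs or None."""
    for tag, body in iter_tlv(der):
        if tag == 0x30:
            parts = list(iter_tlv(body))
            # Extension may carry an optional BOOLEAN 'critical' in the middle,
            # so the OCTET STRING is always taken as the last element.
            if parts and parts[0][0] == 0x06 and parts[-1][0] == 0x04 \
                    and decode_oid(parts[0][1]) == EKU_OID:
                seq = next(iter_tlv(parts[-1][1]))[1]
                return [decode_oid(b) for t, b in iter_tlv(seq) if t == 0x06]
        if tag & 0x20:                 # constructed element: descend into it
            found = find_eku(body)
            if found is not None:
                return found
    return None


def has_server_auth(der: bytes) -> bool:
    """True only if an EKU extension is present and lists serverAuth."""
    purposes = find_eku(der)
    return purposes is not None and SERVER_AUTH_OID in purposes


def load_cert_der(path: str) -> bytes:
    """Read a DER file, or a PEM file by stripping armor and base64-decoding."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.lstrip().startswith(b"-----BEGIN"):
        b64 = b"".join(l for l in raw.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(b64)
    return raw


# Constructed samples (not real certificates): one that satisfies the
# AnyConnect requirement, one with clientAuth only, one with no EKU at all.
GOOD_CERT = sample_cert_like(encode_eku_extension([SERVER_AUTH_OID, CLIENT_AUTH_OID]))
BAD_CERT = sample_cert_like(encode_eku_extension([CLIENT_AUTH_OID]))
NO_EKU_CERT = sample_cert_like(b"")

if __name__ == "__main__":
    cert = load_cert_der(sys.argv[1]) if len(sys.argv) > 1 else GOOD_CERT
    print("EKU purposes:", find_eku(cert))
    print("serverAuth present:", has_server_auth(cert))
```

A certificate with no EKU extension at all is reported as not satisfying the requirement, matching the thread's point that the value has to be explicitly present. When OpenSSL is at hand, `openssl x509 -in cert.pem -noout -text` and reading the "X509v3 Extended Key Usage" line gives the same answer.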
12-11-2012 12:15 AM
Hi Piotr.
Yes, I did read about this EKU change in the cert, but I am not able to use these commands in ASA IOS?
12-12-2012 12:53 PM
>You can use for it Cisco CA on IOS for some time already<
Which IOS version is that? I'm trying with 15.1.4 on a 2801... still not able to use the EKU command.
12-15-2012 11:44 PM
Hi,
Please refer to bug CSCtl97326, which was the feature request for EKU in the PKI server:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl97326
Based on this information, it was added in:
15.1(1)SY
15.2(0.7.3)PIB17
15.2(0.0.10)PIL17
15.2(0.3.1)PIH16
15.2(1.5)T
15.2(1.5)S
15.1(1.4)DPB22
15.2(1.0.0)IPI2
In the case of 15.1.4, I cannot check it without a trendline (T/S/M).