
SA520 SSL VPN Two Factor Authentication

Hello Everybody,

Has anyone got any experience with two factor setup with Symantec VIP?

I just finished setting it up, and the VIP Service and SA520 seem to be synchronizing correctly, but the device doesn't direct VPN users for second authentication. Any ideas?

***Please rate all the useful posts***
-Prabath

doug_counsil
Level 1

I don't think Cisco supports Verisign VIP any longer.  And, I don't think Verisign knows about it yet.

Here are a couple of threads that I have opened regarding VIP.  We are experiencing the exact same issues as you.  The router seems to communicate with and update Verisign, but the router will not prompt for the 6-digit number after the SSL VPN user logs in.

https://supportforums.cisco.com/thread/2157584?tstart=0

https://supportforums.cisco.com/thread/2160657?tstart=60

I have tried and tried to get Cisco to support VIP, but they won't answer any questions about it here on the forums, nor is SBSC any help.  I called, opened a case (the guy didn't give a case number though), and they promised to call me back the next day.  They never did.

Our trial ends very shortly.  We will reset our SA540 to factory defaults a few days before the trial ends just in case our SA540 shoots craps when the trial expires.  We (or I actually) have kept detailed notes regarding all of our settings.  I just hope that our 3-year licenses for IPS and Trend Micro ProtectLink Web remain intact.

I wish I had better news for you.

I just logged a TAC case and they advised me it should work, but the TAC tech didn't have much knowledge of the device, so he went looking for a specialist for the device and is supposed to get back to me tomorrow. Will give you an update as soon as I have a reply.

You should be able to get a backup of the current config from the Administration section.

***Please rate all the useful posts***
-Prabath

That's great.  We don't have access to TAC.  We purchased a 3-year support contract from CDW (online) for our SA540, but that doesn't give us access to TAC.  We have to go through CDW (I guess?) if we want something entered into TAC.

Hey Curtis, apparently it's a firmware issue and you need to contact TAC and obtain a working version of the firmware. I just got mine sorted out by loading a beta version. Should have gone with the lower-end ASA series if I knew that this was going to be such a pain.

***Please rate all the useful posts***
-Prabath

Thanks for the heads up.  I opened a case with the CSBC and received a beta version as well.  We loaded it a couple of days ago and re-configured our router, but we did not have time to jack with the Verisign VIP stuff.  What version did you get?  I got 2.2.0.3_1.  Just curious so I can make sure we are on the same version.

Mine is 2.1.78 and the one I had was 2.1.78 (this is the one that didn't work). When comparing to your 2.2.0.3_1, it seems like they have a couple of major releases in between, and I have no idea why they are still giving away betas. Something's just not right here.

***Please rate all the useful posts***
-Prabath

The firmware they provided you was probably compiled to fix your specific issue (at one time or another).  2.1.78 would be much less risky to implement in a production environment than 2.2.0.3_1!

We specifically requested the latest beta firmware that is being regression tested right now.

Yeah, that would be right, as the techo said they are planning to release this version very soon, but no ETA yet. Hopefully wouldn't have any more issues.

***Please rate all the useful posts***
-Prabath

As discussed in several other threads, it is costly to release each firmware release.  Not only do you have the cost of performing the requirements, design, coding, and testing, you have the cost of writing the documentation, including the release notes and open source PDFs.

For the reason above, I hope they skip the 2.1.78 release and put all of their efforts into 2.2.0.x (including any bug fixes they implemented in 2.1.78), so it can be released sooner.  We are going on 3 days of running 2.2.0.3_1 and it seems to be a solid build.

I will let you know though if the Verisign VIP trial works as soon as I get the approval to implement it.

Well I took the time to re-try implementing Verisign VIP and it is still exhibiting the same behavior.  Using 'Pilot' doesn't work (I can't activate users), but 'Production' does.  Unfortunately users still aren't prompted to enter the 6 digit code after logging in though.

2.1.78 must have been built specifically to fix Verisign VIP.  Hopefully they implement the same fixes into the 2.2.0.x firmware.  In the meantime I will need to contact the CSBC to get 2.1.78. 

2.1.78 does the same on validation if you select Pilot. I raised the same question with the tech, and he advised me that VIP is not a pilot anymore and the service they currently offer is a trial of the real thing.

***Please rate all the useful posts***
-Prabath

Good to know.  Thanks.

I still can't get our SA540 to prompt for the 6 digit code after logging into SSL VPN.    I have emailed the level 2 tech assigned to my case.  I'll let you know what I find out.  The last thing we need is for the VIP *fix* in 2.1.78 to get lost when 2.2.0.x goes live.

preranda78,

Please read your Private Messages.

Tech Support sent me a link for 2.1.78.  I don't think I will have the opportunity to deploy the new firmware for a few weeks.  I'll keep you guys posted on whether or not I can get Verisign VIP to work with this firmware.
