New Member

AnyConnect 3.1.01065

Hi Guys.

Just upgraded to the newest version of AnyConnect... ASA running 8.4(4) 1

I only have this security warning:

Does anyone know how to get rid of it? I have installed the cert on the client and have no warning when entering the https site for connecting / downloading the AnyConnect client.

If I accept, I will be logged on to AnyConnect, and this will show up every time I connect.

Please support.

4 REPLIES
Cisco Employee

AnyConnect 3.1.01065

Hi Filip,

The certificate that is used by the HTTP Server (SSLVPN) needs to have an Extended Key Usage (EKU) value of 'Server Authentication'.

You have been able to use the Cisco CA on IOS for this for some time already.

Example PKI Server configuration:

crypto pki server CA
 grant auto
 hash sha1
 eku server-auth client-auth

Trustpoint:

crypto pki trustpoint CA-self
 enrollment url http://10.1.1.2:80
 fqdn 10.1.1.2
 ip-address 10.1.1.2
 subject-name cn=10.1.1.2,ou=TAC
 revocation-check none
 eku request server-auth

I hope it helps. Cheers.
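
Added example, not part of the original reply or of any Cisco tooling: a standard-library Python check that lists the Extended Key Usage purposes in DER certificate data, to confirm that a re-issued certificate carries 'Server Authentication' (OID 1.3.6.1.5.5.7.3.1). The function names and the two hand-built sample byte strings are assumptions made for this illustration.

```python
# Added example: list the Extended Key Usage (EKU) purposes in DER certificate data.
EKU_EXT = "2.5.29.37"              # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each DER element packed inside value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(val):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, n = [], 0
    for b in val:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der):
    """Return the EKU purpose OIDs found in der, or None if there is no EKU extension."""
    for tag, val in children(der):
        if not tag & 0x20:  # primitive element: nothing nested to search
            continue
        kids = list(children(val))
        if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == EKU_EXT:
            _, purposes, _ = read_tlv(kids[-1][1], 0)  # OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for _, v in children(purposes)]
        found = eku_oids(val)
        if found is not None:
            return found
    return None

def has_server_auth(der):
    """True only when an EKU extension is present and lists Server Authentication."""
    return SERVER_AUTH in (eku_oids(der) or [])

# Constructed samples: only the [3] extensions field of a certificate, built by hand.
BOTH = bytes.fromhex("a321 301f 301d 0603551d25 0416 3014 06082b06010505070301 06082b06010505070302")
CLIENT_ONLY = bytes.fromhex("a317 3015 3013 0603551d25 040c 300a 06082b06010505070302")
```

For a certificate saved in PEM form, `ssl.PEM_cert_to_DER_cert()` from the standard library produces the bytes that `has_server_auth()` expects.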

New Member

AnyConnect 3.1.01065

Hi Piotr.

Yes, I did read about this EKU change in the cert, but I'm not able to use these commands in ASA IOS?

New Member

Re: AnyConnect 3.1.01065

>You can use for it Cisco CA on IOS for some time already<

Which IOS version is that? I'm trying with 15.1.4 on a 2801... still not able to use the EKU command.

Cisco Employee

Re: AnyConnect 3.1.01065

Hi,

Please refer to the bug CSCtl97326, which was a feature request for EKU in PKI Server:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl97326

Based on this information it is added in:

15.1(1)SY

15.2(0.7.3)PIB17

15.2(0.0.10)PIL17

15.2(0.3.1)PIH16

15.2(1.5)T

15.2(1.5)S

15.1(1.4)DPB22

15.2(1.0.0)IPI2

In case of 15.1.4 I cannot check it without a trendline (T/S/M).
