Cisco 5505 Administration Guide - Page 23
Example Set 2, Scenarios Where a User Might See the Security Alert, Scenario - 10 users
Chapter 2 Common AnyConnect VPN Client Installation and Configuration Procedures
Before You Install the AnyConnect Client

3. The user connects successfully to security appliance #1.
4. The user disconnects from security appliance #1.
5. The user reconnects to badly configured security appliance #1.
6. The user does not see the pop-up dialog box, because the certificate is stored in the preferences file. The user connects successfully to security appliance #1.
7. The user disconnects from security appliance #1.
8. The user connects to correctly configured security appliance #2.
9. The user sees no dialog box and connects successfully.
10. The user disconnects from security appliance #2.
11. The user connects to badly configured security appliance #1.
12. The user sees a pop-up Security Alert dialog box prompt.

Example Set 2

The following are examples of non-serious errors that result in a Security Alert dialog box prompting the user.

• Invalid Common Name: The hostname in the certificate sent to us from the security appliance does not match the hostname that the user connected to. For example, the user connects to 10.94.147.93, and the certificate received from the security appliance contains cvc-asa06.cisco.com. 10.94.147.93 and cvc-asa06.cisco.com might or might not be the same machine. The Security Alert dialog box prompts the user to approve or disapprove the certificate.
• Invalid Date: The certificate received from the security appliance has expired or is not yet valid. This could be because the date on the customer's machine is incorrect or because the certificate really is invalid. The Security Alert dialog box prompts the user to approve or disapprove the certificate.
• Invalid Certificate Authority: The certificate received from the security appliance has been signed by a Certificate Authority that is not recognized by the AnyConnect client. The AnyConnect client prompts the user for approval/disapproval.
Recommendation: The root certificate (certificate of the Certificate Authority) should be imported into the client machine out of band (via E-mail, website, floppy disk, CD, and so on).

Example Set 3

The following are examples of serious errors that result in no Security Alert prompt and no connection.

• Certificate cannot be read.
• Bad password.
• Certificate not sent to the client.
• Bad Usage: Certificate received from the security appliance was not meant to be used as a server certificate.

Scenarios Where a User Might See the Security Alert

• Scenario A: The user gets the server certificate for their security appliance from a non-trusted certificate authority; for example, their own certificate authority or cacert.org. The user sees the Security Alert pop-up on the first connection attempt but never thereafter until he or she switches to a different security appliance and back.

OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 2-5
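
The three Example Set 2 conditions written out as checks, in an added Python example that is not from the Cisco guide or the AnyConnect client. It takes a dict shaped like the one Python's ssl.SSLSocket.getpeercert() returns; the sample certificate, the "Example Lab Root CA" name and the check time are constructed, and trust is decided by issuer name only (an assumption for brevity, where a real client verifies the signature chain).

```python
import ssl
from datetime import datetime, timezone

def _names(cert):
    """Every name the certificate claims: subject commonName plus SAN entries."""
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v for _kind, v in cert.get("subjectAltName", ())}
    return {n.lower() for n in names}

def _issuer_cn(cert):
    """commonName of the issuer, or None if the issuer carries none."""
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                 if k == "commonName"), None)

def security_alert_reasons(cert, connected_to, trusted_issuers, now=None):
    """Return the Example Set 2 conditions that apply; an empty list means no alert.

    `now` must be a timezone-aware datetime. Passing it explicitly shows how a
    wrong client clock alone produces "Invalid Date" for a valid certificate.
    Exact name match only: wildcard certificates are not handled here.
    """
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    reasons = []
    # Name the user typed (hostname or IP) must be one the certificate claims.
    if connected_to.lower() not in _names(cert):
        reasons.append("Invalid Common Name")
    # Expired or not yet valid, judged against the supplied clock.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now_ts <= not_after):
        reasons.append("Invalid Date")
    # Assumption: issuer-name lookup stands in for real chain verification.
    if _issuer_cn(cert) not in trusted_issuers:
        reasons.append("Invalid Certificate Authority")
    return reasons

# Constructed sample certificate, using the hostname from the guide's example.
SAMPLE_CERT = {
    "subject": ((("commonName", "cvc-asa06.cisco.com"),),),
    "issuer": ((("commonName", "Example Lab Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2009 GMT",
}
TRUSTED = {"Example Lab Root CA"}  # root imported out of band, per the Recommendation
CHECK_TIME = datetime(2008, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for target in ("10.94.147.93", "cvc-asa06.cisco.com"):
        print(target, security_alert_reasons(SAMPLE_CERT, target, TRUSTED, CHECK_TIME))
```

Connecting by IP address triggers the name mismatch even though the certificate is otherwise valid, which is the 10.94.147.93 case the guide describes.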