Windows 11: Enable Ransomware Protection

KB ID 0001774

Problem

You can enable Ransomware Protection for files and folders within Windows 11 (this assumes you have access to OneDrive, as the protected folders are backed up there).

Locate and Enable Ransomware Protection

Windows Button > Settings.

Search for “Windows Security”.

Virus & Threat Protection (if yours is not selectable, see the video above).

Locate Ransomware Protection.

Switch to ‘On’.

Yes.

To see the folders currently being protected select ‘Protected Folders’.

Here you can add any folders to the default ones.

Related Articles, References, Credits, or External Links

NA

Running Dropbox On Windows Server

KB ID 0001489

Problem

If you are here, you have probably already found out that Dropbox is not supported on Windows Server platforms. You can install it and set it up happily, but it stops working and needs to be relaunched (manually) all the time.

I love Dropbox! So much that I actually pay for it! I run it on my management server and it’s handy for copying files up into my test network, so I can appreciate how annoying it is having to restart it all the time. So to fix the problem we have to use a piece of software that’s over 15 years old!

Running Dropbox as a Service on Windows Server

First you have to stop Dropbox running.

Then download srvany and extract the executable to the Dropbox install directory (C:\Program Files (x86)\Dropbox). Note: This file is from the old Windows Server 2003 Resource Kit.

From an elevated command prompt run the following command (the spaces after binPath= and DisplayName= are required by sc):

[box]sc create Dropbox binPath= "C:\Program Files (x86)\Dropbox\srvany.exe" DisplayName= "Dropbox Service"[/box]

Run services.msc > locate the Dropbox service > set its ‘Log On’ account to the account you were logged in with when you installed the Dropbox software.

Change the startup type to Automatic (don’t start the service yet!) > OK.

Execute the following three commands from an elevated PowerShell window (they tell srvany which program to launch, then start the service):

[box]

New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Dropbox\Parameters -Name Application -PropertyType String -Value "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe"

Start-Service Dropbox

[/box]

Update:

You also need to execute the following from an ‘Administrative command window’ (or Dropbox will stop synchronising after a few hours); it sets a machine-wide environment variable that forces the Dropbox client to use software OpenGL rendering.

[box]

SETX /M QT_OPENGL software

[/box]

Related Articles, References, Credits, or External Links

Special Thanks to Frédéric for the SETX command to fix the timeout.

Get Free Cisco AnyConnect Licences For COVID-19 Homeworkers

KB ID 0001661

Problem

Cisco released information on their blog a few days ago to say that they would be offering free Umbrella, Duo and AnyConnect licences to customers in the wake of the COVID-19 outbreak.

That’s great news, but there’s no information on how to get the AnyConnect licences; it just says speak to your Cisco partner. As I am a Cisco partner I was confused, and it seems my colleagues were also. So I contacted Cisco Partner Help, who passed me to Licensing, who passed me to Cisco TAC, who opened a call. 24 hours later, still no reply. Luckily by this time a colleague had managed to set this up for a client, and he pointed me in the right direction (cheers Trev!).

Solution

Note: This procedure DOES NOT work for vASA or FTD. Instead, you can email licensing@cisco.com with the subject ‘COVID-19 AnyConnect License Request’. Provide your platform information and Smart Account details, and they will provision licences for your account that you can then assign via the usual methods.

Note: I exclusively work at the command line; I realise some people are terrified of doing this, so if you want to work with activation keys and serial numbers in the ASDM then read this post.

Log into your Cisco device (in my case a Cisco ASA) and get the serial number (issue a show version command).

Note: I would also take a copy of the existing Activation Key at this point, paste it into Notepad and keep it somewhere safe, so you can revert if needed.

Also from the show version output you will see I only have the factory default 2 AnyConnect Premium licences.

You will need a Cisco CCO account; these are free to set up, and once you have one you can log into the licensing portal. From there (either using classic licences or Smart licences) > Get Licences > Demo and Evaluation > Security Products > AnyConnect Plus/Apex (ASA) Demo Licence and Emergency COVID-19 Licence > Next.

Enter the serial number of your ASA (from above). Here I asked for 10 users; you will get the maximum for your model of ASA. If you don’t know what the maximum is, see this article > Next.

Review > Next.

You will get sent the licence by email (this has a habit of going into spam!) but I download them directly anyway.

Here’s your new activation key; copy it to the clipboard.

Execute the following commands (the key below is the page’s example, yours will differ):

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# activation-key a27ed158 406176b7 799f41f2 6184be43 12345678
Validating activation key. This may take a few minutes...
The requested key is a timebased key and is activated, it has 91 days remaining.

[/box]

Now if you recheck your AnyConnect licence count, it will match the maximum for your hardware.

I need more! Sorry buddy, you need to replace the hardware with a larger model.

Related Articles, References, Credits, or External Links

AnyConnect 4 – Plus and Apex Licensing Explained

Cisco ASA 5500 AnyConnect Setup From Command Line

Windows – Lost / Forgotten Password?

KB ID 0000755

Problem

There are many reasons why you might want to do this: someone has changed a user password and that person is not available, or you might simply have forgotten it. Or you might have been given a machine, or bought one from eBay, that has come without a password. Also there have been a few times when a user has looked me in the eye and said “I’m typing my password in, but it’s not working”. I have never seen a password change on its own, so I will just put that down to the evil password gremlins.

The procedure will also work on the Windows local Administrator password; just bear in mind that this account is disabled by default (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.

You can also use this procedure to blank (or reset) a Domain Controller’s DSRM (Directory Services Restore Mode) password.

You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.

Solution

How to Burn the ISO Disc Image

1. Download the Password Reset CD Image.

2. Download ImgBurn and install it, then launch the program. If it does not look like this you need to select View > EZ-Mode Picker. Select the ‘Write image file to disc’ option.

3. The file you downloaded is a zip file that contains the disc image; you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disc image you have just extracted > Open.

4. Select the burn to disc icon (Note: This will be greyed out until there is a blank CD in the drive). The image is very small, so it will not take long to burn.

Carry Out a Windows 8 Password Reset.

This procedure uses the boot CD you have just created. For it to work you need to make sure the machine will attempt to boot from its CD/DVD drive before it boots from its hard drive (or it will simply boot into Windows again). This change in ‘Boot Order’ is carried out in the machine’s BIOS; how you enter this varies depending on the machine vendor. When you first turn on the machine watch for a message that looks like “Press {key} to enter Setup”, typically Esc, Del, F1, F2, or F9. When in the BIOS locate the boot order and move the CD/DVD drive to the top of the list.

1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.

2. Depending on how many disks/partitions you have, it will discover them and assign a number to each one. Here I only have 1, so I will type ‘1 {Enter}’.

Note: You may see a small 300MB partition; ignore that (it is the Windows boot/system reserved partition). You may also see your machine’s recovery partition if it has one; if that’s the case you may have to carry out some trial and error to get the right one.

3. The system is set to look for the default registry location C:\Windows\System32\Config, so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.

4. We want password reset so select option 1.

5. We will be editing user data and passwords, so again select option 1.

6. You will be presented with a list of the user objects that it can locate. Here I want to reset the password for the ‘PeteLong’ user object, so simply type in the username you want to edit.

Note: As mentioned, you can see here that the Administrator account is disabled; if you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.

7. You can choose option 2 and type in a new password, but I’m going to blank the password by selecting option 1, then change it when I get back into the machine.

8. To step back you need to enter an exclamation mark.

9. Enter a ‘q’ to quit.

10. To write the changes you have made enter a ‘y’.

11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.

12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.

13. As the user object we are dealing with was the last one that logged on, it will select that account as soon as the computer boots, and now that it has a blank password it will automatically log on.

14. To change the password, press Ctrl+I > Change PC settings.

15. Users > Create a password.

16. Type and confirm your new password, and enter a password hint > Next.

17. Log off the account and test the new password.

 

Related Articles, References, Credits, or External Links

NA

VMware vSphere Virtual Machine Encryption

KB ID 0001470

Problem

Other than learning this for an exam, I’ve never had to deploy this in anger. So when I heard we had a customer at work who wanted to take a look at it, I was quite keen to take a look.

To encrypt a VM you need an additional KMS (Key Management Server), which VMware do not provide. They do provide a list of supported ones, so there’s no point in me posting a list that will be out of date in a couple of weeks. Our client expressed a preference for HyTrust, so that’s what I ran with.

WARNING: You need vCenter 6.5 or above to do VM encryption.

Deploy HyTrust KMS Server

At the time of writing the current version is 4.2.1; you can get a 60 day trial if you want to give it a test.

Pull down the appliance and deploy the OVF into your environment;

VMware vSphere – How to Import and Export OVF and OVA Files

Go and get a coffee. When deployed, connect to the console, set a console password, and follow the instructions until it tells you to connect via a browser.

Connect via a browser (the default username and password are both secroot), change the password when prompted, and proceed to KMIP. By default the service is disabled, so enable it. (Take note of the port number, 5696; you will need this later!)

Client Certificates > Action > Create Certificate > Give it a name, and leave the password section blank.

Actions > Download certificate > Save the zip file. If you open it you will find two PEM files (you only actually need the one that has the same name as you used above).

Over on your vCenter > select the vCenter > Configure > Key Management Servers > Add.

Supply a name, the IP address of the appliance, and the port number (5696) > OK > Yes.

Trust.

Select the KMS > Establish trust with KMS.

Upload a certificate and private key > OK.

Paste the SAME PEM FILE into both the top and bottom windows (the one with the name you chose, and downloaded earlier) > OK.

If you have done everything right, all the status lights should ‘go green’.

You can now create a VM Storage Encryption Policy. (Well, you can create one first, but without a KMS server nothing will get encrypted.)

Part Two: VMware: Creating a Storage Encryption Policy

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – With Google Authenticator 2 Factor Authentication

KB ID 0001256 

Problem

This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said yes, this is possible, you deploy it with FreeRADIUS and it works great. The problem was, a lot of the information is a little out of date, and some of it is ‘wrong enough’ to make the non-technical types give up. But I persevered, and got it to work.

Disclaimer: This is not an exercise in deploying AnyConnect; I’ve got that covered to death all over the website. Use the search function above, or simply go to the following article:

Cisco ASA 5500 AnyConnect Setup From Command Line

So before proceeding I’ll assume you have AnyConnect set up, and you can connect with a local username.

Disclaimer 2: Please don’t email me with questions like “Can I take this and integrate it with Active Directory, eDirectory, etc.?” or “I’m trying to get this to work with ‘insert name of some Linux distro’ and I’m getting an error”.

Prerequisite: You will need to have the Google Authenticator app on a device (probably an iOS or Android phone), and have that running and ready to accept a new identity/account.

Solution

Setup FreeRADIUS

I’m not a Linux guru; I just downloaded the latest version of Ubuntu Server (16.04.1 at time of writing) and deployed it as a virtual machine on an ESX host.

Note for non-Linux types: A lot of the commands below require you to either be logged on as root or ‘su’ to root (if that’s not an option, you will need to prefix the commands with ‘sudo’).

Ubuntu Enable Root Account: I quickly learned that these days the root account is disabled (for sensible reasons). However, because of the way FreeRADIUS works with PAM here, it needs to run under the root account (pam_unix has to read /etc/shadow to check the password).

[box]

sudo passwd root
ENTER AND CONFIRM PASSWORD
sudo passwd -u root

[/box] 

Ubuntu: Install Prerequisites: We need to refresh the package lists, then install NTP (because the authenticator codes are time based, so the server clock must be correct). Then there are some tools that we will need to build the Google Authenticator PAM module.

[box]

apt-get update
apt-get install autotools-dev
apt-get install autoconf
apt-get install libtool
apt-get install ntp
apt-get install build-essential libpam0g-dev freeradius git libqrencode3 

[/box] 

Install Google Authenticator: This is quite cool (if, like me, you don’t do a lot of Linux). We need to clone the source code from GitHub, then move into that directory and build and install the PAM module.

[box]

cd ~
git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install

[/box] 

Configuring FreeRADIUS and Google Authenticator

Ubuntu has nano installed by default; that’s what I’m going to use. If you’re a sandal-wearing ‘vi’ user, then feel free to use that instead.

First we are going to change FreeRADIUS so it runs under the ‘root’ account.

[box]nano /etc/freeradius/radiusd.conf[/box]

At the bottom of the file, change the user and group from freerad to root, save the file and exit.

Like so:

 

Next we are going to create a group called radius-disabled; then if you need to deny a user access, you can simply make them a member of this group.

[box]addgroup radius-disabled[/box]

Then configure FreeRADIUS to reject members of that group.

[box]nano /etc/freeradius/users[/box]

Locate the DEFAULT entries indicated below, then change and uncomment them so they contain the following text (the first entry rejects members of the radius-disabled group, the second sends everyone else to PAM):

[box]

DEFAULT Group == "radius-disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

[/box] 

So it looks like the below; then save and exit the file.

Enable Pluggable Authentication Modules (PAM): Edit the following file:

[box]nano /etc/freeradius/sites-enabled/default[/box]

Locate the line with ‘pam’ in it (in the authenticate section) and uncomment it (remove the hash/pound sign), like so:

Before;

After;

Exit and save the changes.

Configure FreeRADIUS to use Google Authenticator: Edit the following file:

[box]nano /etc/pam.d/radiusd[/box]

Locate all the lines that start with an ‘@’ symbol and comment them out (prefix them with a ‘#’), then paste the following text onto the end of the file. The forward_pass option makes pam_google_authenticator take the 6 digit code from the end of the submitted password and pass the rest on to pam_unix:

[box]

auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

[/box]

Before;

 

After;

Testing Google-Authenticator and FreeRADIUS

The easiest way to do this is to set up a test user, create a password for them, then generate a Google Authenticator secret for that user on your Linux server:

[box]

adduser tommytester
ENTER AND CONFIRM PASSWORD
su tommytester
ENTER THE PASSWORD
google-authenticator

[/box]

Now you can either scan the QR code into the Google Authenticator app on your phone, or type in the ‘secret key’.

Once done, you should be looking at a 6 digit number that changes every 30 seconds.

 

Test authentication on the FreeRADIUS server first! To do that issue the following command:

[box]radtest tommytester password456743 localhost 18120 testing123[/box]

Note: the password for tommytester is ‘password’ and the 6 digit code is appended to the end of it. The testing123 value is the shared secret for localhost, set within FreeRADIUS in the /etc/freeradius/clients.conf file; 18120 is just the NAS-Port value radtest puts in the request (the server is contacted on port 1812, as the output shows).

Successful Authentication

[box]

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302971 localhost 18120 testing123
Sending Access-Request of id 165 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302971"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=20
tommytester@RADIUS-HOST:/home/petelong$

[/box]

Unsuccessful Authentication

[box]

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302973 localhost 18120 testing123
Sending Access-Request of id 36 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302973"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=36, length=20
tommytester@RADIUS-HOST:/home/petelong$

[/box]
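To show what the PAM stack configured above is actually checking (forward_pass splits the submitted password into the Unix password and the trailing 6 digit code, and pam_google_authenticator validates the code against a 30 second time step), here is an added Python example; it is not code from this page or from the google-authenticator project. The secret, password and timestamps are constructed test values (the secret is the RFC 6238 reference key), and it adds the clock-skew window and replay check that matter when the server’s clock drifts.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code; the page notes the number "changes every 30 seconds"
DIGITS = 6
SKEW_STEPS = 1   # also accept the previous and next code to tolerate small clock drift

# Constructed test secret: the RFC 6238 reference key, base32-encoded the way the
# google-authenticator command prints its 'secret key'.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at_time, step=TIME_STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    cleaned = secret_b32.strip().upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(at_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def split_forward_pass(combined, digits=DIGITS):
    """forward_pass convention: the last 6 characters are the code, the rest is the Unix password."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


class TotpVerifier:
    """Checks password+code the way the page's PAM stack does, with replay protection."""

    def __init__(self, secret_b32, unix_password, skew_steps=SKEW_STEPS):
        self.secret_b32 = secret_b32
        self.unix_password = unix_password
        self.skew_steps = skew_steps
        self.last_counter = -1   # highest time-step counter already used; never accept it again

    def verify(self, combined, now=None):
        parts = split_forward_pass(combined)
        if parts is None:
            return False
        password, code = parts
        # Constant-time comparison of the static part (what pam_unix would check).
        password_ok = hmac.compare_digest(password.encode(), self.unix_password.encode())
        now = time.time() if now is None else now
        matched_counter = None
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate_time = now + delta * TIME_STEP
            if candidate_time < 0:
                continue
            if hmac.compare_digest(totp(self.secret_b32, candidate_time), code):
                matched_counter = int(candidate_time) // TIME_STEP
                break
        if matched_counter is None or not password_ok:
            return False
        if matched_counter <= self.last_counter:
            return False        # the same code was already used: reject the replay
        self.last_counter = matched_counter
        return True


if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET_B32, "password")
    print("code at t=59:", totp(TEST_SECRET_B32, 59))
    print("password+code accepted:", verifier.verify("password" + totp(TEST_SECRET_B32, 59), now=59))
```

A server whose clock is more than one step out (the NTP problem the page's troubleshooting note describes) rejects every code, which is exactly what the skew window test below exercises.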

Troubleshooting: If there’s a problem, make sure that the time on the FreeRADIUS server is correct (is NTP being blocked at the firewall?). Then what I do is SSH into the server from another session and enable debugging, then back at the console test authentication again; you can then see the debugging output on the other screen, which will point you in the right direction.

To enable debugging;

[box]

service freeradius stop
freeradius -XXX

[/box]

Add the Cisco ASA Firewall as a RADIUS Client: You need to add the firewall as a ‘client’ before it can authenticate. Edit the following file:

[box]nano /etc/freeradius/clients.conf[/box]

Add the following text to the end of the file (cisco123 is the shared secret we will enter on the ASA later):

[box]

client 192.168.110.1 {
 secret = cisco123
 shortname = CiscoASA
 nastype = cisco
}

[/box]
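The radtest exchange above is plain PAP: the User-Password attribute is only hidden with MD5 of the shared secret and the request authenticator, which is why the secret in clients.conf (and keeping it off untrusted networks) matters. This added Python example, which is not code from this page or from FreeRADIUS, builds the same Access-Request radtest sends, shows the server-side reveal, and checks the Response Authenticator on the 20 byte Access-Accept; the secret, username, NAS address and port are the page’s values, the request authenticator is constructed.

```python
import hashlib
import hmac
import os
import struct

# Values from the page's radtest run and clients.conf.
SHARED_SECRET = b"testing123"
NAS_IP = "192.168.110.85"
NAS_PORT = 18120

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden, secret, request_authenticator):
    """Server side of the same operation (what FreeRADIUS does before handing the password to PAM)."""
    clear, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; length covers the two header bytes."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, request_authenticator=None):
    """The Access-Request radtest sends: User-Name, User-Password, NAS-IP-Address, NAS-Port."""
    ra = request_authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + attribute(ATTR_NAS_PORT, struct.pack(">I", NAS_PORT)))
    return struct.pack(">BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_packet(packet):
    """Return (code, id, authenticator, {type: value}) with the length checks a server must do."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_response(code, request_packet, secret):
    """Access-Accept/Reject with no attributes (length 20, like the page's rad_recv output).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, request_auth, _ = parse_packet(request_packet)
    header = struct.pack(">BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def response_is_authentic(response, request_packet, secret):
    """Client-side check that the Accept/Reject came from a server holding the shared secret."""
    _, ident, request_auth, _ = parse_packet(request_packet)
    _, resp_ident, resp_auth, _ = parse_packet(response)
    if resp_ident != ident:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```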

Configure Cisco ASA for FreeRADIUS Authentication

On the ASA you create an AAA server group, set its protocol to RADIUS, then add the FreeRADIUS server as a host, specifying the shared secret you used above. REMEMBER you need to specify the ports or authentication will fail (you get a ‘no response’ error).

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 192.168.110.85
 authentication-port 1812
 accounting-port 1813
 key cisco123
 radius-common-pw cisco123
 exit

[/box]

The ASA also needs to have the correct time for authentication to work; I’ve covered that elsewhere, run through the following article:

Cisco ASA – Configuring for NTP

Change AnyConnect AAA Authentication Method: With nothing set, your AnyConnect tunnel group is probably using the LOCAL database of usernames and passwords; we now need to change it to use the RADIUS server group we just set up. You do that in the tunnel group’s ‘general-attributes’ section. Issue a show run tun command to see the tunnel groups listed.

[box]

Petes-ASA# show run tun
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable

[/box]

Then add your RADIUS GROUP as the authentication server.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-RADIUS

[/box]

Test RADIUS Authentication on the Cisco ASA First: I’ve covered this in the past; see the following article:

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Remember that the password will be the user’s password, followed by the 6 digit number displayed on the authenticator.

[box]

Petes-ASA# test aaa-server authentication PNL-RADIUS host 192.168.110.85 username tommytester password password125689
INFO: Attempting Authentication test to IP address <192.168.110.85> (timeout: 12 seconds)
INFO: Authentication Successful
Petes-ASA#

[/box]

Or, if you prefer to use the ASDM:

Finally you can test authentication from your remote AnyConnect client.

 

Related Articles, References, Credits, or External Links

NA

How to Convert .M4a Tracks to .Mp3

KB ID 0000908 

Problem

I know M4a is essentially MP4 anyway, but I have all my music in MP3 format, and I can’t play an M4a file in my car!

Solution

Here I’m just converting one M4a file, but if you have a lot, the procedure is exactly the same.

1. Place your M4a file(s) in a folder > Open iTunes > File > Add Folder to Library > Navigate to your folder and select it.

2. File > Preferences > Import Settings > Select MP3 Encoder > (You will notice I’ve turned up the encoder settings for better quality) > OK > OK.

3. Search for the track(s) you have imported > Right Click > Create MP3 Version.

4. It will take a little while to convert; when it’s finished you will see two copies of your track(s). One will be the original M4a track and the other will be the new MP3 version. At this point you can delete the M4a file(s) if you no longer require them.

 

Related Articles, References, Credits, or External Links

How to Convert FLAC files to MP3 (For Free)

Securing Cisco SSL VPN’s with Certificates

KB ID 0000335

Problem

It’s been a while since I wrote a walkthrough on the Cisco AnyConnect/SSL VPN solution, and usually I secure these with Active Directory or simply the local user database on the firewall. But what if you wanted to use certificates instead? Perhaps your users are too “technically challenged” to remember their passwords, or you want to enable two factor authentication with usernames/passwords AND certificates (something you know and something you have).

Solution

Step 1: Setup the ASA as a Certificate Authority

After version 8, Cisco included a complete CA solution in the firewall with a web front end. To use it we need to a) turn it on, b) give it an email address, c) provide a subject name, and finally d) enter a passphrase that protects the CA’s private key when the root certificate is generated.

Connect to the firewall and carry out the following:

[box]

PetesASA>
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# crypto ca server
PetesASA(config-ca-server)# smtp from-address pnlCA@petenetlive.com
PetesASA(config-ca-server)# subject-name-default cn=pnlCA, o=petenetlive, c=GB
PetesASA(config-ca-server)# no shutdown

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: ********

Re-enter passphrase: ********

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
INFO:
Certificate Server enabled.
PetesASA(config-ca-server)#

[/box]

To do the same via ASDM connect to the ASDM > Navigate to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server > Fill in the details > Apply.

To check that the CA Server is up and running issue a “show crypto ca server” command.

[box]

PetesASA# show crypto ca server

Certificate Server LOCAL-CA-SERVER:
Status: enabled <--Good!
State: enabled <--Good!
Server's configuration is locked (enter "shutdown" to unlock it)
Issuer name: CN=PetesASA.petenetlive.com
CA certificate fingerprint/thumbprint: (MD5)
774e1fe0 27495b35 019a9874 7507d8a9
CA certificate fingerprint/thumbprint: (SHA1)
93414d52 5f23e510 0f7f8fc2 857e3c86 d5687286
Last certificate issued serial number: 0x1
CA certificate expiration timer: 12:33:29 UTC Sep 30 2013
CRL NextUpdate timer: 18:33:29 UTC Oct 1 2010
Current primary storage dir: flash:/LOCAL-CA-SERVER/

Auto-Rollover configured, overlap period 30 days
Autorollover timer: 12:33:29 UTC Aug 31 2013
PetesASA#

[/box]

Step 2: Obtain a Client Certificate

If you have a LOT of these you can set them up and send them by email directly; I’m just going to do this one manually. By default your webvpn probably isn’t enabled on the “inside” interface, so let’s turn that on.

[box]

PetesASA#
PetesASA# conf t
PetesASA(config)# webvpn
PetesASA(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on 'inside'.
PetesASA(config-webvpn)# exit
PetesASA(config)#

[/box]

To do the same via ASDM connect to the ASDM > Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Tick both the inside options > Apply.

Now I’m going to create a user, and a “One Time Password”.

[box]

PetesASA(config)#
PetesASA(config)# crypto ca server user-db add petelong
INFO: User added as 'petelong'
PetesASA(config)# crypto ca server user-db allow petelong display-otp
Username: petelong
OTP: 010B3B9F500F7142 <--your user will need this!
Enrollment Allowed Until: 12:43:23 UTC Mon Oct 4 2010

PetesASA(config)#

[/box]

Via ASDM it’s a little more convoluted: you need to add the user, then view/re-generate the OTP.

Open a web browser and go to https://{ip or name of firewall}/+CSCOCA+/enroll and log in with the username and OTP you created above.

When prompted, download the certificate and put it on the machine that requires secure access. Simply double click it and import it (it should import into the “Personal” certificate store). If you are prompted for a password, enter the OTP from above.

Step 3: Change the VPN authentication to Certificate.

First let’s check that enrolment was successful with a “show crypto ca server user-db” command.

[box]

PetesASA(config)# show crypto ca server user-db
username: petelong
email: <None>
dn: <None>
allowed: 12:43:23 UTC Mon Oct 4 2010
notified: 1 times
enrollment status: Enrolled, Certificate valid until 12:47:25 UTC Sat Oct 1 2011,<--Good!
Renewal: Allowed

PetesASA(config)#

[/box]

Change the webvpn authentication to certificate. Note: your SSL tunnel group WILL have a different name.

[box]

PetesASA# conf t
PetesASA(config)# tunnel-group SSL-VPN-POLICY webvpn-attributes
PetesASA(config-tunnel-webvpn)# authentication certificate
PetesASA(config-tunnel-webvpn)# exit
PetesASA(config)#

[/box]

To use usernames AND certificates use “both” instead of “certificate”; to revert back to usernames only, enter “aaa”.

Via ASDM

Step 4: Test

Connect to the VPN portal and you should now be prompted for certificate authentication.

 

Related Articles, References, Credits, or External Links

AnyConnect VPN

Cisco ASA 5500 – Using a Third Party Digital Certificate (For Identification, AnyConnect, and SSL VPN)

Cisco AnyConnect – Essentials / Premium Licenses. Explained

KB ID 0000628 

Problem

Note: With AnyConnect 4 Cisco now use Plus and Apex AnyConnect licensing.

When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.

Solution

Cisco ASA AnyConnect Premium Licenses.

You get two of these free with your firewall*; with a ‘Premium License’ you can use the AnyConnect client software for remote VPN access, and you can access clientless SSL facilities via the web portal.

*As pointed out by @nhomsany: “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows).”

Additionally you can use this license model with the Advanced Endpoint Assessment License; this is the license you require for Cisco Secure Desktop. You can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets (both these licenses are an additional purchase).

For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 Premium licenses are available as 10 session and 25 session licenses, and the 5510 ones come in 10, 25, 50, 100 and 250 sessions. (Note: These are correct for version 8.4 and are subject to change; check with your reseller.)

Failover: If you are using failover firewalls you can (but don’t have to) use a shared license model; this lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware. This requires an ASA to be set up as the license server. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the licenses from both firewalls are aggregated together and ALL are available, providing the figure does not exceed the maximum for the hardware being used.

Cisco ASA AnyConnect Essential Licenses

When you enable ‘Essentials Licensing’, your firewall changes its licensing model and the two Premium licenses you get with it are disabled*. The firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.

Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see the table below), without the need to keep adding licenses.

Note: Remember these are “Peer VPN Sessions”. If you have a bunch of other VPNs (including IPsec ones), then these are taken from the same ‘pot’.

Additionally, you can also use this license with the AnyConnect Mobile license for access from mobile devices like phones or tablets; this license is an additional purchase.

Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license for BOTH firewalls. After version 8.3 Cisco allowed the licenses to be replicated between firewalls in a failover pair.

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Next Generation Platform (X)

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2,500
5555-X = 5,000
5585-X = 10,000

*To re-enable the built-in Premium licenses you need to disable Essentials licensing by using the ‘no anyconnect-essentials’ command, or in the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Cisco AnyConnect Mobility License

Cisco ASA 5500 – Adding Licenses


Installing the BackTrack Linux VMware Virtual Machine

KB ID 0000631

Problem

I’m fortunate enough that VMware gave me a free copy of VMware Workstation, but there’s nothing to stop you carrying out this procedure with the FREE VMware Player.

BackTrack Linux is an operating system that is primarily used for security auditing and penetration testing. I’m going to be playing with it a bit in the coming weeks, so I thought I’d at least document how to get it running.

Note: There is a bootable CD version available, if you would prefer to use that instead.

Solution

1. Head over to BackTrack and download your virtual machine files.

2. Once downloaded, extract the files to a folder on your computer.

3. Make sure the files have extracted.

4. From within VMware Workstation, File > Open.

5. Navigate to the .vmx file that’s in the files you extracted earlier > Open.

6. After a few seconds you should be able to power on the virtual machine.

7. Always select “I moved it” UNLESS you are going to run more than one copy, in which case choose “I copied it” (so the copies get different MAC addresses and UUIDs).

8. The default username is root and the default password is toor (change it before putting the VM on any shared network). You will then need to execute a startx command to bring up the GUI interface.

9. Job done, enjoy!

Related Articles, References, Credits, or External Links

NA