Remote Access VPN using RSA ID

Unanswered Question
May 20th, 2007

I want to configure remote access VPN using RSA ID.

i.e., instead of the key command, I want the client to enter the RSA ID. Is this possible? If yes, then could someone help me out, please.

I am in a bit of urgency for this; my management gave me this as an urgent requirement :-(

I am using a 6500 switch with IPSEC/VPN accelerator module

ggilbert (Cisco Employee) Mon, 05/21/2007 - 17:54

Is your requirement to use certificates instead of a pre-shared key? Is that what you are trying to do?

Are you trying to build a site-to-site tunnel or a remote access connection?

What kind of a CA server are you going to use?

Let me know, I can give you some documentation.

Thanks,

Gilbert

inghau Wed, 05/23/2007 - 18:49

Hi Gilbert,

I'm having a similar issue in my setup.

Is it possible to set up a remote access VPN using a self-signed certificate from the ASA?

If that is not possible, can you point me to some documentation on the fastest way to configure it.

Thanks

ggilbert (Cisco Employee) Thu, 05/24/2007 - 03:09

Hi Perkom,

No - you cannot use the self-signed certificate on the ASA for remote access VPN connections. You have to use a CA server for that purpose.

A self-signed certificate can be used only for the purpose of webvpn/SSL VPN connections for validation.

The easiest way to configure a remote access VPN connection is to use the VPN wizard on the ASDM. It guides you through the step-by-step process.

Here is the configuration example for that.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Hope this is what you are looking for.

Rate this post, if it helps.

Cheers

Gilbert

inghau Thu, 05/24/2007 - 17:31

Hi Gilbert,

Thank you for your help.

I'd really appreciate it.

I'm planning to use a Win 2003 CA Server, but I can't find the guide on how to configure the CA Server. Do you know where I can find those references?

best regards,

Sab

inghau Thu, 05/24/2007 - 21:51

Hi Gilbert,

Thanks for your assistance. I'm currently developing the CA Server now and following the instructions from the web page, but when I try to authenticate there was some error.

What is the possible cause here? Perhaps you can point some directions to me :)

Best regards,

Sab

pdirect(config)# crypto ca authenticate cert
Crypto CA thread wakes up!

CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=cert HTTP/1.0

CRYPTO_PKI: http connection opened

INFO: Certificate has the following attributes:
Fingerprint: 406e5696 459ecc7a e174e6ad 781e0cfd
Do you accept this certificate? [yes/no]: Crypto CA thread sleeps!
yes
% CA Cert not yet valid or is expired -
start date: 12:19:37 JAVT May 26 2007
end date: 12:28:13 JAVT May 26 2012
% Error in saving certificate: status = FAIL
pdirect(config)#
CRYPTO_PKI: status = 65535: failed to insert CA cert

pdirect(config)#


ggilbert (Cisco Employee) Fri, 05/25/2007 - 12:57

Sab,

What kind of a CA server is it that you are using?

Can you please send me the information that you have configured for the CA server before authentication to the server.

Awaiting your response.

Cheers

Gilbert

inghau Fri, 05/25/2007 - 18:48

Hi Gilbert,

I've configured a new 2003 Server and the CA Server, and also installed the SCEP add-on on this server.

But the ASA seems to fail to authenticate the CA even though I've followed all the instructions here http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml#maintask1

The error message is in my previous message in this thread.

I suspect the CA configuration needs a little bit of fine tuning.

But I can't find any guide on how to fine-tune the 2003 CA Server to match the Cisco ASA.

Do you have any hints for me :)

best regards,

Sab


ggilbert (Cisco Employee) Mon, 05/28/2007 - 19:57

Sab

Sorry for the delayed response.

Can you please send me the output of

sh run | begin crypto ca trustpoint

Thanks

Gilbert

inghau Mon, 05/28/2007 - 20:34

Hi Gilbert,

That's okay, I understand.

The authentication issue is fixed now.

I configured the ASA and CA server using NTP.

I think the Cisco guide shouldn't put OPTIONAL on the ASA_Cert.pdf guide.

I found that NTP is mandatory for this configuration.

Right now I can successfully configure the manual authentication and manual enrollment.

But I still can't import the PKCS#12 from the ASA to the VPN Client.

Can I use manual certificate authentication and enrollment in my configuration?

Thanks
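Sab's two posts above (the failed `crypto ca authenticate` output, and the fix of syncing the ASA and the CA server with NTP) come down to two checks an operator makes at the "Do you accept this certificate?" prompt: whether the fingerprint matches what the CA administrator published through a trusted channel, and whether the ASA's own clock falls inside the CA certificate's validity window. The following is an added Python example, not Cisco's code and not anything posted in this thread: SAMPLE_OUTPUT, the two clock values and PUBLISHED_FINGERPRINT are constructed from the output quoted above, and reading the 128-bit fingerprint as the MD5 digest of the DER certificate is an assumption.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample: the lines from the ASA debug output quoted earlier in
# this thread, as the device prints them during 'crypto ca authenticate'.
SAMPLE_OUTPUT = """\
INFO: Certificate has the following attributes:
Fingerprint: 406e5696 459ecc7a e174e6ad 781e0cfd
Do you accept this certificate? [yes/no]: yes
% CA Cert not yet valid or is expired -
start date: 12:19:37 JAVT May 26 2007
end date: 12:28:13 JAVT May 26 2012
"""

# Constructed device clocks (naive, in the same zone the ASA prints):
# before NTP the ASA clock sat more than a day behind the CA's notBefore;
# after NTP both sides agree and the window contains 'now'.
UNSYNCED_CLOCK = datetime(2007, 5, 24, 21, 51, 0)
SYNCED_CLOCK = datetime(2007, 5, 26, 13, 0, 0)

# Constructed: the fingerprint the CA administrator publishes out-of-band
# (colon-separated form); compare it to the prompt before answering 'yes'.
PUBLISHED_FINGERPRINT = "40:6e:56:96:45:9e:cc:7a:e1:74:e6:ad:78:1e:0c:fd"

FP_RE = re.compile(r"^Fingerprint:\s+((?:[0-9a-f]{8}\s*){4})$", re.M | re.I)
DATE_RE = re.compile(
    r"^(start|end) date:\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+([A-Za-z]{3} \d{1,2} \d{4})$",
    re.M,
)


def normalize_fingerprint(text):
    """Lower-case hex with spaces and colons removed, so the ASA's
    space-grouped form and a colon-separated published form compare equal."""
    return re.sub(r"[\s:]", "", text).lower()


def parse_fingerprint(output):
    """Extract the 128-bit fingerprint the ASA prints for the CA certificate."""
    m = FP_RE.search(output)
    if not m:
        raise ValueError("no Fingerprint line in output")
    return normalize_fingerprint(m.group(1))


def fingerprint_matches(output, published):
    return parse_fingerprint(output) == normalize_fingerprint(published)


def md5_fingerprint(der_bytes):
    """Assumption: a 128-bit fingerprint of this form is the MD5 digest of the
    DER-encoded certificate, so a copy of the CA certificate fetched through a
    trusted channel can be checked against the prompt this way."""
    return hashlib.md5(der_bytes).hexdigest()


def parse_validity(output):
    """Return (not_before, not_after, tz_label). Times stay naive, in the
    zone label the device printed, because the device compares them to its
    own local clock."""
    found, tz = {}, None
    for m in DATE_RE.finditer(output):
        which, hms, tz, mdy = m.groups()
        found[which] = datetime.strptime(f"{hms} {mdy}", "%H:%M:%S %b %d %Y")
    if "start" not in found or "end" not in found:
        raise ValueError("validity period not found in output")
    return found["start"], found["end"], tz


def check_validity(not_before, not_after, now):
    """Reproduce the device's decision on the validity window. No skew is
    tolerated, so a clock a day behind the CA is enough to fail."""
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def diagnose(output, device_clock, published_fingerprint):
    """Summarise what an operator should conclude from the prompt: whether
    the CA identity checks out, and whether the clock explains the
    '% CA Cert not yet valid or is expired' failure."""
    nb, na, tz = parse_validity(output)
    verdict = check_validity(nb, na, device_clock)
    return {
        "fingerprint_ok": fingerprint_matches(output, published_fingerprint),
        "validity": verdict,
        "clock_needs_ntp": verdict != "valid",
        "tz": tz,
    }


if __name__ == "__main__":
    for label, clock in (("before NTP", UNSYNCED_CLOCK), ("after NTP", SYNCED_CLOCK)):
        print(label, diagnose(SAMPLE_OUTPUT, clock, PUBLISHED_FINGERPRINT))
```

Running the script prints the verdict for both clocks: with the unsynced clock the fingerprint is fine but the window check returns not_yet_valid, exactly the failure in the quoted output, and with the NTP-synced clock it returns valid. Because the window check allows no tolerance, the fingerprint comparison is the only check an operator can do by eye; the clock must simply be right, which is why NTP on both ASA and CA is not optional.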

ggilbert (Cisco Employee) Tue, 05/29/2007 - 04:45

Sab,

For the VPN client, you have to get the certificate directly from the CA server itself. Not from the ASA.

Cheers

Gilbert

ggilbert (Cisco Employee) Wed, 05/30/2007 - 05:34

What I would do is just get the CA certificate (root certificate) from the CA server and then package my client.

So, when the user gets the CD, the root certificate is already there, but they just need to access the CA server and get their own user certificate.

Or you can just package the client and give the user the URL http://certserver/mscep..... information and instructions on how to get the certificate.

Cheers

Gilbert
