06-25-2008 03:31 AM - edited 03-11-2019 06:04 AM
Hi all
We are planning to authenticate the remote-site VPN users using certificates; presently they are authenticating with an ADS server. We are planning to use our own certificate server. Can anybody tell me how to configure this certificate authentication for remote-site VPN?
Any documentation would really help me.
Thanks in advance.
06-25-2008 05:11 AM
Hi,
If you use ASA:
Look at ASA/PIX 7.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example
Link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml
ASA/PIX 8.x and VPN Client IPSec Authentication Using Digital Certificates with Microsoft CA Configuration Example
Link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
If you use IOS router
Configuring IPSec Between Cisco IOS Routers and Cisco VPN Client Using Entrust Certificates
Link: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800948e3.shtml
I hope this helps.
Best regards.
Massimiliano.
06-25-2008 06:10 AM
Thanks for the reply.
I will check and reply back.
Is there any datasheet or RFC document that explains how exactly certificate authentication works?
How does the ASA get the certificate from the CA server (which ports does it use, and how exactly does it work)?
06-25-2008 06:25 AM
Here we are not pointing to any particular CA server; how does the ASA know the CA server and download the certificate?
06-25-2008 07:41 PM
Refer to the documentation for the "crypto ca trustpoint", "crypto ca authenticate" and "crypto ca enroll" commands.
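As an added illustration of the three commands named above (this is example configuration, not from the original thread or from Cisco's documentation), the block below walks an ASA 7.2/8.x through pointing at a CA, fetching the CA certificate, enrolling for its own identity certificate, and then using RSA signatures instead of a pre-shared key for remote-access IPsec. The hostnames, the CA URL, and the trustpoint, key pair, pool and tunnel-group names are assumed. The CA is found through the "enrollment url" line of the trustpoint: enrollment uses SCEP, which is plain HTTP (port 80 unless a different port is given in the URL), and the path shown is the one Microsoft's SCEP add-on (mscep.dll) exposes. The resulting CA and identity certificates are stored under that trustpoint in the ASA configuration and can be inspected with "show crypto ca certificates".

```cisco
! --- Added example, not from the original thread. Names, addresses and the
! --- CA URL are assumed; adjust them to your environment.

hostname asa
domain-name example.com

! RSA key pair that the ASA's identity certificate will be bound to
crypto key generate rsa label ASA-VPN-KEY modulus 2048

! The trustpoint tells the ASA which CA to use and how to reach it.
! "enrollment url" is the SCEP endpoint: HTTP, port 80 unless stated,
! here the Microsoft mscep.dll path.
crypto ca trustpoint MS-CA
 enrollment url http://ca.example.com:80/certsrv/mscep/mscep.dll
 subject-name CN=asa.example.com,OU=IT,O=Example
 fqdn asa.example.com
 keypair ASA-VPN-KEY
 ! check the CA's CRL before trusting a peer certificate (default is none)
 revocation-check crl
 exit

! Step 1: download the CA certificate over SCEP. The ASA prints the CA
! fingerprint and asks you to accept it; confirm it out of band with the
! CA administrator before answering yes.
crypto ca authenticate MS-CA

! Step 2: send a PKCS#10 request and receive the signed identity
! certificate. You are prompted for the one-time challenge password
! that the SCEP server issued (mscep_admin page on a Microsoft CA).
crypto ca enroll MS-CA

! Both certificates now live under trustpoint MS-CA:
!   show crypto ca certificates

! IKE phase 1 authenticated with RSA signatures instead of a PSK
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp identity auto

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

ip local pool VPN-POOL 192.0.2.10-192.0.2.100 mask 255.255.255.0

! Remote-access group: the ASA presents its MS-CA identity certificate
! and accepts VPN Client peers whose certificate chains to a trustpoint
! the ASA has authenticated.
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 address-pool VPN-POOL
tunnel-group RA-CERT ipsec-attributes
 trust-point MS-CA
```

If the CA cannot be reached over HTTP from the ASA, replace "enrollment url" with "enrollment terminal": "crypto ca authenticate" then asks you to paste the base64 CA certificate, and "crypto ca enroll" prints a PKCS#10 request to submit to the CA by hand, with the issued certificate imported afterwards using "crypto ca import MS-CA certificate".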
06-26-2008 01:13 AM
First of all thanks for the reply.
Here I want to use a separate server.
After initiating the command
"crypto ca enroll CA", how does it point to the third-party server (how does it find the certificate server)?
How does it receive the certificate, and where will the ASA save it?
If you need any updates from me, i will provide my inputs.
01-27-2010 06:48 AM
You need to import the CA certificate into your ASA that signed your client certificate. Then tick the option Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles 'Require client certificate'. Then in your connection profile choose auth method as AAA as you are not doing cert auth. When you connect to ASA with your IE browser, you should be prompted to choose a client certificate to use for your connection to the ASA. I don't think this works for Firefox as it won't have access to your Windows certificate store. The ASA should look through all its CA trustpoints to find one that matches the CA that signed your client cert, thereby validating your identity. I have only tried this with a Windows user certificate, not a machine certificate.
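The CLI equivalent of the ASDM steps described in the post above, as an added example that is not part of the original thread: import the CA that signed the user certificates, require a client certificate on the outside interface, and combine it with AAA against the existing directory server. The trustpoint, server-group, tunnel-group names and addresses are assumed; the LDAP bind account and password are placeholders.

```cisco
! --- Added example, not from the original thread. Names and addresses
! --- are assumed. ASA 8.x syntax.

! Trustpoint for the CA that signed the user (client) certificates.
! "enrollment terminal" because the ASA only needs the CA certificate,
! not its own certificate from this CA.
crypto ca trustpoint USER-CA
 enrollment terminal
 revocation-check crl
 exit
! Paste the base64 CA certificate when prompted, finish with "quit",
! then confirm the displayed fingerprint.
crypto ca authenticate USER-CA

! Existing directory server used for the AAA half of the login
aaa-server ADS protocol ldap
aaa-server ADS (inside) host 192.0.2.5
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password BindPassword1
 server-type microsoft

! Identity certificate the ASA presents to browsers on the outside
! interface (issued from a trustpoint the ASA has enrolled with).
ssl trust-point MS-CA outside

! "Require client certificate": the TLS handshake on this interface
! must include a client certificate, which the browser picks from the
! Windows certificate store.
ssl certificate-authentication interface outside port 443

webvpn
 enable outside

! Connection profile: the client certificate must chain to an
! authenticated trustpoint (USER-CA) and the user must also pass AAA.
tunnel-group WEBVPN-CERT type remote-access
tunnel-group WEBVPN-CERT general-attributes
 authentication-server-group ADS
tunnel-group WEBVPN-CERT webvpn-attributes
 authentication aaa certificate
 group-alias webvpn-cert enable
```

"authentication aaa certificate" is what makes the profile require both factors; "authentication certificate" alone would accept the certificate without a password, and "authentication aaa" alone would ignore a presented certificate beyond the interface-level check.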