IOS HTTP-server to support IOS Certificate Authority server

Maxim Zimovets · ‎12-17-2009

Hello!

I try to set up Certificate Authority server to support small vpn network . My CA-sever is IOS router with installed IOS version 12.4(18e). For CA-server to support my routers I need to start http-server on the CA-router. Right now the router has following relevant configuration:

!

aaa authentication login default group tacacs+ local enable

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

!

ip http server

ip http max-connections 16

ip http path flash:

!

crypto pki server ca

cdp-url http://10.10.10.10/ca.crl

!

The process of certificate generation works prefect - I can obtain certificates easily.

The problem starts when routers tries to obtain CRL. CRL is located on the CA-router and should be accessed via plain http. But latest IOS http-servers require http authentication to connect to them. I tried several options to support authentication. But it's still without success. I have another requirement - one of device is Cisco VPN3K. And it's not possible (as far as I know) to set up some form of username/password.

Can anybody suggest some solution to suppress http-authentication? Or maybe there is some other solution to put CRL somewhere to be accessible?

Wait for any options.

Maxim

zvladov · ‎07-12-2010

Hello,

If still relevant, and still looking for an answer, here is what I faced as solutions:

1. Not to specify the CDP-URL at all (this is what I did) - makes it default to

check on each validation the CA server.

2. Offloading the list to a different HTTP only server, without any authentication

(I haven't done this)

I had the same issues - problems with CDP checking, but with different Cisco IOSes.

Nothing worked. First I thought it was the syntax, but no, then I thought was the HTTP

server - but again no, and so I have tried all the URL schemes and protocols,

but without any positive result. This was my experience with 12.4T(9).

When I implement the solution without specifing the CDP URL, then on each validation

check of the cert the CA is consulted for valid CRL list, and retrieves it and consults it.

This makes my Cisco Device a little bit loaded when the cert is checked but

there is always a price you have to pay.

My setup is not large <100 and it seems to work OK.

BR.

Z.V.

Jason Gervia · ‎07-12-2010

Did you try adding a default authentication list set to none, and add named authentication lists for your other AAA services? If you do that, and add 'ip http authentication aaa', that should help with the authentication portion

After that, you just have to figure out the 'ip http path' and add that to the router config.

--Jason

zvladov · ‎07-12-2010

Hello Jason,

I tried many different settings for the cdp-url, without any sucess.

The CA Router always returned "404 - Not found", because for some reason obviously

it couldn't serve the requested URL, although the file CA.CRL was there.

I did try to debug why was that happening, but eventually I realized I'd be better

to work around the problem than to solve it.

So, basically it is not a problem with the authentication I believe. It is a problem with

the SCEP/HTTP translation within the CIsco IOS, when it tries to get the CRL.

Best Regards

Z.V.