VPN Client IPsec authentication using digital certificate

Answered Question
Sep 12th, 2011

Hi,

Please I need some clarification and help with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.

I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml

My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA.

The DHCP pool is to be issued by the domain controller on the inside network and not by the firewall.

Any examples or best practice steps to achieve this will be really appreciated.

Thanks

joshking1 Tue, 09/13/2011 - 02:42

The main reason for my question is that I am migrating from pre-shared keys to certificate authentication for remote VPN access and want to really understand the reason for some of the config steps, like why two certificates are needed (root and identity).

Thanks

Correct Answer
bmigette Tue, 09/13/2011 - 05:47

Hi Josh,

Let me briefly explain how PKI authentication works:

In a PKI setup, devices do not trust each other directly; instead they trust a Certificate Authority, which is the one that issues certificates. We call this the Root CA (there are more complex setups where intermediate CAs are involved, but that's another story). So when the Root CA issues a certificate, it signs it with its private key. To be able to verify this signature, one needs the CA's public key, which is included in the CA certificate.

So for certificate authentication, you have to create a trustpoint, which defines the parameters of the Root CA.

Then you authenticate this trustpoint, which basically means you get the Root CA certificate and store it locally.

After that, you enroll with that CA, which means you request (and get) your own certificate.

Other users do the same, and will have the same Root CA certificate but different personal (identity) certificates.

So what happens upon authentication is that both ends send their certificate to the other, and each uses the public key contained in the Root CA certificate to validate the signature of the certificate received from the remote peer. If the signature is correct, that means the Root CA actually issued this certificate, and the remote peer can be trusted (or not).

Hope this is clear.
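The exchange Bastien describes, worked through as an added example (my code, not from the thread or from Cisco): a Root CA issues an identity certificate to the ASA and one to a client, each side validates the other's certificate against the one root it holds, a certificate with the same name from an unrelated CA is refused, and the CA's CRL is consulted the way Josh wants the ASA to. Everything is built in memory with Go's standard library; the names (Corp Root CA, asa.example.com, josh) and serial numbers are constructed, ECDSA P-256 stands in for the RSA keys a Microsoft CA would more typically issue, and the CRL entry API requires Go 1.21 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn. With parent == nil it is a self-signed
// root CA; otherwise it is an identity certificate signed by the parent's key,
// the step "crypto ca enroll" performs against the real CA.
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // root CA: signs certificates and CRLs with its own key
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else { // identity certificate for an IPsec peer (ASA or VPN client)
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueCRL is the CA publishing its revocation list (what the ASA fetches from
// the CA's distribution point); serials lists the certificates being revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

// authenticatePeer is what each side does with the certificate the other side
// sends: chain it to the single root CA held locally (the authenticated
// trustpoint), then consult the CA's CRL, which is itself trusted only if the
// root signed it. Any failure means the IKE peer is not authenticated.
func authenticatePeer(peer, root *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("peer %q: %w", peer.Subject.CommonName, err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted root: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (next update %s); refetch before trusting it", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("peer %q: serial %s is revoked", peer.Subject.CommonName, peer.SerialNumber)
		}
	}
	return nil
}

// run builds an in-memory PKI (constructed here, not the thread's CA) and plays
// out the cases that matter to the ASA; a nil error means the peer was accepted.
func run() map[string]error {
	root, rootKey := newCert("Corp Root CA", 1, nil, nil)
	asa, _ := newCert("asa.example.com", 1001, root, rootKey)
	client, _ := newCert("josh", 1002, root, rootKey)
	rogueCA, rogueKey := newCert("Rogue CA", 1, nil, nil)
	rogue, _ := newCert("josh", 1002, rogueCA, rogueKey) // same name, wrong issuer

	emptyCRL := issueCRL(root, rootKey)
	revokingCRL := issueCRL(root, rootKey, client.SerialNumber)
	forgedCRL := issueCRL(rogueCA, rogueKey) // an attacker cannot "un-revoke" with this

	return map[string]error{
		"client accepted by ASA":  authenticatePeer(client, root, emptyCRL),
		"ASA accepted by client":  authenticatePeer(asa, root, emptyCRL),
		"rogue-CA cert rejected":  authenticatePeer(rogue, root, emptyCRL),
		"revoked client rejected": authenticatePeer(client, root, revokingCRL),
		"forged CRL rejected":     authenticatePeer(client, root, forgedCRL),
	}
}

func main() {
	for name, err := range run() {
		fmt.Printf("%-24s -> %v\n", name, err)
	}
}
```

`go run` prints one line per case; only the two certificates chained to the shared root, checked against a CRL that root signed, come back without an error. The point Josh asked about falls out directly: the root certificate is what you verify with, the identity certificate is what you prove yourself with, and neither is any use without the other.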

joshking1 Tue, 09/13/2011 - 05:58

Thanks Bastien,

It all makes sense now because I wanted to understand why I had two different certificates and your explanation made it clearer for me.

Thanks

bmigette Tue, 09/13/2011 - 06:02

I'm glad that it's clearer for you now. Good luck with the configuration then.

joshking1 Tue, 09/13/2011 - 06:08

I will tell you how it goes once I migrate to the new ASA config....

Maybe I will have one or two more questions that will need to be answered once more...

Thanks

joshking1 Wed, 09/14/2011 - 09:43

Hi,

I am having a problem importing the Identity Certificate, as I keep getting the error message below:

ERROR: Failed to parse or verify imported certificate

I am using a Microsoft CA and have already removed and reauthenticated with the correct root CA certificate several times, but the error keeps coming back once I get to the final stage of manually importing the Identity Certificate issued by the CA to the firewall.

I have also cleared the flash config and reconfigured my 5540 firewall twice but it is still not happening for me.

Please any help or ideas will be appreciated.

Also, I am not sure if the active/passive setup I have at the moment could be affecting the certificate import process, or whether the firewall should be online and talking to the CA before this process can be completed, because I am configuring the 5540 offline before it goes into production in 2 days.

Thanks

bmigette Wed, 09/14/2011 - 23:51

Hi Josh,

How do you install the certificate on the ASA (which commands/steps).

Also, please share debug crypto ca transactions output, it should tell us what happens.

The easiest way to configure Cert from windows CA is to install MSCEP support on the Win server, then create trustpoint:

crypto ca trustpoint CAServer

  enrollment url http://CA-IP/certsrv/mscep/mscep.dll

then authenticate the CA:

crypto ca authenticate CAServer

then connect to

http://CA-IP/certsrv/mscep/ and get the one time password

after that enroll to the CA:

crypto ca enroll CAServer and type the OTP here.

You can also check an example using ASDM here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml
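For the configuration side, here is an added outline of the ASA 8.3 commands that tie the steps above to a remote-access IPsec tunnel group. It is illustrative, not from the thread or from Cisco's examples: the trustpoint name CAServer and the CA-IP placeholder are taken from the post, while the key-pair label, subject name, tunnel-group name, group-policy name and the DHCP server address 10.1.1.10 are assumptions. Mapping clients to the tunnel group by certificate contents (crypto ca certificate map) and the group policy itself are not shown. Check each command against the command reference for your release; 8.4 renamed the ISAKMP commands to ikev1.

```cisco
! Key pair the ASA identity certificate will be bound to (assumed label)
crypto key generate rsa label ASA-VPN-KEY modulus 2048

! Trustpoint: where the CA is (MSCEP), which key to enroll, and CRL checking
crypto ca trustpoint CAServer
 enrollment url http://CA-IP/certsrv/mscep/mscep.dll
 subject-name CN=asa.example.com,O=Example
 keypair ASA-VPN-KEY
 revocation-check crl
 crl configure
  policy cdp

! Fetch and trust the root CA certificate, then request the ASA's own
! identity certificate (the enroll step prompts for the MSCEP one-time password)
crypto ca authenticate CAServer
crypto ca enroll CAServer

! Phase 1: certificate (RSA signature) authentication instead of a pre-shared key
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! Remote-access tunnel group: client addresses come from the inside DHCP
! server (assumed 10.1.1.10) rather than a pool on the firewall
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 dhcp-server 10.1.1.10
 default-group-policy RA-CERT-POLICY
tunnel-group RA-CERT ipsec-attributes
 trust-point CAServer
```

After enrollment, show crypto ca certificates should list both the CA certificate and the ASA's identity certificate under CAServer; if only the CA certificate is present, the enroll step did not complete and clients will fail Phase 1 with a certificate error rather than a pre-shared key mismatch.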

joshking1 Thu, 09/15/2011 - 01:06

Thanks Bastien.

I have tried debug crypto ca transactions and, as expected, it gives no output because the ASA is not on the network yet and not able to talk to the CA.

I followed the configuration guidelines for manual installation of the certificate shown here

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

The only problem is that my ASA 5540 is offline, so I manually imported the identity certificate from the CA and also the root CA certificate. But considering that the lab used shows that the firewall has to be able to contact the CA, I guess my config may not work until my firewall comes online and is able to talk to the CA (instead of the manual copy and paste process I am currently using to import the certificates). Is this correct?

If that is the case, then I will have to wait for the maintenance window to migrate to my new firewalls and then use the auto-enrollment process you listed above.

Thanks

This Discussion

Posted September 12, 2011 at 9:25 AM
Stats:
Replies:8 Avg. Rating:5
Views:1123 Votes:0