Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3235
Views
0
Helpful
8
Replies

VPN Client IPsec authentication using digital certificate

Go to solution
joshking1
Level 1
Level 1

‎09-12-2011 09:25 AM - edited ‎02-21-2020 05:34 PM

Hi,

Please I need some clarification and help with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.

I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml

My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA.

The dhcp pool is to be issued by the domain controller on the inside network and not on the firewall.

Any examples or best practise steps to achieve this will be really appreciated.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Bastien Migette
Cisco Employee
Cisco Employee
In response to joshking1

‎09-13-2011 05:47 AM

Hi Josh,

Let me explain you briefly how PKI Auth is working:

In a PKI setup, devices do not trusts each other directly, but they trust a Certificate Authority, which is the one that issues certificate. We call this Root CA (there might be more complex setup where intermediate CA are involved, but that's another story). So when the Root CA issues a certificate, it signs it with its private key. To be able to verify this signature, one should have the CA Public key, which is included with the CA Certificate.

So for Certificate authentication, you have to create a trustpoint, which will define the parameters of the Root CA.

Then you will authenticate this trustpoint, which means basically you'll get the Root CA Certificate and store it locally.

After that, you enroll to that CA, which means you'll request (and get) your own certificate.

Other users will do the same, and will have the same Root CA Cert, but differente personnal (identity) certificates.

So what happen upon authentication is that both ends sends their certificate to the other, and they will use the public key contained in the root CA to validate the signature of the received certificate from remote peer. If the signature is correct, that means the Root CA actually issued this certificate, and that remote peer can be trusted (or not )

Hope this is clear.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
joshking1
Level 1
Level 1

‎09-13-2011 02:42 AM

The main reason for my question is because i am migrating from pre-shared keys to certificate authentication for remote vpn access and want to really understand the reason for some of the config steps like why two certificates are needed (root and identity).

Thanks

0 Helpful

Go to solution
Bastien Migette
Cisco Employee
Cisco Employee
In response to joshking1

‎09-13-2011 05:47 AM

Hi Josh,

Let me explain you briefly how PKI Auth is working:

In a PKI setup, devices do not trusts each other directly, but they trust a Certificate Authority, which is the one that issues certificate. We call this Root CA (there might be more complex setup where intermediate CA are involved, but that's another story). So when the Root CA issues a certificate, it signs it with its private key. To be able to verify this signature, one should have the CA Public key, which is included with the CA Certificate.

So for Certificate authentication, you have to create a trustpoint, which will define the parameters of the Root CA.

Then you will authenticate this trustpoint, which means basically you'll get the Root CA Certificate and store it locally.

After that, you enroll to that CA, which means you'll request (and get) your own certificate.

Other users will do the same, and will have the same Root CA Cert, but differente personnal (identity) certificates.

So what happen upon authentication is that both ends sends their certificate to the other, and they will use the public key contained in the root CA to validate the signature of the received certificate from remote peer. If the signature is correct, that means the Root CA actually issued this certificate, and that remote peer can be trusted (or not )

Hope this is clear.

0 Helpful

Go to solution
joshking1
Level 1
Level 1
In response to Bastien Migette

‎09-13-2011 05:58 AM

Thanks Bastien,

It all makes sense now because I wanted to understand why I had two different certificates and your explanation made it clearer for me.

Thanks

0 Helpful

Go to solution
Bastien Migette
Cisco Employee
Cisco Employee
In response to joshking1

‎09-13-2011 06:02 AM

I'm glad that it's more clear for you know. Good luck with the configuration then

0 Helpful

Go to solution
joshking1
Level 1
Level 1
In response to Bastien Migette

‎09-13-2011 06:08 AM

I will tell you how it goes once i migrate to the new ASA config....

Maybe I will have one or two more question that will need to be answered once more...

Thanks

0 Helpful

Go to solution
joshking1
Level 1
Level 1
In response to joshking1

‎09-14-2011 09:43 AM

Hi,

I am having problem importing the Identity Certificate as I keep getting the error message below

ERROR: Failed to parse or verify imported certificate

I am using a microsoft CA and have already remove and reauthenticate with the correct root CA  certificate several times but the error keeps coming back once I get to the final stage of manually importing the Identity certificate issued by the CA to the firewall.

I have also cleared the flash config and reconfigured my 5540 firewall twice but it is still not happening for me.

Please any help or ideas will be appreciated.

Also I am not sure if the active/passive setup I have at the moment could be affecting the certificate import process or should the firewall be online and talking to the CA before this process can be completed because I am configuring the 5540 offline before it goes into production in 2 days

Thanks

0 Helpful

Go to solution
Bastien Migette
Cisco Employee
Cisco Employee
In response to joshking1

‎09-14-2011 11:51 PM

Hi Josh,

How do you install the certificate on the ASA (which commands/steps).

Also, please share debug crypto ca transactions output, it should tell us what happens.

The easiest way to configure Cert from windows CA is to install MSCEP support on the Win server, then create trustpoint:

crypto ca trustpoint CAServer

  enrollment url http://CA-IP/certsrv/mscep/mscep.dll

then authenticate the CA:

crypto ca authenticate CAServer

then connect to

http://CA-IP/certsrv/mscep/ and get the one time password

after that enroll to the CA:

crypto ca enroll CAServer and type the OTP here.

You can also check an example using ASDM here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml

0 Helpful

Go to solution
joshking1
Level 1
Level 1
In response to Bastien Migette

‎09-15-2011 01:06 AM

Thanks Bastien.

I have tried the debug crypto ca transactions and expected, it gives no output because the ASA is not on the network yet and not able to talk to the CA.

I followed the configuration guidelines for manual installation of the certificate shown here

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

The only problem is that my ASA 5540 is offline and so I manually imported the identity certificate from the CA and also the root CA. But considering that the lab used shows that the firewall has to be able to contact the CA,

I guess my config may not work until my firewall comes online and able to talk to the CA (instead of the manual copy and past process I am currently using to import the certificates at the moment). Is this correct?

If that is the case, then I will have to wait for the maintenance window to migrate to my new firewalls and then use the auto-enrollment process you listed above .

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents