Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Digital certificates in VPN 3000

Is it possible to use digital certificates to communicate a cisco vpn client 4.0 to a vpn 3000, using ACS (radius) for authentication? If yes, could anyone tell me what to configure in ACS?! I look for this in the net but I find just the configuration of vpn 3000 being it the auth server.

5 REPLIES
Community Member

Re: Digital certificates in VPN 3000

If you only plan to use Authentication (No Authorization) then you don't need to configure anything on the ACS Server. Everything remains the same as Pre-Shared keys\group Password and user will be prompted for username\password (X-AUTH) after certifiacte verification.

VPN 3000 extracts the group_name from the Certificate "OU" field by default unless you define "Group matching" rules, which give you the option to use other certificate fields for Group assignment.

Regards \\ Naman

Community Member

Re: Digital certificates in VPN 3000

Another question: the certificate i'm using to test has 2 fields "OU" with 2 unequal names. i have to include both in the group matching rule?!

if i use acs for my aaa server, then my auth would be in it, right? i'm planning in do my auth in a domain group in microsoft ad... so, i create a group in vpn3000, another in acs matching with one of vpn3000, and one or more in ad matching with this in acs, right?! in this case, i have to configure something different in acs?

thanks

Community Member

Re: Digital certificates in VPN 3000

i had a following error during a test with my certificate from ca caixa in vpn3000:

"18832 10/14/2005 18:21:10.090 SEV=3 CAPI/26 RPT=15

CAPI - RSA PKCS1 payload to be decrypted is not in PKCS1 format, bad block type

= [0x1a][0x8]

18834 10/14/2005 18:21:10.090 SEV=3 CERT/9 RPT=15

Certificate (serial number: XXXXXXX) failed validation

Reason: Invalid signature

18836 10/14/2005 18:21:10.090 SEV=4 CERT/3 RPT=15

Certificate is invalid: Invalid signature"

could somebody help me to solve this issue? i had a look in cisco's doc which tells to reinstall the ssl certificate in vpn3000 to solve this problem. it sounds really strange to me...

thanks for replies

Community Member

Re: Digital certificates in VPN 3000

Is the VPN Concentrator Certificate and User certificate issued by the same CA ?

If not, then is the Root CA for User Certificates installed as the trusted CA on VPN 3000 ?

\\ Naman

Community Member

Re: Digital certificates in VPN 3000

Naman, thanks for your reply...

the certs in my work has this chain, that is installed in vpn client and vpn 3000:

ca root

ca caixa

ca caixa pf

the identity cert of vpn 3000 has this chain, that is installed in the equipament as ca certs:

ca root

ca caixa

ca caixa in

so, the vpn 3000 cert has to have ca caixa pf as issuer, like the others? or could it be issued by ca caixa directly?

199
Views
0
Helpful
5
Replies
CreatePlease to create content