
Microsoft Certificate Authority and Cisco VPN client

kjanakiraman
Level 1

I installed and configured Microsoft Certificate Authority and configured the Cisco PIX firewall to get the certificate from the server. From a remote system I browsed to the certificate authority and installed the certificate on the system. But when I try to connect to the Cisco firewall through VPN, I am not getting connected. In the debug command I am seeing that the Cisco PIX tried 8 times, and the error message says "atts is not acceptable". Can someone guide me to any link which gives the step-by-step configuration for this problem?

Thanks in Advance

4 Replies

drolemc
Level 6

The error "attributes are not acceptable" indicates a possible problem with the basic configuration. Please check to see if the attributes (transform sets etc.) match on both ends.

My PIX outside IP address is x.x.x.x1 and the Certificate Authority server is mapped to x.x.x.x2. I configured the Cisco PIX exactly the way the website says, like:

ca generate rsa 512

ca identity nickname 192.168.20.5:/certsrv/mscep/mscep.dll

ca configure nickname ra 1 20 crloptional

ca authenticate nickname

ca enrol nickname 192.168.20.5(Server ip address)

I mapped 192.168.20.5 for x.x.x.x1 and opened port 80 for the same.

From the client system I gave http://x.x.x.x2/certsrv

and in the advanced request I chose "Submit the Certificate request using CA form", and in the next screen the intended purpose was "Client Authentication purpose" and the CSP "Microsoft Base Cryptographic Provider v1.0", and I installed the certificate on the local system.

Now in the Cisco VPN client 4.2, instead of Group authentication I chose Certificate and selected the installed certificate. Now when I try to connect, after IPSec initialization it is trying to connect to x.x.x.x2, which is the CA server, and getting the error "could not connect". Is there anything I need to do? What should the authentication be in the PIX? Should it be pre-share or rsa-sig? What should the crypto map set be?

Thanks in Advance

I would recommend that, before trying to use the certificates, you set the connection up for a basic pre-shared key.

This way you can check out the basic ISAKMP and IPSec configuration. I agree with the previous post that indicates this is where the problem is.

I tried without the certificate, with a basic setup and RADIUS authentication, and it worked fine. Should I remove RADIUS authentication for certificates?

Thanks
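
As an added illustration of the attribute-mismatch explanation in the replies above (not code from the thread or from Cisco): a simplified Python model of how an IKE phase 1 responder compares each offered proposal against its own policies and rejects the exchange when none matches. The policy values are constructed samples, lifetime handling is left out, and the names `Proposal` and `select_proposal` are hypothetical.

```python
from typing import List, NamedTuple, Optional, Tuple

class Proposal(NamedTuple):
    encryption: str   # e.g. "des", "3des"
    hash_alg: str     # e.g. "md5", "sha"
    auth: str         # "pre-share" or "rsa-sig" (certificates)
    dh_group: int     # Diffie-Hellman group number

Rejection = Tuple[Proposal, List[str]]

def select_proposal(offered: List[Proposal], local: List[Proposal]
                    ) -> Tuple[Optional[Proposal], List[Rejection]]:
    """Model of the responder side: accept the first offered proposal that is
    identical to a local policy; otherwise record, per offer, the attributes
    that differ from the closest local policy."""
    rejections: List[Rejection] = []
    for offer in offered:
        closest: Optional[List[str]] = None
        for policy in local:
            diff = [f for f in Proposal._fields
                    if getattr(offer, f) != getattr(policy, f)]
            if not diff:
                return offer, rejections
            if closest is None or len(diff) < len(closest):
                closest = diff
        rejections.append((offer, closest or list(Proposal._fields)))
    return None, rejections

# Constructed sample data (assumed values, not taken from the thread).
CLIENT_CERT_OFFERS = [
    Proposal("3des", "sha", "rsa-sig", 2),
    Proposal("3des", "md5", "rsa-sig", 2),
]
RESPONDER_PRESHARE_ONLY = [Proposal("3des", "md5", "pre-share", 2)]
RESPONDER_WITH_RSA_SIG = RESPONDER_PRESHARE_ONLY + [
    Proposal("3des", "md5", "rsa-sig", 2),
]

if __name__ == "__main__":
    for name, local in (("pre-share only", RESPONDER_PRESHARE_ONLY),
                        ("with rsa-sig policy", RESPONDER_WITH_RSA_SIG)):
        chosen, rejected = select_proposal(CLIENT_CERT_OFFERS, local)
        print(name, "->", chosen or "no acceptable proposal")
        for offer, diff in rejected:
            print("  rejected", tuple(offer), "differs in", diff)
```

In this model a single differing attribute, such as the authentication method, is enough for every offer to be rejected even when encryption, hash and group all agree.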