PIX 501 & certificate revocation list (CRL) from Microsoft CA
I have a test environment where I use smartcards with certificates issued by a Microsoft (W2K) CA and Cisco VPN Client 3.5.1 to log on to my network (Active Directory W2K). Everything works fine. However, when I revoke certificates on my CA the client can still log on to the network through the VPN gateway (PIX 501). So the PIX doesn't get the CRL? Or can't handle the CRL? Does anybody know how to configure the PIX 501 so that it obtains the Microsoft CRL?
I use the line:
ca configure acsserver ra 1 20 crloptional
in my config. When I remove crloptional the client can't log on to the network because the PIX 501 rejects the client.
Re: PIX 501 & certificate revocation list (CRL) from Microsoft c
Look at the client certificate and see if the certification revocation point is the same as you have set it up on the MS CA server. The PIX would normally query the CA server for the CRL via LDAP, so you have to make sure the CRL is configured for LDAP publication on the MS CA server.
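The two checks the reply suggests can be scripted with OpenSSL before touching the PIX: read the CRL distribution point out of the client certificate and compare it with what the CA is supposed to publish, then validate the certificate against the CRL the way the gateway should. The script below is an added example, not part of this thread or of any Cisco or Microsoft tooling; it builds a throwaway CA, two client certificates and a CRL in a temp directory so it runs offline, and every hostname, user name and the LDAP URL in it is a constructed placeholder (a real Microsoft CA LDAP CDP is longer). openssl verify stands in for the PIX's own check.

```shell
#!/bin/sh
# Added example, not from the thread: script the CDP and CRL checks with OpenSSL
# against a throwaway test PKI. All names and URLs below are constructed test data.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed placeholder for the LDAP CDP the CA is expected to publish the CRL to.
EXPECTED_CDP='ldap://ca.example.test/CN=ExampleCA?certificateRevocationList?base'

# One config file: [req] builds the CA cert, [ca] revokes and issues the CRL.
cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 1
unique_subject = no
policy = test_policy
[ test_policy ]
commonName = supplied
EOF
touch "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# Throwaway CA key and self-signed CA certificate (stands in for the Microsoft CA).
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj '/CN=ExampleCA' -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Issue a client certificate that carries a CDP extension (stands in for the smartcard cert).
issue_client_cert() {           # $1 = CN, $2 = CDP URI; prints the path of the new cert
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'crlDistributionPoints=URI:%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
  echo "$WORK/$1.pem"
}

# Check 1: print the CDP URI(s) found in a certificate, one per line.
cert_cdp_uris() {               # $1 = cert
  openssl x509 -in "$1" -noout -text \
    | awk '/CRL Distribution Points/ {f=1; next}
           f && /^ *(X509v3|Signature)/ {f=0}
           f && /URI:/ {sub(/^ *URI:/, ""); print}'
}

# Check 2: validate a certificate against a CRL as a gateway should.
# Prints "revoked", "ok" or "error" (e.g. CRL unusable, which is what a non-optional
# CRL check on the gateway turns into a rejected logon).
revocation_status() {           # $1 = cert, $2 = CRL
  out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$2" "$1" 2>&1) && { echo ok; return; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}

REVOKED=$(issue_client_cert revoked-user "$EXPECTED_CDP")
VALID=$(issue_client_cert valid-user "$EXPECTED_CDP")

# Revoke one certificate and publish a CRL, like revoking on the MS CA and republishing.
openssl ca -config "$WORK/ca.cnf" -revoke "$REVOKED" >/dev/null 2>&1
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1

echo "CDP in client cert : $(cert_cdp_uris "$VALID")"
echo "CDP expected       : $EXPECTED_CDP"
echo "revoked-user       : $(revocation_status "$REVOKED" "$WORK/crl.pem")"
echo "valid-user         : $(revocation_status "$VALID" "$WORK/crl.pem")"
```

If the URI printed by cert_cdp_uris does not match the LDAP location configured on the CA, the gateway has no way to find the CRL, which is consistent with it only working while crloptional is set. The same two openssl commands can be run against an exported smartcard certificate and a CRL downloaded from the CA to confirm the revocation is actually published before blaming the PIX.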