Pix 515E and NT4 certificate server problem...

Steve M.
Level 1

Hi all,

I'm trying to set up a *simple* Windows to Pix VPN connection. Rather than have each client download the VPN Client (on a dialup connection, this could take quite a while and if I'm supposed to dial-in and fix something NOW, that wouldn't work), I'm trying to get it set up to support the built-in Windows VPN features.

I have the VPN working using a pre-shared key. XP supports this rather easily, but with 2k it's a pain to use a pre-shared key (you have to configure it through MMC, etc.). To bypass all of this, I'm attempting to configure the Pix to use a certificate rather than a pre-shared key.

The only directions I've been able to find so far reference using the certificate server with Windows 2k, not the one with NT4. Is there a way to use the certificate server with NT4 or am I fighting a hopeless cause?

I've followed the directions given at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/excas.htm#51035 but get the following error on the Pix:

Pix(config)# ca identity VPNClients 10.1.5.3:/certsrv/mscep/mscep.dll

Pix(config)# ca authenticate VPNClients

msgsym(GETCARACERT, CRYPTO)!

%Error in connection to Certificate Authority: status = FAIL

I've looked on the NT4 server and the certsrv directory exists but there's no mscep directory and no dll by that name. Is there a way to communicate with NT4's certificate server from the Pix?

Thank you in advance for your time and help,

Tim C

3 Replies

gfullage
Cisco Employee

The MSCEP stuff comes as a separate DLL to be installed, even with the 2K CA server. It's included in the Win2K Resource Kit, so not sure if it'll install on an NT4.0 server, can't say I've ever tried.

If you can't find the DLL, search for it on Google, it's available in various places around the traps, although funnily enough, it doesn't seem to be on MS's web site. If you still can't find it and can wait till next week, I can email you a copy of it off-line (I'm currently at home and don't have access to my server).

Once the DLL is installed you should be able to browse to the URL just from a browser and you'll get a certificate fingerprint. Until you can get that the PIX won't be able to download the cert properly.

Also make sure you set the enrollment mode to RA.
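The browser check described above can be scripted: the SCEP GetCACert operation against the mscep.dll URL returns the CA certificate, and its fingerprint can then be compared with the one the PIX prints during `ca authenticate` before the CA is trusted. This is an added example, not code from the thread or from Cisco; the host, path and CA name mirror the poster's `ca identity` line and are assumptions, and the test input below is a constructed byte string rather than a real certificate.

```python
"""Fetch a CA certificate via SCEP GetCACert from an MSCEP endpoint and print
its fingerprint for comparison with the PIX `ca authenticate` output."""
import hashlib
import sys
import urllib.parse
import urllib.request

# Assumed values, taken from the thread's `ca identity` line (hypothetical).
CA_HOST = "10.1.5.3"
CA_PATH = "/certsrv/mscep/mscep.dll"
CA_NAME = "VPNClients"


def get_cacert_url(host: str, path: str, ca_name: str) -> str:
    """Build the SCEP GetCACert URL; `message` carries the CA identifier."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": ca_name})
    return f"http://{host}{path}?{query}"


def fingerprint(der: bytes) -> dict:
    """MD5 and SHA-1 fingerprints (colon-separated hex) of DER certificate bytes.
    Both are returned because which one the PIX displays depends on its release."""
    return {
        "md5": ":".join(f"{b:02X}" for b in hashlib.md5(der).digest()),
        "sha1": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest()),
    }


def fetch_ca_cert(url: str, timeout: float = 10.0) -> tuple:
    """Return (content-type, body). application/x-x509-ca-cert is a single DER
    certificate; application/x-x509-ca-ra-cert (RA mode) is a PKCS#7 bundle
    holding the CA and RA certs, so its raw hash is not the CA fingerprint."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


if __name__ == "__main__":
    url = get_cacert_url(CA_HOST, CA_PATH, CA_NAME)
    ctype, body = fetch_ca_cert(url)
    if ctype.startswith("application/x-x509-ca-cert"):
        print(fingerprint(body))
    elif ctype.startswith("application/x-x509-ca-ra-cert"):
        print("RA mode: PKCS#7 bundle returned; extract the CA cert before hashing")
    else:
        sys.exit(f"unexpected response ({ctype!r}); MSCEP is probably not installed")
```

A fingerprint that does not match what the PIX shows means the PIX reached something other than the intended CA, and `ca authenticate` should not be accepted.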

Thank you for your response! I'm not sure that the MSCEP would work on NT4, but I'm willing to try it! I've looked on the net, but like you said, Microsoft doesn't have it on their site (there are lots of references to the Corporate Update site, but they removed that site). Could you send me the file(s) needed to install and make MSCEP work? The preferred email address is tclegg@ovhd.com.

Thank you for your help,

Tim C

I found the SCEP on Yahoo! Group cciesecurity and tried installing it on NT4, but it wouldn't fully load. Are there any other ways of getting the Pix to get a certificate with NT4? Moving to W2k isn't really an option at this point with our certificate server.

Thank you for your help,

Tim C
