Cisco Support Community
Community Member

VPN 3000 and VPN Client with Windows 2000 Certification Authority

I have a customer who is going to change his current VPN access to a Cisco 3030 Concentrator.

Currently he implements remote access VPNs (about 300 tunnels) and, to authenticate users, he uses digital certificates generated by the current VPN device's internal Certification Authority and subsequently deployed on the clients.

He would like to maintain the digital certificate approach with the new Cisco solution, but unfortunately the same thing will probably not be feasible with the Cisco solution, since it is not provided with an internal CA as the current competitor's product is.

However, the customer uses a Windows 2K infrastructure, so a possible solution could be to use the Windows 2K Certification Authority to generate certificates for the Concentrator and for the clients, and subsequently to deploy them. This is slightly different from the current configuration, since the VPN 3000 Concentrator uses digital certificates only for the key exchange and not to authenticate users; however, it could allow the customer to maintain the same approach currently deployed.

According to you all, is this approach correct (and, of course, feasible)? Has someone happened to implement such a similar configuration and could give some hints? Have you got some useful documentation?

I already had a look at the Cisco VPN documentation, but did not find anything interesting except a document indicating how to configure the VPN Concentrator to work with digital certificates.

Thanks in advance for your availability and for your patience in reading the whole message.

Community Member

Re: VPN 3000 and VPN Client with Windows 2000 Certification Authority

You can set up a W2K server as a CA and point the Concentrator to it to check the CRL. You have to make sure that CRL is not filtered on the interface where the CA is located. The W2K server has to be an AD domain controller because the Concentrator does an LDAP lookup (this might have changed in more recent versions; we use 3.5.2).

You could point authentication to the domain or a RADIUS server so at least the users could use an account they are probably already familiar with.

Community Member

Re: VPN 3000 and VPN Client with Windows 2000 Certification Authority

Thank you very much for your answer.

Only a small question. If I am not wrong, the CA, that is the AD domain controller, must contain the certificates for all the clients (that is, the users). Is that correct?

Thanks again for your availability.

Community Member

Re: VPN 3000 and VPN Client with Windows 2000 Certification Authority

Your clients will need to enroll and get certificates from the CA server. The server will only store that it has issued one. From there the server will have the option to revoke said certificates. But you must get certificates on the client from the server itself. There is no automation whereby you get a cert from the concentrator when connecting to it.

Kurtis Durrett
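As an added illustration of what the enrollment, revocation and CRL check discussed in the replies above amount to (example code written for this thread, not from Cisco or from the posters; it uses the Python `cryptography` library and a constructed CA rather than a Windows 2000 CA): the CA enrolls two clients, revokes one and publishes a CRL; the check treats a CRL that is stale or unverifiable, for instance because the fetch to the CA is being filtered, as unusable rather than as "not revoked".

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

UTC = dt.timezone.utc

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def issue(ca_name, ca_key, subject, pubkey, serial):
    # Enrollment: the CA signs the client's cert; it keeps only the serial on record.
    now = dt.datetime.now(UTC)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
            .public_key(pubkey).serial_number(serial)
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_name, ca_key, revoked_serials, issued_at=None, hours_valid=24):
    # Revocation: the CA publishes revoked serials; the CRL itself carries an expiry.
    issued_at = issued_at or dt.datetime.now(UTC)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
         .last_update(issued_at).next_update(issued_at + dt.timedelta(hours=hours_valid)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(issued_at).build())
    return b.sign(ca_key, hashes.SHA256())

def check_revocation(cert, crl, ca_cert):
    """The decision the VPN device makes per tunnel: 'valid', 'revoked' or 'crl-unusable'."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-unusable"  # CRL from another issuer, or not signed by this CA
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
    if next_update < dt.datetime.now(UTC):
        return "crl-unusable"  # stale CRL: fail closed, do not treat as "not revoked"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"

def scenario():
    # Constructed scenario: one CA, two enrolled clients, client 1002 revoked.
    ca_key, ca_name = make_key(), name("Constructed Root CA")
    ca_cert = issue(ca_name, ca_key, ca_name, ca_key.public_key(), 1)
    alice = issue(ca_name, ca_key, name("alice"), make_key().public_key(), 1001)
    bob = issue(ca_name, ca_key, name("bob"), make_key().public_key(), 1002)
    crl = build_crl(ca_name, ca_key, [1002])
    stale = build_crl(ca_name, ca_key, [1002], dt.datetime.now(UTC) - dt.timedelta(hours=48))
    return {"alice": check_revocation(alice, crl, ca_cert),
            "bob": check_revocation(bob, crl, ca_cert),
            "stale": check_revocation(alice, stale, ca_cert)}
```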
