Cisco Support Community

Clientless Authentication Using an External CA

Hi there:

I'm trying to configure a clientless authentication using certificates issued by my own CA but I can't

I get a certificate validation failure
I was searching for a configuration guide but I can't find it

I enrolled the ASA with the CA and assigned the certificate to outside
I enrolled the user to CA

I configured the connection profile to certificate authentication method
I configured the certificate map connection profile to OU field in the certificate
I begin to suspect this is not a valid design unless the ASA is the CA
Can somebody confirm if I can authenticate my users using SSL VPN with certificates from an external CA?

Does someone know a configuration guide to do it?

Thank you in advance

Al

2 REPLIES

Clientless Authentication Using an External CA

You can also use an external CA. That's also the common way, as the local CA can't be used in Failover-Scenarios.

Start with the configuration-guides on certificates:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html

--

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni



Re: Clientless Authentication Using an External CA

Thank you Iwen

Finally I found the problem

You need to enroll the user certificate across the ASA (ASA as proxy)

If you try to make the enrollment directly to CA the certificates are different

The DC at left is the result of direct enrollment and doesn't work

The DC at right is the right one

Thank you very much

Al
