I have IPSec RemoteAccess VPN with local EAP authentication up and running, but I want to additionally protect it with certificates. I guess it is called "mutual authentication". I have several questions at this point:
1) Can I use the Local CA feature built into ASA to issue and manage certificates for IPSec Remote Access VPN? The point is that the manual states that "The local CA provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based" and I've been wondering if it means that Local CA is not suitable for IPSec VPNs and I would have to use an external CA. Is it correct?
2) I've tried to enable Local CA at ASA. When I got an enrollment link, which is I guess used to get the identity certificate from the CA, I clicked on the link https://x.x.x.x/+CSCOCA+/enroll.html and got a login request. I tried to log in with the user credentials used to issue an identity certificate (username and password) but got the login screen back. I was able to proceed further only with ASA administrator credentials, not certificate user ones. But even when I logged into this link with ASA administrator account details I got a 404 error stating that "The requested URL /admin/ CSCOCA /enroll.html was not found on this server." I'm not sure if I am doing everything correctly, so please point me to what I am doing wrong.
3) If there is no way to get Local CA working (or Local CA is not suitable for IPSec-based RemoteAccess VPNs) I can generate CA and identity certificates on an external CA host (Linux based). Then I can import CA root and identity certificates both on ASA and clients and hopefully get it up and running. BUT! How would I control revocation of the certificates made on the external CA? Potentially, I would have a CRL from the external CA, but I have no idea how to attach it to ASA to let it know that particular certificates have been revoked (like when an employee is fired or something and should not be allowed to access the VPN anymore).
Yes (technically speaking) Local CA can be used to authenticate IPsec peers, but it requires a bit more effort, and as far as I understand it is not officially supported since it was never meant to work together.
The credentials you're supposed to use when enrolling to Local CA come in an email ASA sends, that's why it's a required step to configure SMTP.
Btw, regarding the credentials I've tried to enter while I was getting the identity certificate from Local CA - yes, I've tried to enter the ones I got from the enrollment letter (meaning I did have SMTP details configured). But it didn't succeed. I wasn't able to log in with the details from the enrollment e-mail, only with the local username and password that I used to access ASDM/console.
Maybe I missed something with CRL but I thought that the ASA side should have this to control which remote certificate is allowed to log in. Let's say I have an external CA, I have a CRL on it and can revoke and issue identity certificates for the remote end. The revocation list is stored on the external CA. At ASA itself I have only the root CA certificate and ASA's identity certificate. At the remote site I have the root CA certificate and the client's identity certificate. I just don't understand how ASA would know if, for example, a particular certificate has been revoked if this information is stored at the external CA and there is no way (at least I haven't been able to find any configuration field for it in ASDM) to point ASA to this CRL file to make it aware of these operations.
Sorry, if I am asking about some well-known stuff.
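For the CRL question above, this is an added configuration sketch (not from anyone in this thread) showing how an ASA trustpoint for an external CA can be told to check a CRL; the trustpoint name, the CRL URL and the tunnel-group name are assumed placeholders.

```cisco
! Trustpoint for the external (Linux) CA whose root certificate is imported on the ASA.
crypto ca trustpoint EXTERNAL-CA
 enrollment terminal
 ! Reject a peer certificate if it is on the CA's CRL; "crl none" would skip the check.
 revocation-check crl
 crl configure
  ! "both": use the CRL Distribution Point embedded in the client cert if present,
  ! and fall back to the static URL below; use "static" if certs carry no CDP.
  policy both
  ! Placeholder: HTTP URL where the external CA publishes its CRL.
  url 1 http://ca.example.invalid/ca.crl
  protocol http
  ! Treat a CRL whose NextUpdate has passed as invalid instead of trusting stale data.
  enforcenextupdate
!
! Import the CA root certificate (paste the PEM at the prompt), then bind the trustpoint
! to the IKEv1 remote-access tunnel group so client certs are validated against it.
crypto ca authenticate EXTERNAL-CA
tunnel-group RA-IPSEC ipsec-attributes
 ikev1 trust-point EXTERNAL-CA
!
! Verification: fetch the CRL now and list what is cached.
! crypto ca crl request EXTERNAL-CA
! show crypto ca crls
```

A client whose serial appears on the fetched CRL fails IKE authentication, which is the "fired employee" case in the question.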
I have this same problem, and did what you suggested, but, from the debug,
HTTP: file not found: CSCOCA /enroll.html
Totally lost on this one. It worked at first, then I had an issue with the wrong certificate, removed the configuration, and reloaded the ASA with a pre CA server configuration, and reapplied the CA server setup and now get the 404 not found.