Hi all,

People who have used the Windows CA server may remember that it has an option to generate a one-time password which must be supplied by the client during enrollment. If the client provides a wrong password, the enrollment request is rejected.

The password is prompted for as follows:

    router1(config)#crypto ca enroll cisco
    %
    % Start certificate enrollment ..
    % Create a challenge password. You will need to verbally provide this
      password to the CA Administrator in order to revoke your certificate.
      For security reasons your password will not be saved in the configuration.
      Please make a note of it.

    Password:

When we enroll with an IOS CA server, we give a random password and it is accepted. While revoking the certificate using the "crypto pki server cisco revoke" command on the CA server, I am not prompted for the password and the IOS CA server simply revokes the certificate.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c5.html#wp1045086

The IOS also has an option for generating an OTP to challenge the client user while enrolling. The following snippet claims that the IOS CA server supports manual and preshared key authentication. But I don't see an option to configure in the IOS for this.

    crypto pki server cs-label password generate [minutes]

Snippet from http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c5.html#wp1045086

    Usage Guidelines

    SCEP, which is the only supported enrollment protocol, supports two client authentication mechanisms—manual and preshared key. Manual enrollment requires the administrator at the certification authority (CA) server to specifically authorize the enrollment requests; enrollment using preshared keys allows the administrator to preauthorize enrollment requests by generating a one-time password.

I am not able to connect the OTP with the ones that I have mentioned above.

With regards,
Kings
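A small Python model of the two SCEP authorization paths described in the quoted Usage Guidelines, added here as an illustration; it is not part of the original post and is not Cisco IOS code. The class and method names are hypothetical, and it assumes that a request whose challenge password does not match a valid one-time password is queued for manual approval, and that generating a new password replaces the previous one.

```python
import hmac
import secrets
import time


class ScepCaModel:
    """Toy CA: preshared-key (OTP) path plus manual-grant path. Hypothetical names."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._otp = None      # (password, expiry time) or None
        self.pending = {}     # request id -> subject awaiting manual grant
        self.issued = []
        self._next_id = 1

    def password_generate(self, minutes):
        """Pre-authorize one enrollment; assumed to replace any earlier OTP."""
        otp = secrets.token_hex(8).upper()
        self._otp = (otp, self._clock() + minutes * 60)
        return otp

    def enroll(self, subject, challenge_password):
        """Handle a request carrying the password typed at the enrollment prompt."""
        if self._otp is not None:
            otp, expiry = self._otp
            fresh = self._clock() < expiry
            # Constant-time comparison avoids leaking the OTP through timing.
            match = hmac.compare_digest(otp.encode(), challenge_password.encode())
            if fresh and match:
                self._otp = None          # one-time: consumed on success
                self.issued.append(subject)
                return "granted"
        # Assumption: anything not pre-authorized waits for the administrator.
        req_id, self._next_id = self._next_id, self._next_id + 1
        self.pending[req_id] = subject
        return f"pending:{req_id}"

    def grant(self, req_id):
        """Manual path: the administrator approves a queued request."""
        self.issued.append(self.pending.pop(req_id))


def demo():
    now = [0.0]                                       # constructed fake clock
    ca = ScepCaModel(clock=lambda: now[0])
    results = [ca.enroll("router1", "random-pw")]     # no OTP generated yet
    otp = ca.password_generate(minutes=10)
    results.append(ca.enroll("router2", otp))         # matches a valid OTP
    results.append(ca.enroll("router3", otp))         # OTP already consumed
    otp2 = ca.password_generate(minutes=10)
    now[0] += 11 * 60                                 # let the OTP expire
    results.append(ca.enroll("router4", otp2))
    ca.grant(1)                                       # admin approves router1
    return results, ca.issued, sorted(ca.pending)
```

In this model a random challenge password typed at enrollment only leads to automatic issuance when it equals an unexpired, unused one-time password; every other request sits in the pending queue until an administrator grants it.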
