Right, this is because ASA CA can only issue a certificate for SSL purposes. You cannot use them in EAP, I believe.

Regards,
Piotr

2011/9/6 Kingsley Charles <[email protected]>

> Piotr,
>
> Does it mean that the ASA CA server has been implemented as a complement to its own webvpn feature? The ASA CA server can also be used to generate certificates for any users to authenticate with any other applications other than ASA WebVPN, isn't it?
>
> We need some web service for the CA service. In IOS, we use the http server web service, not webvpn.
>
> But in ASA, we don't use the http service but rather the webvpn web service.
>
> Just wondering, why didn't Cisco use the http server web service? If I need a CA server alone for issuing identity certificates, why would I need to run WebVPN?
>
> For example, if I need a certificate for EAP-TLS or EAP-FAST authentication, I just need a CA server, not WebVPN.
>
> With regards
> Kings
>
>
> On Tue, Sep 6, 2011 at 12:32 PM, Piotr Matusiak <[email protected]> wrote:
>
>> What's the ASA CA purpose? To give out certificates for SSL (clientless and full client), right? In both cases you need webvpn to be enabled.
>>
>> Regards,
>> Piotr
>>
>> 2011/9/6 Kingsley Charles <[email protected]>
>>
>>> Hi Piotr
>>>
>>> Great, that made it work.
>>>
>>> But why do we need webvpn to be enabled? Is the CA server embedded with the WebVPN service?
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Sep 6, 2011 at 11:33 AM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Hi Kings,
>>>>
>>>> You need WebVPN to be enabled for that.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi Piotr
>>>>>
>>>>> I don't have webvpn configured. I get the same log message even when I use the IP address. Do we need http server enabled? I tried enabling http server too and that didn't work for me.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Mon, Sep 5, 2011 at 8:26 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>
>>>>>> Hi Kings,
>>>>>>
>>>>>> Did you enable webvpn on the outside? You can connect using the IP address as well.
>>>>>>
>>>>>> Regards,
>>>>>> Piotr
>>>>>>
>>>>>> 2011/9/5 Kingsley Charles <[email protected]>
>>>>>>
>>>>>>> Hi all
>>>>>>>
>>>>>>> I have configured the ASA as a CA server and when I try to access the enrollment URL, I get the following logs. From the log reference for 710005, I think the CA server service is not running.
>>>>>>>
>>>>>>> I am trying to access the enrollment URL using the hostname https://asa2/+CSCOCA+/enroll.html and have defined the hostname-to-IP-address mapping in the hosts file. I remember we can only access it using the hostname, not the IP address.
>>>>>>>
>>>>>>> Any thoughts?
>>>>>>>
>>>>>>> *Config*
>>>>>>>
>>>>>>> crypto ca server
>>>>>>>  subject-name-default cn=ca
>>>>>>>  smtp from-address [email protected]
>>>>>>>
>>>>>>> *Logs*
>>>>>>>
>>>>>>> %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>> %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>
>>>>>>> Snippet from http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1285746
>>>>>>>
>>>>>>> 710005
>>>>>>>
>>>>>>> Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from *source_address/source_port* to *interface_name:dest_address/service*
>>>>>>>
>>>>>>> Explanation This message appears when the Cisco ASA does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the Cisco ASA. In addition, this message appears (with the service *snmp*) when the Cisco ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is *snmp*, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.
>>>>>>>
>>>>>>> Recommended Action In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBIOS, the frequency of this message can be high. If this message appears in excessive number, it may indicate an attack.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>>>
>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
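The fix the thread converges on is that the ASA local CA enrollment page is served by the WebVPN listener, so nothing answers on TCP/443 of the outside interface (and the ASA logs 710005 "TCP request discarded") until WebVPN is enabled there. The following configuration is an added example, not taken from the thread or from Cisco documentation: it shows the original poster's fragment beside the version with WebVPN enabled. It assumes the interface is named `outside` and keeps the `cn=ca` subject and the enrollment URL from the original post; the key size and certificate lifetime are illustrative values, and `no shutdown` prompts interactively for the CA passphrase on the console.

```cisco
! --- Before: CA server defined, but no listener on outside:443 ---
! Requests to https://asa2/+CSCOCA+/enroll.html are dropped and logged as
!   %ASA-7-710005: TCP request discarded from <client>/<port> to outside:<asa-ip>/443
crypto ca server
 subject-name-default cn=ca
 smtp from-address [email protected]

! --- After: enable WebVPN on the interface that clients enroll through ---
webvpn
 enable outside

! Local CA settings; keysize/lifetime values are illustrative assumptions
crypto ca server
 subject-name-default cn=ca
 smtp from-address [email protected]
 keysize 2048
 lifetime certificate 365
 ! Starts the CA; the ASA prompts for a passphrase that protects the CA key
 no shutdown
```

Once `webvpn` / `enable outside` is applied, the 710005 messages for outside:443 should stop and the enrollment page answers at https://asa2/+CSCOCA+/enroll.html. Enabling WebVPN on `outside` also exposes the SSL VPN portal on that interface, so a defender should expect to see, and review, new connections to port 443 from the internet in the ASA syslog after making this change.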
