Hi Piotr

I just checked a downloaded certificate's usage from the ASA CA Server and it was signature type. Normally, the self-signed certificates from webservers will have usage type of encryption and the public key will be used for encrypting the master key sent by the client to the server. The client side doesn't need an encryption usage certificate and only requires a certificate with signature usage.

With EAP, the client also would only require certificate usage type of signature and hence, I think the ASA CA server would suffice. Just sharing my thought. Practically, I have not tried with EAP :-)

I have one more query. The downloaded certificate from the ASA CA server has public key and private key. Now, with ASA CA server we don't enroll by sending PKCS#10 which has the public key. That said, whose public and private key are present in the downloaded certificate? Does the ASA CA server create and add keys for each user?

With regards
Kings

On Tue, Sep 6, 2011 at 12:58 PM, Piotr Matusiak <[email protected]> wrote:

> Right, this is because ASA CA can only issue a certificate for SSL purposes. You cannot use them in EAP I believe.
>
> Regards,
> Piotr
>
> 2011/9/6 Kingsley Charles <[email protected]>
>
>> Piotr,
>>
>> Does it mean that the ASA CA server has been implemented as a complement to its own webvpn feature? ASA CA server can also be used to generate certificates for any users to authenticate with any other applications other than ASA WebVPN, isn't it?
>>
>> We need some web service for CA Service. In IOS, we use http server web service, not webvpn.
>>
>> But in ASA, we don't use http service, rather webvpn web service.
>>
>> Just wondering, why Cisco didn't use http server web service. If I need a CA Server alone for issuing identity certificates, why would I need to run WebVPN?
>>
>> For example, if I need a certificate for EAP TLS or EAP FAST authentication, I just need a CA Server, not WebVPN.
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 6, 2011 at 12:32 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> What's the ASA CA purpose? To give out certificates for SSL (clientless and full client), right? In both cases you need webvpn to be enabled.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>
>>>> Hi Piotr
>>>>
>>>> Great, that made it work.
>>>>
>>>> But why do we need webvpn to be enabled? Is the CA server embedded with the WebVPN service?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, Sep 6, 2011 at 11:33 AM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> Hi Kings,
>>>>>
>>>>> You need WebVPN to be enabled for that.
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>
>>>>>> Hi Piotr
>>>>>>
>>>>>> I don't have webvpn configured? I get the same log message even when I use the IP address. Do we need the http server enabled? I tried enabling the http server too and that didn't work for me.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Mon, Sep 5, 2011 at 8:26 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Kings,
>>>>>>>
>>>>>>> Did you enable webvpn on the outside?
>>>>>>> You can connect using the IP address as well.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Piotr
>>>>>>>
>>>>>>> 2011/9/5 Kingsley Charles <[email protected]>
>>>>>>>
>>>>>>>> Hi all
>>>>>>>>
>>>>>>>> I have configured the ASA for CA server and when I try to access the enrollment URL, I get the following logs. From the log reference for 710005, I think the CA server service is not running.
>>>>>>>>
>>>>>>>> I am trying to access the enrollment URL using the host name https://asa2/+CSCOCA+/enroll.html and have defined the hostname to IP address mapping in the hosts file. I remember we can only access it using the hostname, not the IP address.
>>>>>>>>
>>>>>>>> Any thoughts?
>>>>>>>>
>>>>>>>> *Config*
>>>>>>>>
>>>>>>>> crypto ca server
>>>>>>>>  subject-name-default cn=ca
>>>>>>>>  smtp from-address [email protected]
>>>>>>>>
>>>>>>>> *Logs*
>>>>>>>>
>>>>>>>> %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>> %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>
>>>>>>>> Snippet from http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1285746
>>>>>>>>
>>>>>>>> 710005
>>>>>>>>
>>>>>>>> Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from *source_address/source_port* to *interface_name:dest_address/service*
>>>>>>>>
>>>>>>>> Explanation This message appears when the Cisco ASA does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the Cisco ASA. In addition, this message appears (with the service *snmp*) when the Cisco ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is *snmp*, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.
>>>>>>>>
>>>>>>>> Recommended Action In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBios, the frequency of this message can be high. If this message appears in excessive number, it may indicate an attack.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>>>>
>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
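The thread above turns on two points: which key-usage bits a client certificate needs for EAP-TLS (signature, not encipherment), and what it means when a "downloaded certificate" already contains a private key. The script below is an added illustration and is not from this thread; it does not model the ASA's internals. It assumes the openssl command line (1.1.1 or newer), uses a throw-away lab CA as a stand-in for the ASA CA, and all names (the CA subject "ca", users "user1" and "www", the PKCS#12 password "changeit") are constructed. The CA generates the end-entity key pair itself, which is the enrollment style in which the user never submits a PKCS#10, and hands certificate plus private key back as a PKCS#12 bundle.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a lab CA that stands in
# for the ASA CA. It issues a signature-only client certificate and a
# key-encipherment server certificate, bundles the client certificate with
# its CA-generated private key as PKCS#12, and provides two checks:
#   has_eap_client_usage CERT  - digitalSignature + clientAuth present?
#   key_matches_cert CERT P12 PASS - does the bundled key belong to CERT?
# All subjects and the password are constructed values.

# issue_cert DIR CN NAME: the CA generates NAME.key itself, builds the CSR
# locally and signs it with the extensions listed in DIR/NAME.ext.
issue_cert() {
    dir="$1"; cn="$2"; name="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -config "$dir/ca.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"

    # Self-signed lab CA: keyCertSign/cRLSign is all a CA certificate needs.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Client certificate: signature-only key usage plus the clientAuth EKU,
    # the combination an EAP-TLS (or TLS client-auth) supplicant presents.
    printf 'keyUsage = critical,digitalSignature\nextendedKeyUsage = clientAuth\n' \
        > "$dir/client.ext"
    issue_cert "$dir" user1 client

    # Web-server certificate for contrast: keyEncipherment (RSA key transport
    # of the premaster secret) plus serverAuth, but no clientAuth.
    printf 'keyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\n' \
        > "$dir/server.ext"
    issue_cert "$dir" www server

    # Deliver certificate, private key and CA chain together: this PKCS#12
    # file is the "downloaded certificate that contains both keys".
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/client.p12"
}

# Returns 0 when CERT carries Digital Signature key usage and the
# TLS Web Client Authentication EKU, i.e. what an EAP-TLS client needs.
has_eap_client_usage() {
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q "Digital Signature" || return 1
    echo "$txt" | grep -q "TLS Web Client Authentication" || return 1
    return 0
}

# Returns 0 when the private key inside P12 corresponds to the public key
# in CERT, answering "whose key is in the bundle" for that certificate.
key_matches_cert() {
    cert="$1"; p12="$2"; pass="$3"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$p12.key" 2>/dev/null
    key_pub=$(openssl pkey -in "$p12.key" -pubout)
    rm -f "$p12.key"
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: build the lab PKI in a temporary directory and report both checks.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for c in client server; do
    if has_eap_client_usage "$demo_dir/$c.crt"; then
        echo "$c.crt: usable as an EAP-TLS client certificate"
    else
        echo "$c.crt: not usable for EAP-TLS client authentication"
    fi
done
if key_matches_cert "$demo_dir/client.crt" "$demo_dir/client.p12" changeit; then
    echo "client.p12: bundled private key matches the certificate's public key"
fi
```

The contrast between the two issued certificates is the point: the server certificate carries keyEncipherment because, with RSA key transport, its public key encrypts the premaster secret, whereas the client certificate is only ever used to sign the CertificateVerify message, so digitalSignature with a clientAuth EKU is sufficient. Before trusting a CA-delivered bundle, run the key_matches_cert check against it; a bundle whose key does not pair with the certificate is useless for authentication, and checking this ahead of time saves a round of inconclusive EAP failures.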
