Hi Piotr,

As you said, the ASA CA server is meant only for its SSL VPN user authentication.

Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1067484

The Local CA

The Local Certificate Authority (Local CA) performs the following tasks:

• Integrates basic certificate authority functionality on the security appliance.
• Deploys certificates.
• Provides secure revocation checking of issued certificates.
• Provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based.
• Provides trusted digital certificates to users, without the need to rely on external certificate authorization.
• Provides a secure in-house authority for certificate authentication and offers straightforward user enrollment by means of a browser web page login.

With regards
Kings

On Tue, Sep 6, 2011 at 1:11 PM, Kingsley Charles <[email protected]> wrote:

> Hi Piotr
>
> I just checked a downloaded certificate's usage from the ASA CA server and
> it was signature type. Normally, the self-signed certificates from web
> servers will have a usage type of encryption, and the public key will be
> used for encrypting the master key sent by the client to the server. The
> client side doesn't need an encryption-usage certificate and only requires a
> certificate with signature usage.
>
> With EAP, the client also would only require a certificate usage type of
> signature and hence, I think, the ASA CA server would suffice.
>
> Just sharing my thought. Practically, I have not tried it with EAP :-)
>
> I have one more query.
>
> The downloaded certificate from the ASA CA server has a public key and a
> private key. Now, with the ASA CA server we don't enroll by sending a PKCS#10,
> which has the public key.
>
> That said, whose public and private key are present in the downloaded
> certificate? Does the ASA CA server create and add keys for each user?
>
> With regards
> Kings
>
> On Tue, Sep 6, 2011 at 12:58 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Right, this is because the ASA CA can only issue a certificate for SSL
>> purposes. You cannot use them in EAP, I believe.
>>
>> Regards,
>> Piotr
>>
>> 2011/9/6 Kingsley Charles <[email protected]>
>>
>>> Piotr,
>>>
>>> Does it mean that the ASA CA server has been implemented as a
>>> complement to its own webvpn feature? The ASA CA server can also be used to
>>> generate certificates for any users to authenticate with any other
>>> applications other than ASA WebVPN, isn't it?
>>>
>>> We need some web service for the CA service. In IOS, we use the http server
>>> web service, not webvpn.
>>>
>>> But in ASA, we don't use the http service, rather the webvpn web service.
>>>
>>> Just wondering, why didn't Cisco use the http server web service? If I need a
>>> CA server alone for issuing identity certificates, why would I need to run
>>> WebVPN?
>>>
>>> For example, if I need a certificate for EAP-TLS or EAP-FAST authentication,
>>> I just need a CA server, not WebVPN.
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Sep 6, 2011 at 12:32 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> What's the ASA CA's purpose? To give out certificates for SSL (clientless
>>>> and full client), right? In both cases you need webvpn to be enabled.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi Piotr
>>>>>
>>>>> Great, that made it work.
>>>>>
>>>>> But why do we need webvpn to be enabled? Is the CA server embedded with
>>>>> the WebVPN service?
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Tue, Sep 6, 2011 at 11:33 AM, Piotr Matusiak <[email protected]> wrote:
>>>>>
>>>>>> Hi Kings,
>>>>>>
>>>>>> You need WebVPN to be enabled for that.
>>>>>>
>>>>>> Regards,
>>>>>> Piotr
>>>>>>
>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>
>>>>>>> Hi Piotr
>>>>>>>
>>>>>>> I don't have webvpn configured. I get the same log message even when
>>>>>>> I use the IP address. Do we need the http server enabled? I tried enabling
>>>>>>> the http server too and that didn't work for me.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> On Mon, Sep 5, 2011 at 8:26 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Kings,
>>>>>>>>
>>>>>>>> Did you enable webvpn on the outside?
>>>>>>>> You can connect using the IP address as well.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Piotr
>>>>>>>>
>>>>>>>> 2011/9/5 Kingsley Charles <[email protected]>
>>>>>>>>
>>>>>>>>> Hi all
>>>>>>>>>
>>>>>>>>> I have configured the ASA as a CA server and when I try to access
>>>>>>>>> the enrollment URL, I get the following logs. From the log reference
>>>>>>>>> for 710005, I think the CA server service is not running.
>>>>>>>>>
>>>>>>>>> I am trying to access the enrollment URL using the host name
>>>>>>>>> https://asa2/+CSCOCA+/enroll.html and have defined the hostname-to-IP
>>>>>>>>> address mapping in the hosts file. I remember we can only access it using
>>>>>>>>> the hostname, not the IP address.
>>>>>>>>>
>>>>>>>>> Any thoughts?
>>>>>>>>>
>>>>>>>>> *Config*
>>>>>>>>>
>>>>>>>>> crypto ca server
>>>>>>>>>  subject-name-default cn=ca
>>>>>>>>>  smtp from-address [email protected]
>>>>>>>>>
>>>>>>>>> *Logs*
>>>>>>>>>
>>>>>>>>> %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>> %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>>
>>>>>>>>> Snippet from
>>>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1285746
>>>>>>>>>
>>>>>>>>> 710005
>>>>>>>>>
>>>>>>>>> Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from
>>>>>>>>> *source_address/source_port* to *interface_name:dest_address/service*
>>>>>>>>>
>>>>>>>>> Explanation This message appears when the Cisco ASA does not
>>>>>>>>> have a UDP server that services the UDP request. The message can also
>>>>>>>>> indicate a TCP packet that does not belong to any session on the
>>>>>>>>> Cisco ASA. In addition, this message appears (with the service *snmp*) when
>>>>>>>>> the Cisco ASA receives an SNMP request with an empty payload, even if it is
>>>>>>>>> from an authorized host. When the service is *snmp*, this message
>>>>>>>>> occurs a maximum of 1 time every 10 seconds so that the log receiver is not
>>>>>>>>> overwhelmed.
>>>>>>>>>
>>>>>>>>> Recommended Action In networks that heavily utilize
>>>>>>>>> broadcasting services such as DHCP, RIP or NetBIOS, the frequency of this
>>>>>>>>> message can be high. If this message appears in excessive numbers, it may
>>>>>>>>> indicate an attack.
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>> please visit www.ipexpert.com
>>>>>>>>>
>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>> www.PlatinumPlacement.com
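The key-usage distinction Kings draws in the thread (a client or EAP-TLS certificate only needs a signing key, while a web server certificate doing RSA key exchange also needs an encryption-capable key) is something you can check directly on a certificate issued by the ASA local CA rather than guess at. The following is an added example written for this page, not code from the thread or from Cisco: a small pure-Python decoder for the DER value of the X.509 KeyUsage BIT STRING and the ExtendedKeyUsage SEQUENCE OF OID (RFC 5280 sections 4.2.1.3 and 4.2.1.12), plus a classifier that applies the thread's rule of thumb. The EKU check for clientAuth is my addition beyond what the thread says (most supplicants, Windows included, expect it or no EKU at all). The DER byte strings are constructed by hand for illustration; they were not taken from an ASA-issued certificate.

```python
"""Decode X.509 KeyUsage / ExtendedKeyUsage extension values from DER.

Added example for this thread (not Cisco or list-member code). The DER byte
strings at the bottom are constructed by hand; they are not extracted from
an ASA-issued certificate.
"""

# RFC 5280 4.2.1.3: KeyUsage ::= BIT STRING; bit 0 is the most significant
# bit of the first content octet after the unused-bits count.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# RFC 5280 4.2.1.12, id-kp arc 1.3.6.1.5.5.7.3.x
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos].
    Handles short- and long-form lengths (indefinite length is not DER)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage(der):
    """Decode a DER KeyUsage BIT STRING into the set of asserted usage names."""
    tag, value, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("expected BIT STRING (0x03), got 0x%02x" % tag)
    unused_bits, bits = value[0], value[1:]
    total_bits = len(bits) * 8 - unused_bits
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if bits[byte] & (0x80 >> bit):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Decode a DER ExtKeyUsageSyntax (SEQUENCE OF OID) into a list of names;
    OIDs not in EKU_NAMES are returned in dotted form."""
    tag, value, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (0x30), got 0x%02x" % tag)
    pos, names = 0, []
    while pos < len(value):
        otag, ocontent, pos = _read_tlv(value, pos)
        if otag != 0x06:
            raise ValueError("expected OID (0x06) inside EKU, got 0x%02x" % otag)
        oid = _decode_oid(ocontent)
        names.append(EKU_NAMES.get(oid, oid))
    return names


def classify(key_usage, eku):
    """Rule of thumb from the thread: a TLS/EAP-TLS client certificate needs
    digitalSignature (it only signs CertificateVerify); a server certificate
    used with RSA key exchange also needs keyEncipherment. The clientAuth /
    serverAuth EKU requirement is an assumption added here."""
    roles = []
    if "digitalSignature" in key_usage and "clientAuth" in eku:
        roles.append("tls-client/eap-tls")
    if "keyEncipherment" in key_usage and "serverAuth" in eku:
        roles.append("tls-server-rsa-kex")
    return roles


# Constructed sample extension values (not from a real certificate):
KU_SIGN_ONLY = bytes.fromhex("03020780")      # digitalSignature only (7 unused bits, 0x80)
KU_SIGN_AND_ENC = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment (0xA0)
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_CLIENT = bytes.fromhex("300a" "06082b06010505070302")

if __name__ == "__main__":
    for label, ku, eku in [("sign-only user cert", KU_SIGN_ONLY, EKU_CLIENT),
                           ("web server cert", KU_SIGN_AND_ENC, EKU_BOTH)]:
        k, e = decode_key_usage(ku), decode_eku(eku)
        print(label, sorted(k), e, classify(k, e))
```

On a real certificate, feed `decode_key_usage` and `decode_eku` the `extnValue` octets of the respective extensions (OIDs 2.5.29.15 and 2.5.29.37). Note that the keyEncipherment requirement only applies to RSA key exchange; a server using (EC)DHE cipher suites signs the handshake instead and needs digitalSignature, which is one reason a signature-only certificate from the ASA local CA is not automatically useless for a server role.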
