I did some investigation and based upon the debugs and documentation, the following is how the authentication happens for SSLVPN with clients.

1) The user is added to the ASA CA Server user db and an OTP is generated.
2) The user opens https://IP address/+CSCOCA+/enroll.html (https://asa2/+CSCOCA+/enroll.html) and enters the username/OTP.
3) The user downloads the certificate.
4) The user now logs into the SSLVPN portal and sends the certificate for authentication.
5) The ASA uses the Local CA server trustpoint to validate the signature.

The downloaded/sent certificate signature is signed by the CA Server's private key. When the ASA gets the certificate from the user for SSLVPN authentication, it generates the hash of the certificate. The signature from the certificate is decrypted using the CA Server public key and now both hashes are compared. If they are the same, then authentication passes.

If I am missing something, please let me know.

Now, one question is still not answered for me. Why does the ASA CA server put a public and private key in the user's certificate? What is the purpose of those keys?

With regards
Kings

On Tue, Sep 6, 2011 at 1:27 PM, Kingsley Charles <[email protected]> wrote:
> Hi Piotr
>
> As you said, the ASA CA Server is meant only for its sslvpn user authentication
>
> Snippet from
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1067484
> The Local CA
>
> The Local Certificate Authority (Local CA) performs the following tasks:
>
> • Integrates basic certificate authority functionality on the security appliance.
>
> • Deploys certificates.
>
> • Provides secure revocation checking of issued certificates.
>
> • Provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based.
>
> • Provides trusted digital certificates to users, without the need to rely on external certificate authorization.
>
> • Provides a secure in-house authority for certificate authentication and offers straightforward user enrollment by means of a browser web page login.
>
> With regards
> Kings
>
> On Tue, Sep 6, 2011 at 1:11 PM, Kingsley Charles <[email protected]> wrote:
>
>> Hi Piotr
>>
>> I just checked a downloaded certificate's usage from the ASA CA Server and it was signature type. Normally, the self-signed certificates from webservers will have usage type of encryption and the public key will be used for encrypting the master key sent by the client to the server. The client side doesn't need an encryption usage certificate and only requires a certificate with signature usage.
>>
>> With EAP, client also would only require certificate usage type of signature and hence, I think ASA CA server would suffice.
>>
>> Just sharing my thought. Practically, I have not tried with EAP :-)
>>
>> I have one more query
>>
>> The downloaded certificate from the ASA CA server has public key and private key. Now, with ASA CA server we don't enroll by sending PKCS#10 which has the public key.
>>
>> Said with that, whose public and private key are present in the downloaded certificate? Does the ASA CA server create and add keys for each user?
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 6, 2011 at 12:58 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Right, this is because ASA CA can only issue a certificate for SSL purposes. You cannot use them in EAP I believe.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>
>>>> Piotr,
>>>>
>>>> Does it mean that the ASA CA server has been implemented as a complementary for its own webvpn feature? ASA CA server can be also used to generate certificates for any users to authenticate with any other applications other than ASA WebVPN, isn't it?
>>>>
>>>> We need some web service for CA Service. In IOS, we use http server web service not webvpn.
>>>>
>>>> But in ASA, we don't use http service rather webvpn web service.
>>>>
>>>> Just wondering, why Cisco didn't use http server web service. If I need a CA Server alone for issuing identity certificates, why would I need to run WebVPN?
>>>>
>>>> For example, I need a certificate for EAP TLS or EAP FAST authentication, I just need a CA Server not WebVPN.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, Sep 6, 2011 at 12:32 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> What's the ASA CA purpose? To give out certificate for SSL (clientless and full client), right? In both cases you need webvpn to be enabled.
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>
>>>>>> Hi Piotr
>>>>>>
>>>>>> Great, that made it work.
>>>>>>
>>>>>> But why do we need webvpn to be enabled? Is CA server embedded with WebVPN service?
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Tue, Sep 6, 2011 at 11:33 AM, Piotr Matusiak <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Kings,
>>>>>>>
>>>>>>> You need WebVPN to be enabled for that.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Piotr
>>>>>>>
>>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>>
>>>>>>>> Hi Piotr
>>>>>>>>
>>>>>>>> I don't have webvpn configured? I get the same log message even when I use IP address. Do we need http server enabled? I tried enabling http server too and that didn't work for me.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Mon, Sep 5, 2011 at 8:26 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Kings,
>>>>>>>>>
>>>>>>>>> Did you enable webvpn on the outside?
>>>>>>>>> You can connect using IP address as well.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Piotr
>>>>>>>>>
>>>>>>>>> 2011/9/5 Kingsley Charles <[email protected]>
>>>>>>>>>
>>>>>>>>>> Hi all
>>>>>>>>>>
>>>>>>>>>> I have configured the ASA for CA server and when I try to access the enrollment URL, I get the following logs. From the log reference for 710005, I think, the CA server service is not running.
>>>>>>>>>>
>>>>>>>>>> I am trying to access enrollment url using the host name https://asa2/+CSCOCA+/enroll.html and have defined hostname to IP address mapping in the host file. I remember, we can only access using hostname not IP address.
>>>>>>>>>>
>>>>>>>>>> Any thoughts?
>>>>>>>>>>
>>>>>>>>>> *Config*
>>>>>>>>>>
>>>>>>>>>> crypto ca server
>>>>>>>>>> subject-name-default cn=ca
>>>>>>>>>> smtp from-address [email protected]
>>>>>>>>>>
>>>>>>>>>> *Logs*
>>>>>>>>>>
>>>>>>>>>> %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>>> %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>>>
>>>>>>>>>> Snippet from
>>>>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1285746
>>>>>>>>>> 710005
>>>>>>>>>>
>>>>>>>>>> Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from *source_address/source_port* to *interface_name:dest_address/service*
>>>>>>>>>>
>>>>>>>>>> Explanation This message appears when the Cisco ASA does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the Cisco ASA. In addition, this message appears (with the service *snmp*) when the Cisco ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is *snmp*, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.
>>>>>>>>>>
>>>>>>>>>> Recommended Action In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBios, the frequency of this message can be high. If this message appears in excessive number, it may indicate an attack.
>>>>>>>>>>
>>>>>>>>>> With regards
>>>>>>>>>> Kings
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>>>>>>
>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
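The enrollment and validation flow Kings lays out in the top message (steps 1 to 5), as an added Go example that is not part of the thread and not Cisco code. A toy CA with CN "ca" (matching the `subject-name-default cn=ca` line in the config) issues a signature-usage client certificate, and `validateUserCert` performs the step the thread attributes to the ASA: hash the certificate's signed portion and check the signature with the trustpoint's public key, then confirm the chain and the client-auth usage. The thread's wording "decrypted using the CA public key" is the RSA picture, so the example uses RSA; `CheckSignatureFrom` does that hash-and-verify for you. The names `newCA`, `issueUserCert`, `validateUserCert`, `Scenario` and the user "kings" are this example's own. It also answers the open question: a certificate only ever carries the subject's public key; what the local CA generates for the user is a key pair, and the private key travels separately (which is what a PKCS#12 bundle is for) so the client can prove possession of it during the TLS handshake.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const keyBits = 2048

// newCA builds a CA key pair and a self-signed CA certificate. It stands in
// for the ASA Local CA and the trustpoint the ASA validates against.
func newCA(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueUserCert models steps 1-3: the CA generates the user's key pair itself
// (no PKCS#10 from the client), signs a certificate that carries only the
// user's PUBLIC key with the CA's PRIVATE key, and returns the user's private
// key separately, because a certificate never contains one.
func issueUserCert(caKey *rsa.PrivateKey, caCert *x509.Certificate, user string) (*rsa.PrivateKey, *x509.Certificate, error) {
	userKey, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// "signature" usage only, as Kings observed on the downloaded certificate
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return userKey, cert, err
}

// validateUserCert is step 5. CheckSignatureFrom hashes the certificate's
// signed portion and verifies the signature with the trustpoint's public key;
// Verify then checks the chain, validity period and client-auth usage.
func validateUserCert(trust, presented *x509.Certificate) error {
	if err := presented.CheckSignatureFrom(trust); err != nil {
		return fmt.Errorf("signature not from trustpoint: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(trust)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Result summarises one run so the behaviour can be checked programmatically.
type Result struct {
	GenuineAccepted         bool // cert issued by our CA passes validation
	RogueRejected           bool // same subject names, signed by an unrelated CA, is refused
	PublicKeyMatchesUserKey bool // the cert carries the public half of the generated pair
}

// Scenario enrols a user, validates the genuine certificate, then presents a
// look-alike certificate issued by a second, unrelated CA that also calls itself "ca".
func Scenario() (Result, error) {
	var r Result
	caKey, caCert, err := newCA("ca")
	if err != nil {
		return r, err
	}
	userKey, userCert, err := issueUserCert(caKey, caCert, "kings")
	if err != nil {
		return r, err
	}
	r.GenuineAccepted = validateUserCert(caCert, userCert) == nil
	r.PublicKeyMatchesUserKey = userKey.PublicKey.Equal(userCert.PublicKey)

	rogueKey, rogueCA, err := newCA("ca") // same CN, different key pair
	if err != nil {
		return r, err
	}
	_, rogueCert, err := issueUserCert(rogueKey, rogueCA, "kings")
	if err != nil {
		return r, err
	}
	r.RogueRejected = validateUserCert(caCert, rogueCert) != nil
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The rogue-CA case is the reason the trustpoint matters: a certificate whose subject and issuer names match exactly is still refused when the signature does not verify under the trustpoint's key, so the ASA is trusting a key, not a name. Note that `Verify` also enforces the validity window and the client-auth extended key usage, which the hash comparison alone does not.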
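The two log lines Kings quotes at the start of the thread, parsed and counted per source, as an added Go example (not from the thread, not Cisco code). It follows the message layout shown there and the log reference's note that an excessive number of 710005 messages may indicate an attack; the sample lines are constructed and the function names are the example's own. In the thread the 443 requests were discarded simply because nothing was listening on the outside interface until webvpn was enabled there, so a burst of these from one source right after a configuration change is a misconfiguration signal before it is an attack signal.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// SampleLog is constructed input in the shape of the thread's two messages,
// plus a chatty SNMP poller and one unrelated line the parser must ignore.
const SampleLog = `%ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
%ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
%ASA-7-710005: UDP request discarded from 192.0.2.9/40001 to outside:10.20.30.43/snmp
%ASA-7-710005: UDP request discarded from 192.0.2.9/40002 to outside:10.20.30.43/snmp
%ASA-7-710005: UDP request discarded from 192.0.2.9/40003 to outside:10.20.30.43/snmp
%ASA-6-302013: Built inbound TCP connection 12 for outside:192.0.2.5/1234 (192.0.2.5/1234) to inside:10.0.0.5/80 (10.0.0.5/80)`

// Event is one parsed 710003/710005 line.
type Event struct {
	Severity int
	ID       string
	Proto    string
	Src      string
	SrcPort  int
	Iface    string
	Dst      string
	Service  string // port number or service name as the ASA prints it ("443", "snmp")
}

// lineRE follows the layout quoted in the thread:
//   %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
//   %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
var lineRE = regexp.MustCompile(
	`^%(?:PIX|ASA)-(\d)-(710003|710005): (TCP|UDP) (?:request discarded|access denied by ACL) from (\S+)/(\d+) to ([^:\s]+):(\S+)/(\S+)$`)

// ParseLine returns the event and true, or false for any other message ID.
func ParseLine(s string) (Event, bool) {
	m := lineRE.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Event{}, false
	}
	sev, _ := strconv.Atoi(m[1])
	sport, _ := strconv.Atoi(m[5])
	return Event{Severity: sev, ID: m[2], Proto: m[3], Src: m[4], SrcPort: sport,
		Iface: m[6], Dst: m[7], Service: m[8]}, true
}

// DiscardsBySource counts 710005 events per source address; the per-source
// count is the quantity the log reference suggests watching.
func DiscardsBySource(log string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if ev, ok := ParseLine(line); ok && ev.ID == "710005" {
			counts[ev.Src]++
		}
	}
	return counts
}

// NoisySources returns, sorted, the sources at or above threshold. Broadcast-heavy
// segments (DHCP, RIP, NetBIOS, per the reference) raise the baseline legitimately,
// so threshold is a tuning knob for the environment, not a fixed number.
func NoisySources(counts map[string]int, threshold int) []string {
	var out []string
	for src, n := range counts {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	counts := DiscardsBySource(SampleLog)
	fmt.Println("710005 per source:", counts)
	fmt.Println("at or above 3:", NoisySources(counts, 3))
}
```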
