Kings,

The ASA generates keys on behalf of the user and issues a certificate, which is transferred during the enrollment process to the client in PKCS12 (keys+cert) format. That's why there are two keys.

Regards,
Piotr

2011/9/6 Kingsley Charles <[email protected]>

> I did some investigation and, based upon the debugs and documentation, the following is how the authentication happens for SSLVPN with clients.
>
> 1) The user is added to the ASA CA Server user db and an OTP is generated.
> 2) The user goes to https://IP address/+CSCOCA+/enroll.html <https://asa2/+CSCOCA+/enroll.html> and enters the username/OTP.
> 3) The user downloads the certificate.
> 4) The user now logs into the SSLVPN portal and sends the certificate for authentication.
> 5) The ASA uses the Local CA server trustpoint to validate the signature. The downloaded/sent certificate signature is signed by the CA Server's private key. When the ASA gets the certificate from the user for sslvpn authentication, it generates the hash of the certificate. The signature from the certificate is decrypted using the CA Server public key and now both hashes are compared. If they are the same, then authentication passes.
>
> If I am missing something, please let me know.
>
> Now, one question is still not answered for me.
>
> Why does the ASA CA server put a public and private key in the user's certificate? What is the purpose of those keys?
>
> With regards
> Kings
>
> On Tue, Sep 6, 2011 at 1:27 PM, Kingsley Charles <[email protected]> wrote:
>
>> Hi Piotr
>>
>> As you said, the ASA CA Server is meant only for its sslvpn user authentication.
>>
>> Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1067484
>>
>> The Local CA
>>
>> The Local Certificate Authority (Local CA) performs the following tasks:
>>
>> • Integrates basic certificate authority functionality on the security appliance.
>> • Deploys certificates.
>> • Provides secure revocation checking of issued certificates.
>> • Provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based.
>> • Provides trusted digital certificates to users, without the need to rely on external certificate authorization.
>> • Provides a secure in-house authority for certificate authentication and offers straightforward user enrollment by means of a browser web page login.
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 6, 2011 at 1:11 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi Piotr
>>>
>>> I just checked a downloaded certificate's usage from the ASA CA Server and it was signature type. Normally, the self-signed certificates from webservers will have usage type of encryption and the public key will be used for encrypting the master key sent by the client to the server. The client side doesn't need an encryption usage certificate and only requires a certificate with signature usage.
>>>
>>> With EAP, the client also would only require certificate usage type of signature and hence, I think, the ASA CA server would suffice.
>>>
>>> Just sharing my thought. Practically, I have not tried with EAP :-)
>>>
>>> I have one more query.
>>>
>>> The downloaded certificate from the ASA CA server has a public key and a private key. Now, with the ASA CA server we don't enroll by sending PKCS#10, which has the public key.
>>>
>>> That said, whose public and private key are present in the downloaded certificate? Does the ASA CA server create and add keys for each user?
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Sep 6, 2011 at 12:58 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Right, this is because the ASA CA can only issue a certificate for SSL purposes. You cannot use them in EAP, I believe.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>
>>>>> Piotr,
>>>>>
>>>>> Does it mean that the ASA CA server has been implemented as a complement to its own webvpn feature? The ASA CA server can also be used to generate certificates for any users to authenticate with any other applications other than ASA WebVPN, isn't it?
>>>>>
>>>>> We need some web service for the CA Service. In IOS, we use the http server web service, not webvpn.
>>>>>
>>>>> But in ASA, we don't use the http service but rather the webvpn web service.
>>>>>
>>>>> Just wondering, why didn't Cisco use the http server web service? If I need a CA Server alone for issuing identity certificates, why would I need to run WebVPN?
>>>>>
>>>>> For example, I need a certificate for EAP TLS or EAP FAST authentication; I just need a CA Server, not WebVPN.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Tue, Sep 6, 2011 at 12:32 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>
>>>>>> What's the ASA CA purpose? To give out certificates for SSL (clientless and full client), right? In both cases you need webvpn to be enabled.
>>>>>>
>>>>>> Regards,
>>>>>> Piotr
>>>>>>
>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>
>>>>>>> Hi Piotr
>>>>>>>
>>>>>>> Great, that made it work.
>>>>>>>
>>>>>>> But why do we need webvpn to be enabled? Is the CA server embedded with the WebVPN service?
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> On Tue, Sep 6, 2011 at 11:33 AM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Kings,
>>>>>>>>
>>>>>>>> You need WebVPN to be enabled for that.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Piotr
>>>>>>>>
>>>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>>>
>>>>>>>>> Hi Piotr
>>>>>>>>>
>>>>>>>>> I don't have webvpn configured. I get the same log message even when I use the IP address. Do we need the http server enabled? I tried enabling the http server too and that didn't work for me.
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>> On Mon, Sep 5, 2011 at 8:26 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Kings,
>>>>>>>>>>
>>>>>>>>>> Did you enable webvpn on the outside?
>>>>>>>>>> You can connect using the IP address as well.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Piotr
>>>>>>>>>>
>>>>>>>>>> 2011/9/5 Kingsley Charles <[email protected]>
>>>>>>>>>>
>>>>>>>>>>> Hi all
>>>>>>>>>>>
>>>>>>>>>>> I have configured the ASA as a CA server and when I try to access the enrollment URL, I get the following logs. From the log reference for 710005, I think the CA server service is not running.
>>>>>>>>>>>
>>>>>>>>>>> I am trying to access the enrollment url using the host name https://asa2/+CSCOCA+/enroll.html and have defined the hostname to IP address mapping in the hosts file. I remember we can only access it using the hostname, not the IP address.
>>>>>>>>>>>
>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>
>>>>>>>>>>> *Config*
>>>>>>>>>>>
>>>>>>>>>>> crypto ca server
>>>>>>>>>>>  subject-name-default cn=ca
>>>>>>>>>>>  smtp from-address [email protected]
>>>>>>>>>>>
>>>>>>>>>>> *Logs*
>>>>>>>>>>>
>>>>>>>>>>> %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>>>> %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>>>>
>>>>>>>>>>> Snippet from http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1285746
>>>>>>>>>>>
>>>>>>>>>>> 710005
>>>>>>>>>>>
>>>>>>>>>>> Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from *source_address/source_port* to *interface_name:dest_address/service*
>>>>>>>>>>>
>>>>>>>>>>> Explanation This message appears when the Cisco ASA does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the Cisco ASA. In addition, this message appears (with the service *snmp*) when the Cisco ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is *snmp*, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.
>>>>>>>>>>>
>>>>>>>>>>> Recommended Action In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBios, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
>>>>>>>>>>>
>>>>>>>>>>> With regards
>>>>>>>>>>> Kings
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>>>>>>>
>>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
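An added illustration, not part of the thread and not Cisco's code: the flow Kings and Piotr settled on (CA-generated key pair, PKCS#12 download, signature validation against the local CA trustpoint) reproduced with OpenSSL standing in for the ASA local CA. It assumes openssl and mktemp are in PATH; the user name and OTP are constructed sample values, and using the OTP as the PKCS#12 passphrase is this example's modelling choice.

```shell
# Added example (not from the thread): an OpenSSL stand-in for the ASA local CA.
# Assumes openssl and mktemp in PATH; "kings" and its OTP are constructed sample values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The local CA trustpoint: a self-signed CA certificate and its private key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Enrollment as the thread describes it: no PKCS#10 comes from the browser, so the CA
# generates the user's key pair itself, signs a certificate over the public key, and
# hands back PKCS#12 = private key + certificate (OTP as passphrase: modelling choice).
issue_user() {
  user="$1"; otp="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$user.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
    -name "$user" -passout "pass:$otp" -out "$WORK/$user.p12"
}

# Same CN, but self-signed: a certificate that did not come from the local CA.
make_foreign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/foreign.key" -out "$WORK/foreign.crt" 2>/dev/null
}

# Step 5 of the thread: validate the presented certificate's signature against the
# CA trustpoint. Succeeds only if the certificate chains to ca.crt.
verify_user_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# "Why two keys": the PKCS#12 carries the private key, the certificate carries the
# matching public key. Derive the public key from each side and compare them.
keys_match() {
  p12_pub=$(openssl pkcs12 -in "$WORK/$1.p12" -nodes -nocerts -passin "pass:$2" 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout)
  [ -n "$p12_pub" ] && [ "$p12_pub" = "$cert_pub" ]
}

make_ca; issue_user kings 4815162342; make_foreign kings
verify_user_cert kings && echo "kings.crt: signed by the local CA"
keys_match kings 4815162342 && echo "kings.p12 private key matches kings.crt public key"
verify_user_cert foreign || echo "foreign.crt: rejected, not signed by the local CA"
```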
