Hi Piotr,

I agree with that. But I would like to know what the purpose of those two keys is with respect to SSLVPN.

With regards
Kings

On Tue, Sep 6, 2011 at 5:16 PM, Piotr Matusiak <[email protected]> wrote:

> Kings,
>
> The ASA generates keys on behalf of the user and issues a certificate which
> is transferred during the enrollment process to the client in PKCS12
> (keys+cert) format. That's why there are two keys.
>
> Regards,
> Piotr
>
> 2011/9/6 Kingsley Charles <[email protected]>
>
>> I did some investigation and based upon the debugs and documentation, the
>> following is how the authentication happens for SSLVPN with clients.
>>
>> 1) The user is added to the ASA CA Server user db and an OTP is generated.
>> 2) The user opens https://IP address/+CSCOCA+/enroll.html (https://asa2/+CSCOCA+/enroll.html)
>> and enters the username/OTP.
>> 3) The user downloads the certificate.
>> 4) The user now logs into the SSLVPN portal and sends the certificate for
>> authentication.
>> 5) The ASA uses the Local CA server trustpoint to validate the signature.
>> The downloaded/sent certificate's signature is signed by the CA Server's
>> private key. When the ASA gets the certificate from the user for SSLVPN
>> authentication, it generates the hash of the certificate. The signature from
>> the certificate is decrypted using the CA Server public key and now both
>> hashes are compared. If they are the same, then authentication passes.
>>
>> If I am missing something, please let me know.
>>
>> Now, one question is still not answered for me.
>>
>> Why does the ASA CA server put a public and private key in the user's
>> certificate? What is the purpose of those keys?
>>
>> With regards
>> Kings
>>
>> On Tue, Sep 6, 2011 at 1:27 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi Piotr,
>>>
>>> As you said, the ASA CA Server is meant only for its own SSLVPN user
>>> authentication.
>>>
>>> Snippet from
>>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1067484
>>>
>>> The Local CA
>>>
>>> The Local Certificate Authority (Local CA) performs the following tasks:
>>>
>>> • Integrates basic certificate authority functionality on the security
>>> appliance.
>>> • Deploys certificates.
>>> • Provides secure revocation checking of issued certificates.
>>> • Provides a certificate authority on the adaptive security appliance for
>>> use with SSL VPN connections, both browser- and client-based.
>>> • Provides trusted digital certificates to users, without the need to rely
>>> on external certificate authorization.
>>> • Provides a secure in-house authority for certificate authentication and
>>> offers straightforward user enrollment by means of a browser web page login.
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Sep 6, 2011 at 1:11 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Hi Piotr,
>>>>
>>>> I just checked a downloaded certificate's usage from the ASA CA Server
>>>> and it was signature type. Normally, the self-signed certificates from
>>>> webservers will have a usage type of encryption and the public key will be
>>>> used for encrypting the master key sent by the client to the server. The
>>>> client side doesn't need an encryption usage certificate and only requires a
>>>> certificate with signature usage.
>>>>
>>>> With EAP, the client also would only require a certificate usage type of
>>>> signature and hence, I think the ASA CA server would suffice.
>>>>
>>>> Just sharing my thought. Practically, I have not tried with EAP :-)
>>>>
>>>> I have one more query.
>>>>
>>>> The downloaded certificate from the ASA CA server has a public key and a
>>>> private key. Now, with the ASA CA server we don't enroll by sending a PKCS#10
>>>> which has the public key.
>>>>
>>>> That said, whose public and private key are present in the downloaded
>>>> certificate? Does the ASA CA server create and add keys for each user?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, Sep 6, 2011 at 12:58 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> Right, this is because the ASA CA can only issue a certificate for SSL
>>>>> purposes. You cannot use them in EAP, I believe.
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>
>>>>>> Piotr,
>>>>>>
>>>>>> Does it mean that the ASA CA server has been implemented as a
>>>>>> complement to its own WebVPN feature? The ASA CA server can also be
>>>>>> used to generate certificates for any users to authenticate with any other
>>>>>> applications other than ASA WebVPN, can't it?
>>>>>>
>>>>>> We need some web service for the CA service. In IOS, we use the http server
>>>>>> web service, not WebVPN.
>>>>>>
>>>>>> But in ASA, we don't use the http service but rather the WebVPN web service.
>>>>>>
>>>>>> Just wondering why Cisco didn't use the http server web service. If I
>>>>>> need a CA server alone for issuing identity certificates, why would I need
>>>>>> to run WebVPN?
>>>>>>
>>>>>> For example, if I need a certificate for EAP-TLS or EAP-FAST
>>>>>> authentication, I just need a CA server, not WebVPN.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Tue, Sep 6, 2011 at 12:32 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>
>>>>>>> What's the ASA CA purpose? To give out certificates for SSL
>>>>>>> (clientless and full client), right? In both cases you need webvpn to be
>>>>>>> enabled.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Piotr
>>>>>>>
>>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>>
>>>>>>>> Hi Piotr,
>>>>>>>>
>>>>>>>> Great, that made it work.
>>>>>>>>
>>>>>>>> But why do we need webvpn to be enabled? Is the CA server embedded with
>>>>>>>> the WebVPN service?
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Tue, Sep 6, 2011 at 11:33 AM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Kings,
>>>>>>>>>
>>>>>>>>> You need WebVPN to be enabled for that.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Piotr
>>>>>>>>>
>>>>>>>>> 2011/9/6 Kingsley Charles <[email protected]>
>>>>>>>>>
>>>>>>>>>> Hi Piotr,
>>>>>>>>>>
>>>>>>>>>> I don't have webvpn configured. I get the same log message even
>>>>>>>>>> when I use the IP address. Do we need the http server enabled? I tried
>>>>>>>>>> enabling the http server too and that didn't work for me.
>>>>>>>>>>
>>>>>>>>>> With regards
>>>>>>>>>> Kings
>>>>>>>>>>
>>>>>>>>>> On Mon, Sep 5, 2011 at 8:26 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Kings,
>>>>>>>>>>>
>>>>>>>>>>> Did you enable webvpn on the outside?
>>>>>>>>>>> You can connect using the IP address as well.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Piotr
>>>>>>>>>>>
>>>>>>>>>>> 2011/9/5 Kingsley Charles <[email protected]>
>>>>>>>>>>>
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>> I have configured the ASA as a CA server and when I try to access
>>>>>>>>>>>> the enrollment URL, I get the following logs. From the log reference for
>>>>>>>>>>>> 710005, I think the CA server service is not running.
>>>>>>>>>>>>
>>>>>>>>>>>> I am trying to access the enrollment URL using the host name
>>>>>>>>>>>> https://asa2/+CSCOCA+/enroll.html and have defined the hostname to
>>>>>>>>>>>> IP address mapping in the hosts file. I remember we can only
>>>>>>>>>>>> access it using the hostname, not the IP address.
>>>>>>>>>>>>
>>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>>
>>>>>>>>>>>> *Config*
>>>>>>>>>>>>
>>>>>>>>>>>> crypto ca server
>>>>>>>>>>>> subject-name-default cn=ca
>>>>>>>>>>>> smtp from-address [email protected]
>>>>>>>>>>>>
>>>>>>>>>>>> *Logs*
>>>>>>>>>>>>
>>>>>>>>>>>> %ASA-7-710005: TCP request discarded from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>>>>> %ASA-3-710003: TCP access denied by ACL from 10.20.30.40/1750 to outside:10.20.30.43/443
>>>>>>>>>>>>
>>>>>>>>>>>> Snippet from
>>>>>>>>>>>> http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1285746
>>>>>>>>>>>>
>>>>>>>>>>>> 710005
>>>>>>>>>>>>
>>>>>>>>>>>> Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded
>>>>>>>>>>>> from *source_address/source_port* to *interface_name:dest_address/service*
>>>>>>>>>>>>
>>>>>>>>>>>> Explanation This message appears when the Cisco ASA does not
>>>>>>>>>>>> have a UDP server that services the UDP request. The message can also
>>>>>>>>>>>> indicate a TCP packet that does not belong to any session on the Cisco ASA.
>>>>>>>>>>>> In addition, this message appears (with the service *snmp*)
>>>>>>>>>>>> when the Cisco ASA receives an SNMP request with an empty payload, even if
>>>>>>>>>>>> it is from an authorized host. When the service is *snmp*, this
>>>>>>>>>>>> message occurs a maximum of 1 time every 10 seconds so that the log receiver
>>>>>>>>>>>> is not overwhelmed.
>>>>>>>>>>>>
>>>>>>>>>>>> Recommended Action In networks that heavily utilize
>>>>>>>>>>>> broadcasting services such as DHCP, RIP or NetBios, the frequency of this
>>>>>>>>>>>> message can be high. If this message appears in excessive numbers, it may
>>>>>>>>>>>> indicate an attack.
>>>>>>>>>>>>
>>>>>>>>>>>> With regards
>>>>>>>>>>>> Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
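The enrollment flow Kings lists (CA-generated user key pair, PKCS12 download, certificate validated against the local CA trustpoint) and Piotr's answer about the keys+cert bundle can be reproduced with plain OpenSSL. This is an added example, not code from the thread or from Cisco; it assumes the openssl command line is installed and uses a throwaway CA with constructed subject names and OTP value in place of the ASA local CA.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: OpenSSL stands in for the
# ASA local CA. The CA creates the user's key pair itself (no PKCS#10 from the
# client), signs the user certificate, and hands both back as one PKCS12
# protected by the OTP; the SSLVPN side then validates the presented cert
# against the CA trustpoint. Subject names and the OTP value are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
OTP="demo-otp-1234"                      # constructed enrollment OTP

# Local CA trustpoint: self-signed CA certificate (cn=ca as in the config).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Enrollment: the CA generates user "kings"' key pair and signs the cert.
openssl genrsa -out "$WORK/kings.key" 2048 >/dev/null 2>&1
openssl req -new -key "$WORK/kings.key" -subj "/CN=kings" \
  -out "$WORK/kings.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/kings.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/kings.crt" >/dev/null 2>&1

# What the browser downloads: one PKCS12 bundling private key and certificate.
openssl pkcs12 -export -inkey "$WORK/kings.key" -in "$WORK/kings.crt" \
  -certfile "$WORK/ca.crt" -passout "pass:$OTP" -out "$WORK/kings.p12"

# A cert from an unrelated CA, to show the trustpoint check rejecting it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1

# True when the PKCS12 carries both a private key and a client certificate.
pkcs12_has_key_and_cert() {
  openssl pkcs12 -in "$WORK/kings.p12" -passin "pass:$OTP" -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY" || return 1
  openssl pkcs12 -in "$WORK/kings.p12" -passin "pass:$OTP" -nokeys -clcerts \
    2>/dev/null | grep -q "BEGIN CERTIFICATE"
}

# True when the public key inside the cert is the public half of the bundled
# private key: the "two keys" are one user key pair, not the CA's keys.
cert_matches_private_key() {
  a=$(openssl x509 -in "$WORK/kings.crt" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl pkey -in "$WORK/kings.key" -pubout | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Step 5 of the thread: chain the presented cert to the local CA trustpoint,
# which is where the CA's signature over the cert gets checked.
asa_validates_user_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

pkcs12_has_key_and_cert && echo "PKCS12 holds private key + certificate"
cert_matches_private_key && echo "certificate public key matches bundled key"
asa_validates_user_cert "$WORK/kings.crt" && echo "kings.crt accepted"
asa_validates_user_cert "$WORK/other.crt" || echo "other.crt rejected"
```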
