Further to this query, and to provide a little background: I am testing certificate-based authentication with ASA clientless/client SSL VPN, with an IOS CA server being used for PKI.

I have defined the IOS CA as a trustpoint on the ASA and issued the ASA with an identity certificate. On a Windows client I have installed the IOS CA certificate and then used the Cisco IPSec VPN client to create a CSR, which I submitted via the terminal/CLI on the IOS CA to be issued with an identity certificate for the Windows box. After trying many things I simply could not get the client to authenticate to the ASA using the certificate from the IOS CA. On the client I kept getting the "Certificate Validation Failure" error, and in the debugs on the ASA the most meaningful entry was this:

Tunnel Group: tg1, Client Cert Auth Failed! Embedded CA Server not enabled. Logging out the user.

I read on the Cisco support forums that someone else had an issue somewhat similar and was told by TAC that the IPSec VPN client made a CSR suitable for a certificate for IPSec but not SSL VPN. After reading this, and knowing that I had used the IPSec client to create my CSR, I added a new trustpoint for my Microsoft CA on the ASA and authenticated the MS CA on the ASA. Using the web interface for the MS CA, I then enrolled with the MS CA on the Windows client and received a certificate from it. I was then able to instantly authenticate with the ASA, now that I was using the MS CA as a trustpoint on the ASA and had been issued with a certificate from that same MS CA on the Windows client.

So, after that rather long-winded explanation, I come back to my initial query. Considering I have had the issues mentioned above, which were resolved by enrolling with another (MS) CA, is there another method I can use, preferably like the web interface for the MS CA, or like the 'user-db' function on the ASA, to enrol a client machine with an IOS CA, instead of doing what I did and using the IPSec VPN client to make a CSR and then copy-pasting it into the IOS CA?

Thanks
Ben
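One check worth running before pasting a CSR into any CA, as an added example that is not part of the original post or of Cisco's tooling: generate the client CSR with the TLS client-authentication Extended Key Usage and verify that the CSR (and later the issued certificate) actually carries it. It assumes that the "suitable for IPSec but not SSL VPN" difference TAC described is the EKU the CSR requests (an assumption, not stated in the thread) and that OpenSSL is installed.

```shell
#!/bin/sh
# Added example (not from the original post): build a client CSR that
# requests the TLS client-authentication EKU, then verify that a CSR or
# an issued certificate actually carries it before enrolling with the CA.
# Assumption: the "IPSec but not SSL VPN" difference is the EKU.

# make_client_csr CN KEYFILE CSRFILE [EKU]
# EKU defaults to clientAuth; pass "none" to omit the extension entirely
# (mimics a CSR that requests no SSL-VPN-usable key usage).
make_client_csr() {
  cn="$1"; key="$2"; csr="$3"; eku="${4:-clientAuth}"
  cfg=$(mktemp) || return 1
  {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
    if [ "$eku" != none ]; then
      printf 'req_extensions = v3_req\n'
    fi
    printf '[ dn ]\nCN = %s\n' "$cn"
    if [ "$eku" != none ]; then
      printf '[ v3_req ]\nextendedKeyUsage = %s\n' "$eku"
    fi
  } > "$cfg"
  # -nodes: unencrypted key so the script runs non-interactively
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" \
    -out "$csr" -config "$cfg" >/dev/null 2>&1
  rc=$?
  rm -f "$cfg"
  return $rc
}

# csr_has_client_auth CSRFILE -> exit 0 if the CSR requests clientAuth
csr_has_client_auth() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    grep -q 'TLS Web Client Authentication'
}

# cert_has_client_auth CERTFILE -> exit 0 if the issued cert carries clientAuth
cert_has_client_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -q 'TLS Web Client Authentication'
}
```

Run csr_has_client_auth on the CSR before submitting it, and cert_has_client_auth on what the CA returns, since a CA template can strip or override requested extensions.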
