Hello everyone,

A couple of friends out there showed interest in the details of the scenario in the subject, so here are the detailed steps to do the job. I hope no one gets bored :)

To summarise the scenario: a VPN client connects to the PIX using RSA signatures, and the certificates are issued by an MS CA. User authentication is via an MS IAS RADIUS server. User names are defined in the MS domain.
1- Install MS CA. I have installed an Enterprise root CA.

2- Install SCEP support for MS CA. This is found in the Windows 2000 Toolkit; the file to use is cepsetup.exe. It is used for the PIX to enroll itself with the MS CA.

3- Configure IAS for RADIUS authentication. You need to configure a client with the relevant password, which should match the password in the PIX. (IAS is available in Windows 2000.) Make sure that RADIUS supports PAP authentication with the PIX. Also configure any remote user as "dial-in allowed" in the MS domain if necessary. Now the MS side is ready to issue certificates to and authenticate VPN users...

4- Configure the PIX for IPSec VPN. The following are the relevant lines from my working configuration, but you can check the Cisco site for many more examples. I am assuming you know how to configure the PIX for NAT and other basic stuff.

---------------------------------------------------------------------
crypto ipsec transform-set test_transform esp-des esp-sha-hmac
crypto dynamic-map test_dyn_set 4 set transform-set test_transform
crypto map test_map 20 ipsec-isakmp dynamic test_dyn_set
crypto map test_map client authentication test_radius
crypto map test_map interface outside
isakmp enable outside
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup test_vpn address-pool test_pool
vpngroup test_vpn dns-server 172.16.0.2
vpngroup test_vpn wins-server 172.16.0.2
vpngroup test_vpn default-domain example.com
vpngroup test_vpn idle-time 1800
ca identity test_ca 172.16.0.2://certsrv/mscep/mscep.dll
ca configure test_ca ra 1 20 crloptional
ca authenticate test_ca
ca enroll test_ca CHALLENGE
---------------------------------------------------------------------

In the enrollment phase there is one important point: before entering the LAST line above on the PIX, you should connect to http://your_local_ca_server/certsrv/mscep/mscep.dll with your browser. On that page you will see your CHALLENGE one-time password, which you should use in the command.

5- Install the VPN client. This is straightforward.

6- You should copy certificates from the CA to the VPN client. There are two ways: either you prepare a file at the VPN client and request a certificate, or you directly prepare the certificate at http://your_local_ca_server/certsrv and copy that cert to the VPN client. At the certificate preparation phase, you should be careful with the OU (or department) entity in the certificate request. This entity should match your vpngroup definition in your PIX configuration (test_vpn in this case). Also, if you are directly issuing the cert from the web site (rather than requesting via file), you should use the IPSec Offline template in MS CA. The OU (department) definition is found in that template. (Leaving it as an exercise to find how to add the IPSec Offline template :-) You should add both the CA certificate and a personal certificate to the VPN client. Use the certificate manager which comes with the VPN client installation.

7- Lastly, you should create a connection using the newly installed certificates and connect to your PIX.

I hope this helps someone who is preparing for certs. As you see, the procedure is straightforward. My mistake was to match the organization name to the vpngroup definition, instead of the OU (department) name, when I failed to connect. (It took two days of blind searching for the mistake in my configuration :-))

Best regards,
Ufuk Yasibeyli.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45434&t=45434
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
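Added example, not part of Ufuk's post: the same PIX 6.x setup assembled into one configuration fragment, with the pieces the post references but does not show filled in: the aaa-server definition behind the test_radius tag, the ip local pool behind test_pool, and the RSA key generation and save that bracket the ca enroll step. The hostname, domain, addresses, RADIUS shared secret and pool range are assumed values; the ca identity line uses the ip:/path form from Cisco's PIX documentation; the post's DES/MD5 policy is replaced with 3DES/SHA, which assumes a 3DES-licensed PIX. Lines beginning with ":" are PIX comment lines.

```text
: Assumed identity; hostname + domain-name form the FQDN placed in the PIX certificate
hostname pix1
domain-name example.com

: RADIUS (IAS) server behind "crypto map ... client authentication test_radius"
: The shared secret must match the client entry configured in IAS (assumed value)
aaa-server test_radius protocol radius
aaa-server test_radius (inside) host 172.16.0.2 SharedSecret123 timeout 5

: Address pool handed to clients by "vpngroup test_vpn address-pool test_pool" (assumed range)
ip local pool test_pool 10.1.1.1-10.1.1.50

: Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

: IKE phase 1 with certificate (RSA signature) authentication; 3DES/SHA instead of the post's DES/MD5
isakmp identity hostname
isakmp enable outside
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400

: IKE phase 2 and the dynamic crypto map for road-warrior clients
crypto ipsec transform-set test_transform esp-3des esp-sha-hmac
crypto dynamic-map test_dyn_set 4 set transform-set test_transform
crypto map test_map 20 ipsec-isakmp dynamic test_dyn_set
crypto map test_map client authentication test_radius
crypto map test_map interface outside

: vpngroup name "test_vpn" is what the PIX matches against the OU of the client certificate,
: not the O (organization) field; the IPSec Offline template's Department field sets the OU
vpngroup test_vpn address-pool test_pool
vpngroup test_vpn dns-server 172.16.0.2
vpngroup test_vpn wins-server 172.16.0.2
vpngroup test_vpn default-domain example.com
vpngroup test_vpn idle-time 1800

: SCEP enrollment against the MS CA's mscep.dll endpoint.
: Order matters: key first, then identity/authenticate, then enroll with the one-time
: challenge read from http://172.16.0.2/certsrv/mscep/mscep.dll, then save the keys and certs
ca generate rsa key 1024
ca identity test_ca 172.16.0.2:/certsrv/mscep/mscep.dll
ca configure test_ca ra 1 20 crloptional
ca authenticate test_ca
ca enroll test_ca ONE_TIME_CHALLENGE_FROM_MSCEP_PAGE
ca save all
```

After `ca authenticate`, verify the CA certificate fingerprint the PIX prints against the one shown by the CA before accepting it, and confirm the issued certificates with `show ca certificate`; `ca save all` is what persists the RSA key and certificates across a reload, so a `write memory` alone is not enough.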

