Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
728
Views
3
Helpful
5
Replies

Configuring CRL FTD FDM

Go to solution
Jonathan Haldane
Level 1
Level 1

‎06-02-2023 06:50 AM

Using version v7.0.5 FDM (or any 7x) , is it possible to reference a certificate revocation List(CRL)?

For use with RA VPN (anyconnect / Secure Client). I know this is possible using FMC, however is this possible using FDM.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aref Alsouqi
VIP
VIP

‎06-02-2023 08:05 AM

I don't believe that is supported:

https://bst.cisco.com/quickview/bug/CSCvs19613

Even if you try to use the Flexconfig that wouldn't work as I remember the crypto command is a blacklisted command.

View solution in original post

5 Replies 5

Go to solution
Aref Alsouqi
VIP
VIP

‎06-02-2023 08:05 AM

I don't believe that is supported:

https://bst.cisco.com/quickview/bug/CSCvs19613

Even if you try to use the Flexconfig that wouldn't work as I remember the crypto command is a blacklisted command.

Go to solution
MHM Cisco World
VIP
VIP

‎06-02-2023 08:25 AM

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215850-certificate-installation-and-renewal-on.html

This certificate for FTD via FDM.

Can you more elaborate about CRL?

Thanks 

MHM

0 Helpful

Go to solution
Jonathan Haldane
Level 1
Level 1

‎06-02-2023 08:46 AM

Using a 2100 series firepower with only GUI FDM for Remote Access VPN with anyconnect/secure client authenticated using Client Certificates only.

If we needed to revoke a client certificate (lost laptop etc). Visibility of the CRL would enable the Firepower to know that this client certificate had been revoked. If there is no mechanism for CRL that would remove client certificate only as an option. 

The next best option would be AAA (SAML, LDAP, RADIUS etc) & client certificate

 

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to Jonathan Haldane

‎06-02-2023 09:08 AM

If you should enable SAML on the FDM, please be aware that the FDM will error out when you try to push the changes if the SAML certificate has the "ca-check" enabled. Unlike the FMC, the FDM does not have any option to turn that feature off, and the Flexconfig won't allow you to do it due to the crypto command being blacklisted. So in that case you would need to use a third party tool such as OpenSSL or XCA to generate a new cert and its private key, disable the ca-check, import the cert and the private key into Azure, and finally import the cert into FDM.

Go to solution
Jonathan Haldane
Level 1
Level 1
In response to Aref Alsouqi

‎06-02-2023 09:17 AM

Thanks Aref, I have already come across that issue. XCA worked a treat.
 
Regards,
Jonathan
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card