Q. VPN remote access clients' user certs and ASA certs are generated off of the intermediate CA server.
Does the ASA need to have the Root CA cert installed on the ASA along with the Intermediate CA cert? Or will just the Intermediate CA cert suffice?
A. On the ASA you need only the Intermediate/Subordinate CA cert installed. On the client you need all 3 certs installed: Root CA, Subordinate CA, and Identity certificate.
Q. How does the ASA check for CRLs with multiple CA certificates installed?
On the ASA we have CA cert1 and CA cert2. Clients are connecting using a user1 certificate signed by CA cert1 and a user2 certificate signed by CA cert2. How does the ASA know how to query the right CRL list?
A. The CRL location, CRL DP, is actually pulled out of the client certificate. The client certificate would have a 'CRL Distribution Points' extension that would provide a URL to the CRL location.
If the client certificate doesn't include such an extension then you could also configure static URLs or a combination of both depending on which check boxes you enable for CRL Retrieval Policy. This way you can configure the particular static URL relevant to the given CA certificate that you are configuring.
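
The per-CA CRL retrieval policy described in the answer above, written as ASA CLI configuration. This is an added example, not configuration from the original page; the trustpoint names (CA1-TP, CA2-TP) and the CRL URL are constructed placeholders, and the CLI `policy` keywords are assumed to correspond to the CRL Retrieval Policy check boxes the answer mentions.

```cisco
! Constructed example: trustpoint names and the CRL URL are placeholders.
!
! Trustpoint holding CA cert1, the issuer of user1's certificate.
crypto ca trustpoint CA1-TP
 enrollment terminal
 ! "crl" with no trailing "none": if no valid CRL can be retrieved,
 ! the certificate is rejected rather than accepted unchecked.
 revocation-check crl
 crl configure
  ! cdp: use only the URL in the client certificate's
  ! CRL Distribution Points extension.
  policy cdp
!
! Trustpoint holding CA cert2, the issuer of user2's certificate.
crypto ca trustpoint CA2-TP
 enrollment terminal
 revocation-check crl
 crl configure
  ! both: try the CDP from the client certificate first, then fall
  ! back to the static URL configured for this CA.
  ! Use "policy static" instead when this CA's certificates carry no CDP.
  policy both
  url 1 http://crl.example.test/ca2.crl
```

Because each static URL lives under the trustpoint of the CA it belongs to, a certificate issued by CA cert2 is never checked against CA cert1's CRL.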