cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
364
Views
0
Helpful
2
Replies
a.giorgi
Beginner

Clientless Authentication Using an External CA

Hi there:

I'm trying to configure a clientless authentication using certificates issued by my own CA but I can't

I get a certificate validation failure
I was searching for a configuration guide but I can't found it

I enrolled the ASA with the CA and assigned the certificate to outside
I enrolled the user to CA

I configured the connection profile to certificate authentication method
I configured the certificate map connection profile to OU field in the certificate
I begin to suspect this is not a valid design unless the ASA is the CA
Can somebody confirm if I can authenticate my users using SSL VPN with cerificates from an external CA?

Someone know a configuration guide to do it?

Thank you in advance

Al

2 REPLIES 2
Karsten Iwen
VIP Mentor

You also can use an external CA. Thats also the common way as the local CA can't be used in Failover-Scenarios.

Start with the configuration-guides on certificates:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_clientless_ssl.html

--

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you Iwen

Finally I found the problem

You need to enroll the user certificate across the ASA (ASA as proxy)

If you try to make the enrollment directly to CA the certificates are different

the DC at left is the result of direct enrollment and doesn't work

the DC at right is the right one

Thank you very much

Al

Content for Community-Ad