11-15-2021 01:19 PM
Interesting error I'm receiving while configuring my ASA to use Azure AD MFA. In Cisco's documentation, I run the following:
crypto ca trustpoint AzureAD-AC-SAML
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
However, after no ca-check, I get the following error:
S1-ASA(config-ca-trustpoint)# no ca-check
                                 ^
ERROR: % Invalid input detected at '^' marker.
I know this is a required step, but I can't for the life of me find anything online about it. When I type 'no ?' and view the list of supported options, ca-check isn't one of them. It's almost like my ASA doesn't have that option. Any ideas? Firmware possibly?
ASA Version 9.1(6)
11-15-2021 03:15 PM - edited 11-15-2021 03:21 PM
Well, figured it out. Looks like it's the firmware. Amazingly, we're running 9.1.6 from 2015.
Found that no ca-check was introduced in firmware 9.4.1, based off this website: Cisco ASA New Features by Release - Cisco
Since we're using a very old ASA5540, it would appear that 9.1.6 is the latest firmware. So I guess it's time to replace that thing, fun! Also explains why there's zero documentation online related to the error, I don't think Azure AD MFA was much of a thing back then.