EZVPN and Certificates

jgadbois
Level 1

I have an ASA5510 that I want to use as an EZVPN server.  I also want to use it to generate certificates.  I also have an ASA5505 and want to use it as an EZVPN hardware client.  And I want to use certificates with it.  This would seem like a common configuration, but, alas, I cannot find any hints on how to do this.  I have them set up using pre-shared keys and they are working fine.

Any help out there?

1 Reply

Gustavo Medina
Cisco Employee

Hello,

Are you trying to use the 5510 as a LOCAL CA for EzVPN clients? If so, that is not a supported configuration; however, it may work. I would suggest using an internal Microsoft CA, for example.

If you are familiar with certificates on the ASA, then the setup will be very easy for you. On the 5505, just don't specify the 5510 tunnel-group you are trying to connect to, so that the 5505 will try to use RSA authentication.

The OU field of the ID certificate used by the 5505 should have the name of the tunnel-group on the 5510; thus, when the connection attempt gets to the 5510, the tunnel-group lookup will succeed. Otherwise, you will have to use certificate mapping on the 5510 and match another field of the cert presented by the client with the tunnel-group.

Regards,
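The two-box setup the reply describes, written out as an added example; this is not configuration from the original post or from Cisco documentation. It assumes ASA 8.0/8.2-era CLI syntax, an external SCEP-capable CA (an internal Microsoft CA with the MSCEP/NDES role, as the reply suggests) reachable at an example URL, and placeholder names: trustpoint INTERNAL-CA, tunnel-group and group-policy EZVPN-HW, 5510 outside address 192.0.2.1, and example.internal hostnames. Adjust those to your environment.

```cisco
! ===== ASA5510 (EzVPN server); 8.0/8.2-era syntax and names assumed =====
! Trustpoint for the internal CA the reply recommends; URL and DN are placeholders.
! revocation-check defaults to none; enable CRL checking once the CRL is reachable.
crypto ca trustpoint INTERNAL-CA
 enrollment url http://ca.example.internal/certsrv/mscep/mscep.dll
 subject-name CN=asa5510.example.internal,O=Example
! Then, in exec mode:  crypto ca authenticate INTERNAL-CA
!                      crypto ca enroll INTERNAL-CA
!
! Phase 1 policy using certificates (rsa-sig) instead of the pre-shared key.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Group policy for the hardware client in network extension mode.
group-policy EZVPN-HW internal
group-policy EZVPN-HW attributes
 vpn-tunnel-protocol IPSec
 nem enable
!
! The tunnel-group name (EZVPN-HW) must equal the OU in the 5505's ID
! certificate for the default OU-based lookup the reply describes to succeed.
tunnel-group EZVPN-HW type remote-access
tunnel-group EZVPN-HW general-attributes
 default-group-policy EZVPN-HW
tunnel-group EZVPN-HW ipsec-attributes
 trust-point INTERNAL-CA
! Keep whatever Xauth setting your working pre-shared-key setup already uses;
! "none" means the certificate alone authenticates the hardware client.
 isakmp ikev1-user-authentication none
!
! Fallback the reply mentions: when the OU cannot carry the tunnel-group
! name, map another certificate field (here the CN) to the tunnel-group.
crypto ca certificate map EZVPN-CERTMAP 10
 subject-name attr cn eq asa5505.example.internal
tunnel-group-map enable rules
tunnel-group-map EZVPN-CERTMAP 10 EZVPN-HW

! ===== ASA5505 (EzVPN hardware client) =====
! Enrol against the same CA; OU=EZVPN-HW is what the 5510 matches on.
crypto ca trustpoint INTERNAL-CA
 enrollment url http://ca.example.internal/certsrv/mscep/mscep.dll
 subject-name CN=asa5505.example.internal,OU=EZVPN-HW,O=Example
! Then, in exec mode:  crypto ca authenticate INTERNAL-CA
!                      crypto ca enroll INTERNAL-CA
!
! No "vpnclient vpngroup <group> password <key>" line: leaving the group
! out is what makes the 5505 offer RSA-SIG with the trustpoint's certificate.
vpnclient server 192.0.2.1
vpnclient mode network-extension-mode
vpnclient trustpoint INTERNAL-CA chain
vpnclient enable
```

Before cutting over from pre-shared keys, confirm both boxes hold a CA certificate and an ID certificate with `show crypto ca certificates`, check the 5505 with `show vpnclient`, and watch the 5510 with `debug crypto isakmp` during the first connection: a tunnel-group lookup failure there is the symptom that the OU (or the certificate map) does not name an existing tunnel-group.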