10-10-2011 11:34 AM
How can I change from a PSK-based RA configuration to a locally assigned certificate-based configuration?
Thank you in advance for your assistance.
10-10-2011 02:33 PM
Hi,
Welcome to the world of PKI (public key infrastructure).
When moving to the world of certificates, generally you need to have the following:
1- A certificate authority that will issue certificates to the clients; this can be:
any valid public certificate authority
your OWN Microsoft CA server
the beloved IOS CA server (your own Cisco router).
2- A client enrolling for the certificate:
This can be done on a Cisco IOS router using either:
SCEP: Simple Certificate Enrollment Protocol (uses HTTP port 80)
or
manual enrollment (copy and paste).
3- A protocol to carry the certificates and do the authentication, which is IKE.
So the changes will be:
- authenticate the CA certificate on all of your clients
- enroll each client with its own certificate
- change the IKE policy to use certificate authentication; it is rsa-sig under the isakmp policy definition.
For basic knowledge about certificates:
http://en.wikipedia.org/wiki/Public_key_certificate
Manual certificate enrollment (TFTP and cut and paste):
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftmancrt.html
Configure and enroll a Cisco router to another Cisco router:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080210cdc.shtml
Digital certificates PKI for VPN:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html
HTH
Mohammad.
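As an added example (not part of Mohammad's reply or of the Cisco documents he links), here is what the three changes above look like on an IOS router, with the PSK-based policy that is being replaced shown first. The trustpoint name, RSA key label, IP addresses, subject names and certificate-map label are placeholders chosen for this example; the SCEP URL path for a Microsoft CA is the one NDES normally exposes, and must be checked against your own CA.

```cisco
! --- BEFORE: PSK-based IKEv1 (the configuration being replaced) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key MySharedSecret address 203.0.113.2
!
! --- AFTER: certificate-based IKEv1 ---
! Step 0 (exec mode): generate a dedicated RSA key pair for the trustpoint.
! crypto key generate rsa label VPN-KEYS modulus 2048
!
! Step 1: define the trustpoint that points at the CA's SCEP enrollment URL.
! 192.0.2.10 and the names below are placeholders for this example.
! For an IOS CA server the URL is the CA router's HTTP server;
! for a Microsoft CA with NDES it is typically http://<host>/certsrv/mscep/mscep.dll
crypto pki trustpoint VPN-CA
 enrollment url http://192.0.2.10:80
 subject-name CN=hub.example.com,OU=VPN,O=Example
 rsakeypair VPN-KEYS
 revocation-check crl
!
! Step 2 (exec mode): fetch and verify the CA certificate on every peer.
! Compare the fingerprint the router prints with the one the CA operator
! gives you out of band before answering "yes": this is the trust anchor
! that every later peer certificate is validated against.
! crypto pki authenticate VPN-CA
!
! Step 3 (exec mode): request this router's own certificate (repeat on each peer).
! crypto pki enroll VPN-CA
!
! Step 4: switch the IKE policy from pre-share to rsa-sig, and send the
! certificate's DN as the IKE identity instead of the peer IP address.
crypto isakmp identity dn
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 2
!
! Step 5: restrict which certificates may match this VPN, so that any
! certificate the CA ever issued (e.g. a user or web-server cert) is not
! automatically accepted as a VPN peer. The map label and OU are assumptions.
crypto pki certificate map VPN-PEERS 10
 subject-name co ou = vpn
crypto isakmp profile VPN-PROFILE
 ca trust-point VPN-CA
 match certificate VPN-PEERS
!
! Step 6: once every peer has enrolled, remove the shared secret.
no crypto isakmp key MySharedSecret address 203.0.113.2
!
! Verification (exec mode):
! show crypto pki certificates   -> CA cert and router cert both "Available"
! show crypto isakmp sa          -> QM_IDLE state after the peer reconnects
```

The isakmp profile is applied with `set isakmp-profile VPN-PROFILE` on the crypto map entry (or the IPsec profile of a tunnel interface). During migration it is common to keep a second, lower-priority policy (for example `crypto isakmp policy 20` with `authentication pre-share`) until the last peer has enrolled, and only then remove the PSK and that policy; the certificate map in step 5 is what turns "signed by our CA" into "allowed to build this tunnel".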
10-11-2011 08:56 AM
Does each client need their own Certificate?
10-11-2011 09:13 AM
Yes, you need to.
10-11-2011 09:17 AM
I have an MS CA server which is currently issuing to every user.
I want to use the PSK, certificate, and the users still have to enter the username and password.
If not, can I just use the certificate and the username and password?