A Cisco IOS Router can be configured as a Certificate Authority (CA), distributing and managing (revoking) digital certificates. IOS routers enrol with the PKI Server and issued a certificate for use during the authentication phase when establishing a VPN tunnel. When authenticating peers exchange certificates and validate the identity of the peer and if successful establish a secure IKE Security Association, through which an IPSec SA can be established.
The purpose of this post is to describe the steps to configure a basic PKI/CA Server on a Cisco IOS router.
Continue reading “Cisco IOS Certificate Authority”
The purpose of this post is to describe the steps to setup and configure an OpenSSL Certificate Authority (CA) on an Ubuntu server. The CA will be used for VPN authentication for Windows Client authenticating against a Cisco Router. It is assumed that the Ubuntu server is already installed and configured. Important to note, time accuracy is important when using certificates, so ensure the Ubuntu servers’ time is correct.
The following software/hardware was utilised:-
This post will describe the basic steps in order to install Cisco ISE 2.4 from ISO image, build a cluster and integrate with Active Directory.
Continue reading “Initial Cisco ISE Configuration”
Using certificates to authenticate VPN peers is the most scalable authentication method. As of FTD 6.2.2 certificate enrolment is either via SCEP or manually using PKCS12. When using SCEP the FTD must have direct communication with the SCEP server in order to request the certificate, this may not be possible if the FTD is already deployed onsite. This leaves a PKCS12 file to import the signed certificate; this is a manual process, access to the console via SSH is all that is required.
This post will describe how to create a Certificate Template on a Windows CA, how to generate a certificate private key, csr and PKCS12 file and how to configure the VPN on the FMC.
Continue reading “FTD VPN Certificate authentication”
See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).
Create a Crypto Keypair
crypto key generate rsa label VPN_KEY modulus 2048
Create a CA Trustpoint
crypto ca trustpoint LAB_PKI
Continue reading “ASA AnyConnect IKEv2/IPSec VPN”
The intention of this blog post is to describe the steps to configure certificate authentication for FlexVPN on a Cisco IOS router. This post will not describe all the steps to enrol for a certificate or all the steps to configure FlexVPN, refer to the previous blog posts list below.
The configuration used is based on the FlexVPN sVTI blog post below and has successfully enrolled for certificates on all routers. VPN connectivity has been established using PSK, the configuration below will convert from PSK to certificate authentication.
Continue reading “FlexVPN with Certificate authentication”
The intention of this blog post is to describe how to configure a Cisco IOS router to request a certificate from a Microsoft SCEP (NDES) server to use for VPN authentication. A Windows Server must be configured as a Certificate Authority and with “Network Device Enrollment Service”. In the lab a Windows 2008 R2 server is configured as a Domain Controller, CA and NDES server – in production these roles would ideally located on separate servers.
Continue reading “Cisco IOS Certificate Enrollment via SCEP or Manual enrollment”