Cisco IOS Certificate Authority


A Cisco IOS router can be configured as a Certificate Authority (CA), distributing and managing (revoking) digital certificates. IOS routers enrol with the PKI server and are issued a certificate for use during the authentication phase when establishing a VPN tunnel. When authenticating, peers exchange certificates and validate the identity of the peer; if this succeeds, a secure IKE Security Association is established, through which an IPsec SA can then be established.

The purpose of this post is to describe the steps to configure a basic PKI/CA Server on a Cisco IOS router.


OpenSSL CA for VPN authentication


The purpose of this post is to describe the steps to set up and configure an OpenSSL Certificate Authority (CA) on an Ubuntu server. The CA will be used for VPN authentication of Windows clients authenticating against a Cisco router. It is assumed that the Ubuntu server is already installed and configured. Note that time accuracy is important when using certificates, so ensure the Ubuntu server's time is correct.

The following software/hardware was utilised:-

Initial Cisco ISE Configuration


This post will describe the basic steps to install Cisco ISE 2.4 from an ISO image, build a cluster and integrate with Active Directory.

  • Initial ISE Configuration
    • Installing ISE 2.4 from ISO image file
    • Initial configuration from CLI
  • Certificates
    • Admin and EAP Authentication Certificates
  • Deployment Roles
    • Minimum 1 x PAN (Policy Administration Node), 1 MnT (Management) and 1 x PSN (Policy Service Node)
    • Valid DNS entry for each ISE node
    • Valid certificates (Admin certificate for establishing a secure connection when building the cluster)
  • External Identity Source Integration
    • Integration with Active Directory
  • Network Access Devices
  • Policy Sets


FTD VPN Certificate authentication


Using certificates to authenticate VPN peers is the most scalable authentication method. As of FTD 6.2.2, certificate enrolment is either via SCEP or manual using a PKCS12 file. When using SCEP the FTD must have direct communication with the SCEP server in order to request the certificate, which may not be possible if the FTD is already deployed onsite. This leaves importing the signed certificate from a PKCS12 file; this is a manual process, and access to the console via SSH is all that is required.

This post will describe how to create a Certificate Template on a Windows CA, how to generate a certificate private key, CSR and PKCS12 file, and how to configure the VPN on the FMC.


ASA AnyConnect IKEv2/IPSec VPN


See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPsec and using double authentication (username/password and certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
 fqdn asa-1.lab.net
 subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
 keypair VPN_KEY
 enrollment terminal
 crl nocheck

FlexVPN with Certificate authentication


The intention of this blog post is to describe the steps to configure certificate authentication for FlexVPN on a Cisco IOS router. This post will not describe all the steps to enrol for a certificate or all the steps to configure FlexVPN; refer to the previous blog posts listed below.

The configuration used is based on the FlexVPN sVTI blog post below, and all routers have successfully enrolled for certificates. VPN connectivity has been established using PSK; the configuration below converts from PSK to certificate authentication.


Cisco IOS Certificate Enrollment via SCEP or Manual enrollment


The intention of this blog post is to describe how to configure a Cisco IOS router to request a certificate from a Microsoft SCEP (NDES) server for use in VPN authentication. A Windows Server must be configured as a Certificate Authority with the "Network Device Enrollment Service" role. In the lab a Windows 2008 R2 server is configured as a Domain Controller, CA and NDES server; in production these roles would ideally be located on separate servers.
