[c-nsp] ASA VPN with Local CA on the ASA

Scott Granados scott at granados-llc.net
Wed Aug 17 16:10:17 EDT 2011


Depends; if you are using failover (active/standby) it won't work.

Cisco suggests you use the Microsoft CA facilities for this, but you can also 
use your standard openssl gimmick under your *nix of choice.


-----Original Message----- 
From: Jay Nakamura
Sent: Wednesday, August 17, 2011 12:54 PM
To: cisco-nsp
Subject: [c-nsp] ASA VPN with Local CA on the ASA

I have been reading the documentation and trying to understand how this 
works.

My understanding is, I can use a certificate to add another layer of
authentication to VPN users on the ASA.  I can use the ASA as the CA to
issue the certs and manage them.  Is that correct?  I wouldn't need an
additional CA server or an external CA to purchase certs from?  Does it
work with both IPsec and AnyConnect clients?

Anyone have a good configuration example or URL that goes over it?

If I had a spare ASA, I would just test it out and see how it works, but
I don't have a spare right now.

The background:
My client is a small 3-person tech company that needs more than just a
pre-shared key and xauth to VPN in because of the sensitive
information they store.  But they don't have the budget nor the resources to
keep up the current RSA SecureID server, which is a bit overkill for
them.  They thought certificate-based auth would not be as good as
SecureID but better than just user/pass.

Any help will be appreciated.

Thanks!
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 
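The "openssl gimmick" route mentioned in the reply above, as an added example that is not part of the thread: a minimal OpenSSL CA on a *nix host that issues VPN client certificates, verifies them the way the ASA trustpoint would, and rejects a certificate from any other issuer. The organisation name, user name and PKCS#12 pass phrase are constructed placeholders; the ASA-side trustpoint configuration is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): a small OpenSSL CA for ASA VPN client
# certs. Example Corp, vpnuser1 and the pass phrase "changeit" are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so nothing below depends on the system openssl.cnf.
# The CA profile marks the cert as a CA that may sign certs and CRLs; the
# client profile is CA:FALSE and restricted to clientAuth, so a leaked client
# cert cannot be presented as a server or CA cert.
write_configs() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
C  = US
O  = Example Corp
CN = Example VPN CA
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/client.ext" <<'EOF'
basicConstraints       = critical,CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# CA key + self-signed CA cert. ca.crt is what gets imported into the ASA
# trustpoint; ca.key stays on the CA host and never goes to the ASA.
make_ca() {
    write_configs
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue one user's cert: key, CSR, CA-signed cert with the client profile,
# and a PKCS#12 bundle (key + cert + CA) to load into AnyConnect/IPsec client.
issue_client_cert() {
    user="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj "/C=US/O=Example Corp/OU=VPN Users/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -in "$WORK/$user.csr" -extfile "$WORK/client.ext" \
        -out "$WORK/$user.crt" 2>/dev/null
    openssl pkcs12 -export -name "$user" -passout pass:changeit \
        -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
        -certfile "$WORK/ca.crt" -out "$WORK/$user.p12"
}

# The check the ASA trustpoint performs: chains to our CA and is valid as a
# TLS client cert (purpose check covers keyUsage and EKU). Exit 0 on success.
verify_client_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# Subject CN, the field you would map to a username or tunnel group on the ASA.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

main() {
    make_ca
    issue_client_cert vpnuser1
    if verify_client_cert "$WORK/vpnuser1.crt"; then
        echo "issued $(cert_cn "$WORK/vpnuser1.crt"): $WORK/vpnuser1.p12 (chains to ca.crt)"
    else
        echo "verification of our own client cert failed" >&2
        exit 1
    fi
    # A cert from any other issuer, here a self-signed one with the same CN,
    # must be rejected: the CN alone proves nothing, only the chain does.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -subj "/CN=vpnuser1" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
    if verify_client_cert "$WORK/rogue.crt"; then
        echo "rogue self-signed cert was accepted" >&2
        exit 1
    fi
    echo "rogue self-signed cert for CN=vpnuser1 rejected"
}

main
```

Run it as `sh vpn-ca.sh`; the files land in a fresh temp directory unless WORK is set. Revocation is the piece this script deliberately leaves out: once a laptop is lost, you need a CRL (or OCSP) that the ASA can fetch, which is also why the ASA local CA's built-in CRL handling is attractive when failover is not in the picture.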
