Re: CA server not authenticating a Cisco PIX 501

From: David Cross [MS] (dcross@online.microsoft.com)
Date: 09/16/02


From: "David Cross [MS]" <dcross@online.microsoft.com>
Date: Mon, 16 Sep 2002 06:06:27 -0700


In Windows 2000, there are pretty much no config steps necessary on MSCEP -
it either works or doesn't. When you install MSCEP, there is an HTML
help page that lists all of the instructions we have for issuing a cert in
Win2K.

These might be some helpful links:

Cisco System's Simple Certificate Enrollment Protocol Whitepaper

http://www.cisco.com/warp/public/cc/pd/sqsw/tech/scep_wp.htm

KB article: Using Certificates for Windows 2000 and Cisco IOS VPN
Interoperation

http://support.microsoft.com/support/kb/articles/Q249/1/25.ASP

First configure and authenticate the root CA as a trusted-root.

The commands you want to use on the router console:

SandBagger(config)#cry ca tru ms-root
SandBagger(ca-root)#root cep http://xxxxxxxx
SandBagger(ca-root)#cry ca auth ms-root
SandBagger(config)#cry ca id ms-sub
SandBagger(ca-identity)#enroll url http://xxxxxx
SandBagger(ca-identity)#enroll mode ra
SandBagger(ca-identity)#cry ca auth ms-sub
SandBagger(config)#cry ca enroll ms-sub

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Roger G" <r.grow***@kadasystems.com> wrote in message
news:12e4f01c25d77$8f8ae0d0$37ef2ecf@TKMSFTNGXA13...
> David,
>
>      I tried replying yesterday afternoon, but for some
> reason that reply doesn't show up.  Anyhow, I am using
> an Enterprise CA, but if I need to change that to a
> standalone, let me know.  Changing it is not a problem,
> since this is the only CA I have and am only using it for
> this Cisco VPN connection.
>      Can you either send me a link or tell me the correct
> way to issue a CEP certificate?  I am trying to piece the
> articles together that I have found and I'm really sure
> that I have missed something important.  At least that is
> my last thought.  Cisco has now duplicated my setup
> completely in their lab and it works fine, so I can only
> assume that the problem is with my CA.  Any other thoughts
> would be MUCH Appreciated!!
>
> Roger
>
> >-----Original Message-----
> >Are you using a standalone CA or enterprise CA?
> >
> >In general, the cert you get from MSCEP when installed on a standalone CA
> >should always work for routers and VPN devices.
> >
> >--
> >
> >
> >David B. Cross [MS]
> >
> >--
> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >http://support.microsoft.com
> >
> >"Roger G" <r.grow***@kadasystems.com> wrote in message
> >news:1114201c25c02$6bfdf290$37ef2ecf@TKMSFTNGXA13...
> >> Yes, once I found out I needed that installed as well.
> >> I think, and I'm probably wrong, that I haven't issued
> >> the correct certificate yet.  I've gone through the steps
> >> several times but am still not sure.  Is there a special
> >> certificate just for Cisco use?  Such as a CEP?  If so,
> >> how do I issue that style?
> >>
> >> Roger
> >> >-----Original Message-----
> >> >Have you installed MSCEP on the Microsoft CA?
> >> >
> >> >--
> >> >
> >> >
> >> >David B. Cross [MS]
> >> >
> >> >--
> >> >This posting is provided "AS IS" with no warranties, and
> >> >confers no rights.
> >> >
> >> >http://support.microsoft.com
> >> >
> >> >"Roger G" <r.grow***@kadasystems.com> wrote in message
> >> >news:1014701c25a96$45891080$3aef2ecf@TKMSFTNGXA09...
> >> >> I have been trying to get my Cisco PIX 501 Firewall/VPN
> >> >> router to request a certificate from my Enterprise CA but
> >> >> it will not connect.  I have checked with Cisco, who put
> >> >> my configuration on a 501 in a lab setting and it worked
> >> >> fine.  I am running Server 2000.
> >> >>
> >> >> This is a new server and more than likely I don't have it
> >> >> configured correctly.  I have not been able to find
> >> >> complete steps in connecting an MS CA to a Cisco PIX on
> >> >> either the Microsoft or the Cisco websites.  Can someone
> >> >> PLEASE either tell me what I'm doing wrong, or send me a
> >> >> link to some complete instructions?  I have been working
> >> >> on this for the past week with NO success.
> >> >>
> >> >> Please help!  TIA
> >> >>
> >> >> Roger
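The command sequence in David's reply is IOS router syntax. For the PIX 501 that started this thread, the equivalent PIX OS 6.x enrollment against an MSCEP-enabled Windows 2000 CA looks like the following. This is an added example, not text from the thread or from Cisco or Microsoft documentation; the hostname, domain name, CA address and the nickname "msca" are assumptions, the angle-bracket values are placeholders you obtain from the CA administrator, and the lines beginning with "!" are annotations rather than commands to type.

```text
! Identity first: the FQDN built from these two values ends up in the request
hostname pix501
domain-name example.com

! Generate the RSA key pair the certificate will bind to
ca generate rsa key 1024

! Point the PIX at MSCEP; the default script path would be /cgi-bin/pkiclient.exe,
! but a Windows 2000 CA with MSCEP installed serves SCEP at this path
ca identity msca 10.1.1.5:/certsrv/mscep/mscep.dll

! MSCEP acts as a registration authority, so enroll in RA mode
! (retry period 1 minute, 20 retries)
ca configure msca ra 1 20

! Fetch the CA/RA certificates. Supplying the fingerprint makes the PIX reject
! the CA certificate unless it matches the value read off the CA itself, rather
! than trusting whatever the HTTP endpoint returned
ca authenticate msca <ca-certificate-fingerprint>

! Submit the enrollment request; the challenge password comes from the MSCEP
! administration page on the CA and is consumed by this one request
ca enroll msca <challenge-password>

! Confirm what was issued, then persist keys and certificates
show ca certificate
ca save all
write memory
```

Two checks worth doing before `ca enroll`: the PIX clock must be correct (`show clock`), because a certificate issued against a skewed clock will appear not yet valid or already expired, and the fingerprint passed to `ca authenticate` must be read from the CA's own certificate (for example from the CA's properties on the Windows 2000 server), not copied from the value the PIX prints after fetching it, or the comparison proves nothing.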