Microsoft – NDES Site Shows ‘HTTP Error 500.0 – Internal Server Error’

KB ID 0001181

Problem

I was doing some testing for a client this week. A while ago I had deployed a three tier PKI solution for them, and as part of the rollout we deployed NDES for their network devices, (they were going to use certificates to secure site to site VPNs). The client was concerned, and wanted the auto renewal process tested. This could not be done on the live system. So myself and a colleague went to the test bench, I built a model of the three tier PKI and then set up NDES, while my colleague did the comms/switches and routers.

When I was ready to go, he could not get any enrolments working with NDES. Troubleshooting NDES is usually a case of looking in event viewer, but the one check you can do is go to;

http://localhost/certsrv/mscep_admin

And I got this;

HTTP Error 500.0 – Internal Server Error
The page cannot be displayed because an internal server error has occurred.

The normal web enrolment site http://localhost/certsrv was up and working; this was just NDES.

Solution

This took me a while, there's a ton of posts on this that suggest enabling local profiles, logging in as the NDES service user, etc. etc., and none of them fixed the problem.

This was happening to me because when NDES starts, the first thing it does is check its RA, (Registration Authority) certificate. It’s in the local computer certificate store if you want to look at it, (or you will find it in ‘issued certificates’ on the CA of course). 

Let’s take a look at that cert’s certificate chain;

You can see my three tier PKI solution, from the top, Offline Root > Intermediate CA (Sub CA) > Issuing CA (Sub CA) > My certificate.

But if I take a look in the CRL location (General tab > Certificate Revocation Information), I found the following;

What my clients see via http

For the uninitiated these are CRL files, the ones with a ‘+’ on the end are delta CRL files, (but that’s not important here). What is important is there is no CRL for my offline root CA in there. Luckily I had it on a disk; if you don’t you will have to bring the offline root CA online (turn it on), then get a copy of the CRL. You can normally find it in C:\Windows\System32\Certsrv. If yours is not there, open ‘Certificate Services Management’ > Revoked Certificates > Publish.

Simply copy the CRL file into the CRL location;

Then I rebooted the NDES Server, (I could probably have restarted certsvc and IIS, but let’s be thorough). And the system burst into life.
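To check this from the NDES server before rebooting anything, here is an added PowerShell example (not from the original article) that builds the RA certificate's chain with online revocation checking, then fetches every CRL distribution point URL found on each certificate in the chain and reports what comes back. It assumes the RA certificates carry the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1) and sit in the local computer's Personal store.

```powershell
# Added example, not part of the original article.
# Walk the NDES RA certificate chain the way NDES does at start-up (revocation checked
# for the whole chain, online), then probe each CDP URL so a missing CRL, such as the
# offline root's, shows up as a failed fetch rather than a bare HTTP 500 from mscep_admin.
$raEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent (assumed to mark the RA certs)
$raCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $raEku }

if (-not $raCerts) { Write-Warning 'No RA certificate found in Cert:\LocalMachine\My'; return }

foreach ($ra in $raCerts) {
    Write-Host "RA certificate: $($ra.Subject)  [$($ra.Thumbprint)]"

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $ok = $chain.Build($ra)
    Write-Host ("  Chain builds cleanly: {0}" -f $ok)

    # Leaf first, root last: Issuing CA, Intermediate CA, Offline Root in the article's PKI.
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }
        Write-Host ("  {0}`n     status: {1}" -f $cert.Subject, $status)

        # CRL Distribution Points extension (OID 2.5.29.31); its formatted text carries 'URL=' entries.
        # The intermediate's CDP is what points at the offline root's CRL.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $cdp) { Write-Host '     no CDP extension (normal for a self-signed root)'; continue }
        $urls = [regex]::Matches($cdp.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }

        foreach ($url in $urls) {
            try {
                $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
                Write-Host ("     CDP {0} -> HTTP {1}, {2} bytes" -f $url, $resp.StatusCode, $resp.RawContentLength)
            } catch {
                # This is the article's failure mode: the CRL file was never copied to the CDP location.
                Write-Warning ("     CDP {0} -> {1}" -f $url, $_.Exception.Message)
            }
        }
    }
}
```

A chain element whose status reads RevocationStatusUnknown or OfflineRevocation, paired with a failed CDP fetch on the certificate below it, is the missing-CRL condition the article describes.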

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES

Cisco ASA – Enrolling for Certificates with NDES

Cisco IOS – Enrolling for Certificates with NDES

NDES – Fails to Issue Certificates (Signature Algorithm)

Event ID 53 – ‘The public key does not meet the minimum size required by the specified certificate template’

KB ID 0000967 

Problem

I’ve been doing a lot of PKI work over the last few days, testing device enrollment and NDES etc, and came across this problem being logged on my issuing/subordinate CA server;

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Event ID: 53
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Description:
Active Directory Certificate Services denied request 35 because The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH). The request was for SERIALNUMBER=4279256517 + OID.1.2.840.113549.1.9.2="sprugal.testbench.local ". Additional information: Denied by Policy Module Resubmitted by TESTBENCH\Administrator

Solution

In addition, on the server itself in the Certification Authority management console, under Failed Requests, it was showing the same error;

By default the certificate template that NDES / MSCEP uses for your network devices is called ‘IPSec (Offline request)’. I’ve cloned that and made my own called NDESTemplate, but if you take a look on the Cryptography tab you can see that the minimum key size is set to 1024.

The network devices that are attempting to enroll with my server must have a key length that is shorter than that, but how can you tell? Well, my devices are all Cisco ones (routers and firewalls). The Cisco ASA will tell you what key length it uses, but there is no command in router IOS to tell me. However, if you use PuTTY to open an SSH session to the device, it will tell you.

In the example below, the key length on this device is 2048 so that should be fine;

But this one is only 768 bits long! This device would generate the sort of errors I’m seeing on my Windows server.

So how do you fix the problem on the device? If you have not got your trustpoint set up, then simply issue the following commands;

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
R1(config)#
*Jul 11 14:26:50.619: %SSH-5-DISABLED: SSH 1.99 has been disabled
R1(config)#

[/box]

If you have set up a trustpoint, simply remove the trustpoint, and that removes all the keys as well;

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no crypto pki trustpoint PNL-TRUSTPOINT
NOTE YOUR TRUSTPOINT WILL HAVE A DIFFERENT NAME!!

% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

No enrollment sessions are currently active.

R1(config)#

[/box]

Related Articles, References, Credits, or External Links

NA

NDES – Fails to Issue Certificates (Signature Algorithm)

KB ID 0001021 

Problem

I was trying to enroll some ASA firewalls to NDES to get some certificates. Each time the process failed with the following error.

[box]

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

[/box]

That’s a pretty generic error, and does not give me a lot to go on. So I thought I would try from another network device, (a Cisco Catalyst switch). It’s a little easier to ‘debug’ the process in IOS rather than on the ASA, so that’s what I did.


[box]

Enable NDES Debugging 

Petes-Router# debug crypto pki messages
Crypto PKI Msg debugging is on
Petes-Router# debug crypto pki transactions
Crypto PKI Trans debugging is on
Petes-Router#

[/box]

The switch failed with the same error as the firewall but at least now I had some debugging information.

[box]

Petes-Router# show logg

Jan 4 10:31:11.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/21, 
changed state to up
Jan 4 10:32:40.648: CRYPTO_PKI: pki request queued properly
Jan 4 10:32:40.648: CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=PNL-Trustpoint HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.100

Jan 4 10:32:40.648: CRYPTO_PKI: locked trustpoint PNL-Trustpoint, refcount is 1
Jan 4 10:32:40.656: CRYPTO_PKI: http connection opened
Jan 4 10:32:40.656: CRYPTO_PKI: Sending HTTP message

Jan 4 10:32:40.656: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.100

Jan 4 10:32:40.656: CRYPTO_PKI: unlocked trustpoint PNL-Trustpoint, refcount is 0
Jan 4 10:32:40.656: CRYPTO_PKI: locked trustpoint PNL-Trustpoint, refcount is 1
Jan 4 10:32:40.673: CRYPTO_PKI: unlocked trustpoint PNL-Trustpoint, refcount is 0
Jan 4 10:32:40.673: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 7946
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/8.5
Date: Wed, 07 Jan 2015 10:30:36 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

Jan 4 10:32:40.673: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=PNL-Trustpoint)

Jan 4 10:32:40.673: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : 
signature algorithm not supported): crypto_certc_pkcs7_extract_certs_and_crls failed
Jan 4 10:32:40.673: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : 
signature algorithm not supported): crypto_pkcs7_extract_ca_cert returned
Jan 4 10:32:40.673: CRYPTO_PKI: Unable to read CA/RA certificates.
Jan 4 10:32:40.673: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Jan 4 10:32:40.673: CRYPTO_PKI: transaction GetCACert completed
Petes-Router#
[/box]

So we are getting the CA cert and the RA cert from the NDES server but we can’t read them.

Here’s the slightly less descriptive debug from the ASA firewall.

[box]
Petes-ASA(config)# debug crypto ca transactions
Petes-ASA(config)# crypto ca authenticate PNL-Trustpoint

ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0
Petes-ASA(config)# show logg
crypto_certc_pkcs7_extract_certs_and_crls failed (1826):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1826

Petes-ASA(config)#
[/box]

Solution

I really struggled with this one, the bottom line is the Cisco device can’t read the certificates, and the reason it can’t is actually shown above;

E_SIGNATURE_ALG_NOT_SUPPORTED

What this is telling us is that the signature algorithm that Windows Certificate Services is using cannot be understood by the Cisco network devices. At first I thought it might be because I was using Windows Server 2012 R2, and it might have some new security feature.

So I built a test Server in VMware Workstation, and presented an ASA and router to it from GNS3 and it worked first time, (annoyingly). When I looked at the certificates and compared them, and took into account the debug above, I spotted the difference.

If the signature algorithm is set to sha1RSA it works; if it’s set to RSASSA-PSS it fails. To compound my problem even further I have a three tier PKI deployment with an offline root, an intermediate (Sub CA), and an issuing CA (Sub CA). And the signature algorithm needs to be correct for EVERY CERTIFICATE IN THE CERTIFICATE PATH (CHAIN).

Why Has This Happened?

Basically, when the offline root was created, I followed the instructions for deploying an offline CA on TechNet. Before you even install the role, Microsoft recommend you create a CApolicy.inf file with the following line in it;

[box]AlternateSignatureAlgorithm=1[/box]

It says that this signature algorithm is more secure, but it’s not compatible with Windows XP. What IT DOES NOT SAY is that it’s incompatible with Cisco devices wanting to get certificates from NDES!

Note: Executing the following command also enables this;

[box]

Certutil -setreg CA\CSP\AlternateSignatureAlgorithm 1

[/box]

What this does is change a registry value; you can revert it by carrying out the following steps;

1. Open regedit and Navigate to;

[box]HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration > {SERVER-NAME} > CSP[/box]

2. Locate the AlternateSignatureAlgorithm value and change it to 0 (zero).

3. Open a command window as administrator > Restart certificate services.

From this point forward, all new certificates issued by this CA will use the older signature algorithm. So if you renew the CA Certificate the new one will be fine.

WARNING: When renewing the CA Cert MAKE SURE YOU DO NOT generate new keys (or previously issued certificates may stop working!)

If you only have one certificate server you can then simply remove NDES.

Then delete the RA certificates used for NDES.

When NDES is reinstalled the new RA certs will use the correct signature algorithm.
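To confirm the fix from the server side without a router, here is an added PowerShell example (not from the original article). It requests the CA/RA bundle over SCEP GetCACert exactly as the Cisco debug above shows the device doing, decodes the PKCS#7 response and prints the signature algorithm of every certificate in it, flagging RSASSA-PSS; optionally it reads the AlternateSignatureAlgorithm registry value when run on the CA. The NDES host name and CA name are placeholders; the message value is the trustpoint name the device sent in the debug.

```powershell
# Added example, not part of the original article.
# Pull the same application/x-x509-ca-ra-cert blob the router/ASA receives and
# check each certificate's signature algorithm, since every certificate in the
# path (issuing CA, intermediate, root, and the RA certs) has to avoid RSASSA-PSS.
param(
    [string]$NdesHost = 'ndes.testbench.local',   # placeholder: your NDES server
    [string]$CaName   = ''                        # optional: the CA name, i.e. {SERVER-NAME} under Configuration
)
Add-Type -AssemblyName System.Security

$pssOid = '1.2.840.113549.1.1.10'   # RSASSA-PSS, the algorithm the Cisco devices reject
$url = "http://$NdesHost/CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=PNL-Trustpoint"

$wc = New-Object System.Net.WebClient
$bytes = $wc.DownloadData($url)
Write-Host ("GetCACert -> {0} bytes, Content-Type {1}" -f $bytes.Length, $wc.ResponseHeaders['Content-Type'])

# The response is a degenerate PKCS#7 SignedData that carries only certificates (no signers).
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode($bytes)

$bad = 0
foreach ($cert in $cms.Certificates) {
    $alg = $cert.SignatureAlgorithm
    $flag = ''
    if ($alg.Value -eq $pssOid) { $bad++; $flag = '   <-- E_SIGNATURE_ALG_NOT_SUPPORTED on IOS/ASA' }
    Write-Host ("{0}`n    issued by: {1}`n    signature: {2} ({3}){4}" -f $cert.Subject, $cert.Issuer, $alg.FriendlyName, $alg.Value, $flag)
}
Write-Host ("{0} certificate(s) returned, {1} signed with RSASSA-PSS" -f $cms.Certificates.Count, $bad)

# Only meaningful when run on the CA itself: the value the article tells you to set back to 0.
if ($CaName) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\CSP"
    $val = (Get-ItemProperty -Path $key -Name AlternateSignatureAlgorithm -ErrorAction SilentlyContinue).AlternateSignatureAlgorithm
    if ($null -eq $val) { $val = 'not set' }
    Write-Host ("AlternateSignatureAlgorithm on CA '{0}': {1}" -f $CaName, $val)
}
```

Any certificate in the output still reporting RSASSA-PSS after the registry change is one that has not been renewed yet, which in a multi-tier PKI means working back up the chain as the next section describes.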

What If You Have a Two or Three Tier PKI Deployment

If like me you have a multi tiered PKI deployment, you need to go all the way back to the Root CA > Fix that > Reissue all the Sub CA certs down the certificate path fixing each tier as you go.

Here’s the process I used, (use at your own risk, and I accept no responsibility if you trash your PKI environment).

Related Articles, References, Credits, or External Links

NA

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES

KB ID 0000970

Problem

I’ve covered setting up NDES at length in the past, but what happens when your issued certificates expire? If you are using them for all your VPNs, what then? Well, thankfully you can get your devices to automatically re-enroll before they expire. For example, to renew the cert at 80% of its lifetime you would use the following;

[box]

crypto pki trustpoint PNL-TRUSTPOINT
enrollment url http://123.123.123.130/CertSrv/mscep/mscep.dll
usage ike
serial-number
ip-address 123.123.123.90
enrollment mode ra
revocation-check none
enrollment retry count 100
enrollment retry period 5
fqdn RTR2hr.testbench.local
rsakeypair PNL-TRUSTPOINT 2048
auto-enroll 80 regenerate

[/box]

However, there is a problem: if you are using Server 2008 there’s a hot-fix (and you need to make the following change as well). I’m on Server 2012 and mine was failing.

Solution

1. On the server running the NDES Server role > Open the registry editor and navigate to;

[box]
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
[/box]

Create a new 32bit DWORD Value called DisableRenewalSubjectNameMatch and set its value to 1 (one).

2. Also ensure the certificate template that you are using for NDES has the following settings. Here I’m using a custom template called NDESTemplate; if you are using the default one it will be called ‘IPSec (Offline request)’. On the Subject Name tab make sure ‘Supply in the request’ is selected.

3. On the ‘Issuance Requirements’ tab, ensure ‘CA certificate manager approval’ is NOT selected.
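Here is an added PowerShell example (not from the original articles) that checks the settings this article and the Event ID 53 article above both depend on: it reads the NDES template from Active Directory and verifies the minimum key size against the key length your device reported, that ‘Supply in the request’ is set, that ‘CA certificate manager approval’ is not set, and then reads the DisableRenewalSubjectNameMatch value on the NDES server. It assumes a domain-joined machine; the template name and device key length are parameters, and the bit values for the two flag attributes are the standard template flag definitions.

```powershell
# Added example, not part of the original articles.
# Template attributes checked (standard msPKI-* flag definitions):
#   msPKI-Minimal-Key-Size            Event ID 53 / CERTSRV_E_KEY_LENGTH when the device key is shorter
#   msPKI-Certificate-Name-Flag 0x1   'Supply in the request' on the Subject Name tab
#   msPKI-Enrollment-Flag       0x2   'CA certificate manager approval' on Issuance Requirements
param(
    [string]$TemplateName = 'NDESTemplate',   # the article's clone of 'IPSec (Offline request)'
    [int]$DeviceKeyBits   = 2048              # key length shown by the router/ASA
)

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$CT_FLAG_PEND_ALL_REQUESTS        = 0x2

# Certificate templates live in the forest configuration partition.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
$result = $searcher.FindOne()
if (-not $result) { Write-Warning "Template '$TemplateName' not found"; return }

$t = $result.Properties
$minKey   = [int]$t['mspki-minimal-key-size'][0]
$nameFlag = [int]$t['mspki-certificate-name-flag'][0]
$enrFlag  = [int]$t['mspki-enrollment-flag'][0]

$findings = @()
if ($DeviceKeyBits -lt $minKey) {
    $findings += "device key is $DeviceKeyBits bits but the template requires $minKey (expect Event ID 53); regenerate the device keys"
}
if (-not ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) {
    $findings += "Subject Name is not set to 'Supply in the request'"
}
if ($enrFlag -band $CT_FLAG_PEND_ALL_REQUESTS) {
    $findings += "'CA certificate manager approval' is enabled; device requests will sit pending"
}

# Only meaningful on the NDES server itself; elsewhere this simply reports the value as missing.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$renew = (Get-ItemProperty -Path $mscep -Name DisableRenewalSubjectNameMatch -ErrorAction SilentlyContinue).DisableRenewalSubjectNameMatch
if ($renew -ne 1) {
    $findings += "DisableRenewalSubjectNameMatch is not 1 under $mscep (auto re-enrollment will fail)"
}

Write-Host ("Template '{0}': minimum key {1} bits, name flags 0x{2:X}, enrollment flags 0x{3:X}" -f $TemplateName, $minKey, $nameFlag, $enrFlag)
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All checks passed' }
```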


Related Articles, References, Credits, or External Links

NA

Event ID 29

KB ID 0001032 

Problem

Seen on a Microsoft Certificate Services server running NDES.

Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Date: 04/02/2015 11:22:26
Event ID: 29
Task Category: None
Level: Error
Keywords:
User: PETENETLIVESVC_NDES
Computer: PNLPKI00v.petenetlive.com
Description:
The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.

Solution

I got this error every time a network device tried to enroll with the NDES server. You are seeing this error because the NDES server is expecting the password that is generated by visiting this URL: http://{hostname-of-NDES-Server}/Certsrv/mscep_admin

Normally I disable the password requirement when I build NDES, this time I’d simply forgotten. To disable the password requirement, follow this process.

Related Articles, References, Credits, or External Links

NA

GNS3 – Routers Lose their Certificates When Restarted

KB ID 0000955 

Problem

I was doing some work with PKI and routers today, and after spending ages enrolling all my routers for certificates, I thought I’d save my hard work and return to it later. When I started the project up again, I was less than happy: all the devices’ certificates had ‘disappeared’!

Solution

This is default behavior, to change this select Edit > Preferences > Dynamips > Locate ‘Automatically clean the working directory’ and DESELECT it > Apply >OK.

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Enrolling for Certificates with NDES

KB ID 0000948

Problem

To get your Cisco Router or Switch to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.

Solution

When dealing with certificates, it’s important that your device is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Setting IOS Time (Manually and via NTP)

1. Choose either of the options below, (as applicable). Note: I’m in the UK so my time is GMT, and I need to allow for daylight saving time, (so your settings may vary depending on your locale).

[box]

Setting Time Manually

Petes-RTR(config)#clock timezone GMT 0
Petes-RTR(config)#clock summer-time BST recurring last Sunday March 01:00 last Sunday October 01:00
Petes-RTR(config)#exit
Petes-RTR#clock set 10:47:00 Apr 30 2014
Petes-RTR#show clock
10:47:05.499 BST Wed Apr 30 2014
Petes-RTR#

Setting Time via NTP

Petes-RTR#show clock
*15:36:38.383 PCTime Mon Feb 16 2009
Petes-RTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-RTR(config)#ntp server 87.124.126.49
APPLY THE 'CUP Of COFFEE RULE'

Petes-RTR#show clock
10:09:52.437 PCTime Wed Apr 30 2014
Petes-RTR#

[/box]

Enrolling via NDES

1. Make sure the device can contact the NDES server, (simply pinging it should suffice). Then set a hostname and domain name. These are required to generate an RSA Key-pair on the device before we start.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local
RTR-1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: RTR-1.testbench.local

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

RTR-1(config)#
*Mar 1 01:01:47.491: %SSH-5-ENABLED: SSH 1.99 has been enabled

[/box]

2. Create a set of CA settings (a trustpoint), then authenticate to it.

[box]

RTR-1(config)#crypto pki trustpoint PNL-TRUSTPOINT
RTR-1(ca-trustpoint)# enrollment url http://192.168.80.130/CertSrv/mscep/mscep.dll
RTR-1(ca-trustpoint)#enrollment mode ra
RTR-1(ca-trustpoint)#revocation-check crl
RTR-1(ca-trustpoint)#enrollment retry count 3
RTR-1(ca-trustpoint)#enrollment retry period 5
RTR-1(ca-trustpoint)#fqdn RTR-1.testbench.local

RTR-1(ca-trustpoint)#exit
RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
Certificate has the following attributes:
Fingerprint MD5: 0454B8F4 73374DE8 2FB034CB B887B1D4
Fingerprint SHA1: 2A542238 0CF3856B D0EF3E1A CBB57003 21C114F5

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
RTR-1(config)#
[/box]

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.

http://{IP-or-name-of-NDES-server}/CertSrv/mscep_admin

This is the password you need to enter.

If it looks like (below), then password enforcement has been disabled, and you can skip the next step.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password 24033E4BFF217D60

[/box]

4. Enroll for a certificate.

[box]

RTR-1(config)#crypto pki enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

% The subject name in the certificate will include: RTR-1.testbench.local
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX0945W0MY
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate PNL-TRUSTPOINT verbose' command will show the fingerprint.

RTR-1(config)#
May 14 10:46:46.479: CRYPTO_PKI: Certificate Request Fingerprint MD5: 25E06B18 2BF6E2B7 780AA427 89AB9A15
May 14 10:46:46.483: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 044725E7 B34F6AF8 EFB4C28B 8E7CE192 230BDC9E
RTR-1(config)#
May 14 10:46:47.875: %PKI-6-CERTRET: Certificate received from Certificate Authority
RTR-1(config)#

[/box]

5. If you have a look on the Certificate Server you will also see that the certificate has been issued.

Oh Crap! It went wrong?

Possible errors you might see;

Error 1

[box]

RTR-1(config)#crypto key generate rsa modulus 2048
% Please define a domain-name first.

[/box]

To be honest, it couldn’t be more descriptive! You can’t generate an RSA key-pair without a hostname, and a domain name.

[box]

R1(config)#hostname RTR-1
RTR-1(config)#ip domain-name testbench.local

[/box]

Error 2

[box]

RTR-1(config)#crypto pki authenticate PNL-TRUSTPOINT
% Error in saving certificate: status = FAIL

RTR-1(config)#%CRYPTO_PKI: Cert not yet valid or is expired -
start date: 13:18:46 UTC May 12 2014
end date: 13:28:46 UTC May 12 2019

[/box]

Certificates are time specific: make sure the device has its clock set correctly, (preferably via NTP), and that the time on the Certificate Services server is set correctly too.

Windows – Setting Domain Time

Remember: We set the device to check the Certificate Servers CRL, make sure that’s setup properly, and the device can resolve its name.

Windows Certificate Services – Setting up a CRL

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES


Cisco ASA – Enrolling for Certificates with NDES

KB ID 0000948

Problem

To get your ASA 5500 firewall to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.

Solution

When dealing with certificates, it’s important that your firewall is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Cisco ASA – Configuring for NTP

1. Make sure the firewall can contact the NDES server, below I ping its IP address (192.168.1.10) . Then set a hostname and domain name for the firewall. These are required to generate an RSA Key-pair on the firewall before we start.

[box]

Petes-ASA# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.80.130, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Petes-ASA# configure terminal
Petes-ASA(config)# hostname Firewall
Firewall(config)# domain-name testbench.local
Firewall(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Firewall(config)#

[/box]

2. Create a set of CA settings (a trustpoint), then authenticate to it.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# enrollment url http://192.168.1.10/CertSrv/mscep/mscep.dll
Firewall(config-ca-trustpoint)# revocation-check crl
Firewall(config-ca-trustpoint)# enrollment retry count 3
Firewall(config-ca-trustpoint)# enrollment retry period 5
Firewall(config-ca-trustpoint)# fqdn Firewall.testbench.local
Firewall(config-ca-trustpoint)# crypto ca authenticate PNL-TRUSTPOINT

INFO: Certificate has the following attributes:
Fingerprint: 0454b8f4 73374de8 2fb034cb b887b1d4
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

[/box]

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.

http://{IP-or-name-of-NDES-server}/CertSrv/mscep_admin

This is the password you need to enter.

If it looks like (below), then password enforcement has been disabled, and you can skip the next step.

[box]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password EC4C68382A504339

[/box]

4. Enroll for a certificate.

[box]

Firewall(config)# crypto ca enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

IF YOU SUPPLIED A PASSWORD YOU WILL NOT BE ASKED THE FOLLOWING
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The fully-qualified domain name in the certificate will be: Firewall.testbench.local

% Include the device serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 123456789AB

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
Firewall(config)# The certificate has been granted by CA!

Firewall(config)#

[/box]

5. If you have a look on the Certificate Server you will also see that the certificate has been issued.

Remember: We set the device to check the Certificate Servers CRL, make sure that’s setup properly, and the device can resolve its name.

Windows Certificate Services – Setting up a CRL

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES


Cisco AnyConnect – Securing with Microsoft Certificate Services

Part 2 (How to Configure AnyConnect)

KB ID 0001031

Problem

Back in Part 1 We configured the Microsoft Certificate Services to meet our certificate needs. Now we configure the firewall for AnyConnect.

Solution

1. Log onto the ASA > Go to global configuration Mode.

[box]

login as: petelong
petelong@192.168.100.1's password:**********
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. Enable domain DNS Lookup inside, (for CRL lookups).

[box]

Petes-ASA(config)# dns domain-lookup inside
Petes-ASA(config)# dns server-group DefaultDNS
Petes-ASA(config-dns-server-group)# name-server 192.168.1.10
Petes-ASA(config-dns-server-group)# exit
Petes-ASA(config)#

[/box]

3. Enable NTP Time sync (here I’m using an external IP in the UK).

[box]

Petes-ASA(config)# ntp server 130.88.212.143 source outside

[/box]

4. Copy over AnyConnect Image, from a TFTP server.

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [] 192.168.100.10

Source filename [] anyconnect-win-3.1.06079-k9.pkg

Destination filename [anyconnect-win-3.1.06079-k9.pkg]{Enter}

Accessing tftp://192.168.100.10/anyconnect-win-3.1.06079-k9.pkg...!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.06079-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

37984585 bytes copied in 69.650 secs (550501 bytes/sec)

[/box]

5. Set up AnyConnect. I’ve covered this before here if you want to know what all these commands are for.

[box]

Petes-ASA(config)# ip local pool AnyConnect-Pool 172.16.1.1-172.16.1.254 mask 255.255.255.0
Petes-ASA(config)# object network Obj-AnyConnect-Subnet
Petes-ASA(config-network-object)# subnet 172.16.1.0 255.255.255.0
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg
Petes-ASA(config-webvpn)# anyconnect enable
Petes-ASA(config-webvpn)# exit
Petes-ASA(config)# username testuser password Password1
Petes-ASA(config)# access-list Split-Tunnel permit 192.168.100.0 255.255.255.0
Petes-ASA(config)# group-policy AnyConnectProfile internal
Petes-ASA(config)# group-policy AnyConnectProfile attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 192.168.100.10
Petes-ASA(config-group-policy)# wins-server none
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
Petes-ASA(config-group-policy)# default-domain value petenetlive.com
Petes-ASA(config-group-policy)# exit
Petes-ASA(config)# tunnel-group AnyConnectProfile type remote-access
Petes-ASA(config)# tunnel-group AnyConnectProfile general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy AnyConnectProfile
Petes-ASA(config-tunnel-general)# address-pool AnyConnect-Pool
Petes-ASA(config-tunnel-general)# tunnel-group AnyConnectProfile webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias AnyConnectProfile enable
Petes-ASA(config-tunnel-webvpn)# exit
Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static Subnet Obj-AnyConnect-Subnet no-proxy-arp route-lookup

[/box]

6. Set the ASA to get a cert from NDES, start by generating an RSA key pair.

[box]

Petes-ASA(config)# crypto key generate rsa label PNL-Key modulus 2048 noconfirm

[/box]

7. Set up a certificate trustpoint (Note: mine checks CRLs; if you do the same, make sure your PKI deployment has CRL locations set up and configured properly).

[box]

Petes-ASA(config)# crypto ca trustpoint PNL-Trustpoint
Petes-ASA(config-ca-trustpoint)# enrollment url http://192.168.100.11/certsrv/mscep/mscep.dll
Petes-ASA(config-ca-trustpoint)# revocation-check crl
Petes-ASA(config-ca-trustpoint)# keypair PNL-Key
Petes-ASA(config-ca-trustpoint)# id-usage ssl-ipsec
Petes-ASA(config-ca-trustpoint)# enrollment retry count 3
Petes-ASA(config-ca-trustpoint)# enrollment retry period 5
Petes-ASA(config-ca-trustpoint)# fqdn vpn.petenetlive.com
Petes-ASA(config-ca-trustpoint)# subject-name CN=vpn.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,L=Middlesbrough,EA=pl@petenetlive.com

[/box]

8. Get your CA certificate from NDES (Note: If you have multiple issuing servers then you may need to manually import the CA certs for them later, or some clients will work and others won’t, depending on which issuing CA issued the computer or user certificates! Good luck troubleshooting that if you forget!)

[box]

Petes-ASA(config-ca-trustpoint)# crypto ca authenticate PNL-Trustpoint 


INFO: Certificate has the following attributes:
Fingerprint: cc528d62 112a5704 bd444535 53353d0e
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.
Petes-ASA(config)#

[/box]

9. Get the identity certificate for the ASA (this will be created from either the ‘IPSEC (Offline request)’ template, or your custom one if you changed it).

[box]

Petes-ASA(config)# crypto ca enroll PNL-Trustpoint

Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********

% The subject name in the certificate will be: CN=vpn.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,L=Middlesbrough,EA=pl@petenetlive.com

% The fully-qualified domain name in the certificate will be: vpn.petenetlive.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
Petes-ASA(config)#

[/box]

10. You can take a look at your running config and you should now see two certificates (big blocks of hex code). Or simply go to the Certificate Services server and see if the cert was issued.

Or you can look in the ASDM.

11. Enable the cert on the outside interface.

[box]Petes-ASA(config)# ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes$
Petes-ASA(config)# ssl trust-point PNL-Trustpoint outside[/box]

12. Finally change the AnyConnect profile to now use certificate authentication.

[box]

Petes-ASA(config)# tunnel-group AnyConnectProfile webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# authentication certificate
Petes-ASA(config-tunnel-webvpn)# exit

[/box]

13. Don’t forget to save the changes.

[box]

Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 063a55a7 0ddf34dd a80373cd 0bc5e269

11299 bytes copied in 1.330 secs (11299 bytes/sec)
[OK]
Petes-ASA(config)#

[/box]

14. Take a client with the correct certificates on to an external Internet connection and test.

15. To make the connection seamless (without any user intervention), add a group-url, and disable ‘tunnel-group-list’.

[box]

Petes-ASA(config)# tunnel-group AnyConnectProfile webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-url https://vpn.petenetlive.com enable
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# no tunnel-group-list enable

[/box]

AnyConnect Client Profiles

Now if you have been following along from the beginning, you will remember my client wants an ‘always on’ connection, and they want to allow ‘local LAN’ access to the remote client. This is done by configuring an ‘AnyConnect Client Profile’. This has to be done from the ASDM.

Open the ASDM and navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Add > Name the profile and assign it to your AnyConnect Group Policy.

Note: Here is where you specify ‘always on’.

Note: If you cannot see this option make sure you have an AnyConnect software package loaded into the firewall.

You can now select and open this profile, and a separate profile editor window will open, where you can allow LAN access, specify reconnect, and get the connection to auto-connect.

Related Articles, References, Credits, or External Links

NA