PIX 525 does not authenticate Windows 2000 CA

Post by Michel Ad » Fri, 23 Jan 2004 01:54:10



I've set up a Windows 2000 CA and installed MSCEP from the Resource Kit.

Here's my config:

ca identity cavpn <IP_Address_of-ca>:/certsrv/mscep/mscep.dll
ca configure cavpn ra 1 20 crlopt

When I try ca auth cavpn nothing happens; I don't get the CA certificate.

Here's an output from debug packet:

PIX525(config)# ca auth ravpn

--------- PACKET ---------
-- IP --
<PIX IP ADDRESS>   ==>     <CA IP ADDRESS>

        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x81
        id = 0x8902     flags = 0x0     frag off=0x0
        ttl = 0xff      proto=0x6       chksum = 0xe3e

        -- TCP --
                source port = 0x422     dest port = 0x50        ack psh

                seq = 0x42051996
                ack = 0x2e9b0773
                hlen = 0x5              window = 0x1000
                checksum = 0x53c8       urg = 0x0
        -- DATA --
                00000028: 47 45 54 20 2f 63 65 72 74 73 72 76 2f 6d 73 63  |  GET /certsrv/msc
                00000038: 65 70 2f 6d 73 63 65 70 2e 64 6c 6c 2f 70 6b 69  |  ep/mscep.dll/pki
                00000048: 63 6c 69 65 6e 74 2e 65 78 65 3f 6f 70 65 72 61  |  client.exe?opera
                00000058: 74 69 6f 6e 3d 47 65 74 43 41 43 65 72 74 26 6d  |  tion=GetCACert&m
PIX525(config)# --------- PACKET ---------

-- IP --
<CA IP ADDRESS>    ==>     <PIX IP ADDRESS>

        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x126
        id = 0x1157     flags = 0x40    frag off=0x0
        ttl = 0x7f      proto=0x6       chksum = 0xc544

        -- TCP --
                source port = 0x50      dest port = 0x422       ack psh

                seq = 0x2e9b0773
                ack = 0x420519ef
                hlen = 0x5              window = 0x4417
                checksum = 0x59fd       urg = 0x0
        -- DATA --
                00000020:                         48 54 54 50 2f 31 2e 31  |          HTTP/1.1
                00000030: 20 34 30 34 20 4f 62 6a 65 63 74 20 4e 6f 74 20  |   404 Object Not 
                00000040: 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 4d  |  Found..Server: M
                00000050: 69 63 72 6f 73 6f 66 74 2d 49 49 53 2f 35 2e 30  |  icrosoft-IIS/5.0
                00000060: 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 31 20  |  ..Date: Wed, 21 
                00000070: 4a 61 6e 20 32 30 30 34 20 31 36 3a 34 39 3a 32  |  Jan 2004 16:49:2
                00000080: 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54  |  0 GMT..Content-T

and an output of debug crypto ca:

CRYPTO_PKI: status = 266: failed to verify
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!

I tried, from Internet Explorer, to reach the URL:

http://CA_IP_ADDRESS/certsrv/mscep/mscep.dll/pkiclient.exe?operation=...

I get the CA certificate!

Any help will be welcome.

Thank you


PIX 525 does not authenticate Windows 2000 CA

Post by Richard Sanderso » Fri, 23 Jan 2004 05:11:54


Hi,

Have you set the CA to automatically issue a cert? I think I had to do
this to get it to work.

Rich


Quote:>I've set up a Windows 2000 CA and installed MSCEP from the Resource Kit.

>Here's my config:

>ca identity cavpn <IP_Address_of-ca>:/certsrv/mscep/mscep.dll
>ca configure cavpn ra 1 20 crlopt

>When I try ca auth cavpn nothing happens; I don't get the CA certificate.

>Here's an output from debug packet:

>PIX525(config)# ca auth ravpn

>--------- PACKET ---------
>-- IP --
><PIX IP ADDRESS>   ==>     <CA IP ADDRESS>

>        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x81
>        id = 0x8902     flags = 0x0     frag off=0x0
>        ttl = 0xff      proto=0x6       chksum = 0xe3e

>        -- TCP --
>                source port = 0x422     dest port = 0x50        ack psh

>                seq = 0x42051996
>                ack = 0x2e9b0773
>                hlen = 0x5              window = 0x1000
>                checksum = 0x53c8       urg = 0x0
>        -- DATA --
>                00000028: 47 45 54 20 2f 63 65 72 74 73 72 76 2f 6d 73 63  |  GET /certsrv/msc
>                00000038: 65 70 2f 6d 73 63 65 70 2e 64 6c 6c 2f 70 6b 69  |  ep/mscep.dll/pki
>                00000048: 63 6c 69 65 6e 74 2e 65 78 65 3f 6f 70 65 72 61  |  client.exe?opera
>                00000058: 74 69 6f 6e 3d 47 65 74 43 41 43 65 72 74 26 6d  |  tion=GetCACert&m
>PIX525(config)# --------- PACKET ---------

>-- IP --
><CA IP ADDRESS>    ==>     <PIX IP ADDRESS>

>        ver = 0x4       hlen = 0x5      tos = 0x0       tlen = 0x126
>        id = 0x1157     flags = 0x40    frag off=0x0
>        ttl = 0x7f      proto=0x6       chksum = 0xc544

>        -- TCP --
>                source port = 0x50      dest port = 0x422       ack psh

>                seq = 0x2e9b0773
>                ack = 0x420519ef
>                hlen = 0x5              window = 0x4417
>                checksum = 0x59fd       urg = 0x0
>        -- DATA --
>                00000020:                         48 54 54 50 2f 31 2e 31  |          HTTP/1.1
>                00000030: 20 34 30 34 20 4f 62 6a 65 63 74 20 4e 6f 74 20  |   404 Object Not 
>                00000040: 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 4d  |  Found..Server: M
>                00000050: 69 63 72 6f 73 6f 66 74 2d 49 49 53 2f 35 2e 30  |  icrosoft-IIS/5.0
>                00000060: 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 31 20  |  ..Date: Wed, 21 
>                00000070: 4a 61 6e 20 32 30 30 34 20 31 36 3a 34 39 3a 32  |  Jan 2004 16:49:2
>                00000080: 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54  |  0 GMT..Content-T

>and an output of debug crypto ca:

>CRYPTO_PKI: status = 266: failed to verify
>CRYPTO_PKI: transaction GetCACert completed
>Crypto CA thread sleeps!

>I tried, from Internet Explorer, to reach the URL:

>http://CA_IP_ADDRESS/certsrv/mscep/mscep.dll/pkiclient.exe?operation=...

>I get the CA certificate!

>Any help will be welcome.

>Thank you



PIX 525 does not authenticate Windows 2000 CA

Post by Masud Re » Fri, 23 Jan 2004 23:43:52



> Hi,

> Have you set the CA to automatically issue a cert? I think I had to do
> this to get it to work.

> Rich

Hi:

I do not think that setting the CA to automatically issue a
certificate is the correct answer to this particular problem.

In production, do you really want to issue a certificate to ANY request
that you receive from ANYwhere???

Check if you are using the correct cepsetup.exe file. One is for the
win2000 server and one is for win2003 server.

The command 'ca authenticate' is not supposed to get you a certificate
anyway. This command is for the authentication of your CA. You should
see the 'fingerprint' of the CA, which is an MD5 hash of the CA root
certificate. You are then supposed to compare this fingerprint with
the CA using an alternative method (getting the fingerprint via a
secure mechanism, e.g. via https).

The ca enroll command will then make a request for the certificate and
successfully get you one if the rest of the configuration is ok.

Check out this URL (mind the wrap):

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_g...

Masud
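Masud's description of what 'ca authenticate' actually checks, carried through in code as an added example (this is not code from the thread, from Cisco or from Microsoft). The GetCACert reply travels over plain HTTP, so nothing about the transport makes the certificate trustworthy; the only thing that does is that the MD5 fingerprint of the returned DER certificate equals one the operator obtained by a separate, secure route. The example also covers the two response shapes SCEP defines for GetCACert (a bare DER certificate, or, when an RA such as MSCEP fronts the CA, a certs-only PKCS#7 carrying both the CA and the RA certificate) and the HTTP 404 failure visible in the packet dump above. The certificate bytes, fingerprints and HTTP responses are constructed test data, not a real CA; the DER walker is deliberately minimal.

```python
"""Fingerprint check behind SCEP 'ca authenticate': the CA certificate arrives
over plain HTTP, so trust it only if its MD5 fingerprint matches one obtained
out of band. Added example (not code from the thread, Cisco or Microsoft);
certificates, fingerprints and HTTP responses below are constructed test data."""
import hashlib
import hmac

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


class CAAuthError(Exception):
    """Raised when the returned CA certificate must not be trusted."""


# --- minimal DER helpers, enough for a certs-only PKCS#7 SignedData ---------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def parse_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def certs_only_pkcs7(certs):
    """Shape of an RA-fronted GetCACert reply (application/x-x509-ca-ra-cert):
    a degenerate SignedData carrying the CA and RA certificates, nothing else."""
    signed = (tlv(0x02, b"\x01")                 # version
              + tlv(0x31, b"")                   # digestAlgorithms: empty SET
              + tlv(0x30, tlv(0x06, OID_DATA))   # encapContentInfo: id-data
              + tlv(0xA0, b"".join(certs))       # [0] IMPLICIT certificates
              + tlv(0x31, b""))                  # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, signed)))


def certs_from_pkcs7(blob):
    """Return every certificate (whole DER TLV) found in a certs-only PKCS#7."""
    _, content_info, _ = parse_tlv(blob, 0)
    tag, oid, pos = parse_tlv(content_info, 0)
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise CAAuthError("response is not PKCS#7 signedData")
    _, explicit, _ = parse_tlv(content_info, pos)
    _, signed, _ = parse_tlv(explicit, 0)
    certs, pos = [], 0
    while pos < len(signed):
        tag, val, pos = parse_tlv(signed, pos)
        if tag == 0xA0:                           # the [0] certificates field
            p = 0
            while p < len(val):
                start = p
                _, _, p = parse_tlv(val, p)
                certs.append(val[start:p])
    return certs


def md5_fingerprint(der_cert):
    """What 'ca authenticate' displays: MD5 over the DER-encoded certificate."""
    return hashlib.md5(der_cert).hexdigest()


def parse_http_response(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    return int(lines[0].split()[1]), headers, body


def authenticate_ca(raw_response, trusted_fingerprint):
    """Return the CA certificate only if its fingerprint equals the one the
    operator obtained out of band (e.g. over HTTPS); otherwise refuse."""
    status, headers, body = parse_http_response(raw_response)
    if status != 200:             # the thread's '404 Object Not Found' case
        raise CAAuthError(f"GetCACert failed: HTTP {status}")
    ctype = headers.get("content-type", "")
    if ctype == "application/x-x509-ca-cert":         # bare DER CA cert
        candidates = [body]
    elif ctype == "application/x-x509-ca-ra-cert":    # PKCS#7 with CA + RA
        candidates = certs_from_pkcs7(body)
    else:
        raise CAAuthError(f"unexpected Content-Type {ctype!r}")
    want = trusted_fingerprint.replace(":", "").replace(" ", "").lower()
    for der in candidates:
        if hmac.compare_digest(md5_fingerprint(der), want):
            return der
    raise CAAuthError("no returned certificate matches the trusted fingerprint")


# --- constructed test data (not real X.509; the fingerprint math is the same) --
CA_CERT = tlv(0x30, b"constructed stand-in for the CA certificate")
RA_CERT = tlv(0x30, b"constructed stand-in for the RA certificate")


def http_response(status_line, ctype, body):
    return (f"HTTP/1.1 {status_line}\r\nServer: Microsoft-IIS/5.0\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n").encode() + body


GOOD_REPLY = http_response("200 OK", "application/x-x509-ca-ra-cert",
                           certs_only_pkcs7([RA_CERT, CA_CERT]))
NOT_FOUND_REPLY = http_response("404 Object Not Found", "text/html", b"<html>...</html>")
```

The trusted fingerprint is the input that carries all the security: it has to come from the CA administrator through a channel that does not run over the same untrusted HTTP path (the https route Masud mentions, or the CA console). With a real reply the candidate list holds genuine X.509 certificates and the one that matches the trusted fingerprint is, by that fact alone, the one to install as the CA; the RA certificate is only used afterwards to protect the enrolment messages. Against the mismatch and 404 cases the function raises rather than falling back to "trust whatever came back".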

