Re: Difference between CA RA and SCEP Proxy feature on the ASA

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Tue, 27 Mar 2012 18:40:24 +0100

Guys,

So I have done me some digging around and I just can't lay my fingers on a
definitive answer to me question above.

I understand that a CA RA has as its main function, to authenticate
certificate requests AND to make/forward that request to the CA server for
the certificate. It then returns that granted certificate back to the
client.

The new SCEP Proxy feature on the ASA, well, pretty much does the same
functionality! You configure the ASA firewall for SCEP Proxy and the
AnyConnect client tries to connect VPN to the ASA. The ASA authenticates
the client, and then if successful, requests a certificate from the CA on
behalf of the client. The client then receives its certificate and
reconnects using that certificate back to the ASA for VPN.

Do both sound the same or what? Of course apart from the fact that SCEP
Proxy is specific to the ASA (for now?). I am hoping someone out here that
thinks yay or nay can sort me out here please!

Thanks as usual.

Sadiq

On Fri, Mar 23, 2012 at 5:55 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Guys,
>
> So I have done me some digging around and I just can't lay my fingers on a
> definitive answer to me question above.
>
> I understand that a CA RA has as its main function, to authenticate
> certificate requests AND to make/forward that request to the CA server for
> the certificate. It then returns that granted certificate back to the
> client.
>
> The new SCEP Proxy feature on the ASA, well, pretty much does the same
> functionality! You configure the ASA firewall for SCEP Proxy and the
> AnyConnect client tries to connect VPN to the ASA. The ASA authenticates
> the client, and then if successful, requests a certificate from the CA on
> behalf of the client. The client then receives its certificate and
> reconnects using that certificate back to the ASA for VPN.
>
> Do both sound the same or what? Of course apart from the fact that SCEP
> Proxy is specific to the ASA (for now?). I am hoping someone out here that
> thinks yay or nay can sort me out here please!
>
> Thanks as usual.
>
> Sadiq
>
> --
> CCIEx2 (R&S|Sec) #19963
>

-- 
CCIEx2 (R&S|Sec) #19963
Received on Tue Mar 27 2012 - 18:40:24 ART