The presentation was published 10 years ago by user Галя Мишакова.
© 2003, Cisco Systems, Inc. All rights reserved. CSVPN

Slide 1. Lesson 6: Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Digital Certificates

Slide 2. Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
- Explain the purpose of digital certificates.
- Generate a PKCS #10 for the Cisco VPN Client and Concentrator.
- Install certificates in the Cisco VPN Client and Concentrator.
- Explain how digital certificates are validated and maintained.
- Configure the Cisco VPN Client and Concentrator for certificate-based remote access.

Slide 3. CA Support Overview

Slide 4. CA Server Fulfilling Requests from IPSec Peers
Each IPSec peer individually enrolls with the CA server.
[Diagram: IPSec peers enrolling with the CA server.]

Slide 5. Digital Signature
[Diagram: Remote side: the document "Pay to Terry Smith $ One Hundred and xx/100 Dollars" is run through the hash algorithm; the hash is run through the encryption algorithm with the private key, giving the signature 4ehIDx67NMop9, which travels with the document over the Internet. Local side: the decryption algorithm with the public key recovers the hash; the received document is hashed again; the two hashes match.]

Slide 6. Why Digital Certificates
Slide 7. Certificate-Based Authentication
[Diagram: The CA is the trusted third party. Alex and Terry each request a certificate; the CA issues digital certificates to Alex and Terry.]

Slide 8. CA
CA responsibilities:
- Create certificates
- Administer certificates
- Revoke invalid certificates

Slide 9. PKI
[Diagram: Hierarchical model: a Root CA with a Subordinate CA serving Terry and Pat. Central model: a single Root CA serving Terry, Pat and Alex.]

Slide 10. Certificate Generation

Slide 11. Certificate Generation Process
[Diagram: Boston3 (Training K, Root) and Paris12 (Training F, Root) each generate a certificate request and send it to the MS CA; the CA processes the request and generates the certificate; each device installs its certificate.]

Slide 12. Generating a Certificate Request
[Diagram: The Concentrator or PC sends a PKCS #10 to the CA. The CA runs the hash algorithm over the PKCS #10 plus CA information, runs the hash through the encryption algorithm with the CA private key (4ehIDx67NMop9), and produces the digital certificate "Certificate: Lynn K".]

Slide 13. Certificate Request Message PKCS #10

Slide 14. Generating an Identity Certificate
[Diagram: PKCS #10 from the Concentrator or PC; at the CA, hash algorithm, then encryption algorithm with the CA private key (4ehIDx67NMop9); output "Certificate: Lynn K" with CA information; the digital certificate is returned to the Concentrator or PC.]

Slide 15. Digital Certificates
Digital certificates contain:
- Serial number
- Validity dates
- Issuer name
- Subject name
- Subject public key information
- CA signature

Slide 16. Digital Certificate Encoding
[Diagram: Digital certificate sent from the CA to the PC or Concentrator.]

Slide 17. Install the Certificate
[Diagram: At the CA: hash algorithm over the PKCS #10 plus CA info, encryption algorithm with the CA's private key (4ehIDx67NMop9), "Certificate: Lynn K"; the digital certificate is delivered to the Concentrator or PC.]
Slide 18. Validating Certificates

Slide 19. Certificate Validation
Certificate validation checks that the certificate:
- Is signed by a trusted CA
- Has not expired
- Has not been revoked

Slide 20. Signature Validation
[Diagram: (1) At the CA: the identity certificate is hashed and the hash is run through the encryption algorithm with the CA private key, giving 4ehIDx67NMop9. (2) At the Concentrator, across the Internet: the decryption algorithm with the CA public key taken from the root certificate recovers the hash; the received identity certificate is hashed again; the hashes match.]

Slide 21. Certification Chain
[Diagram: Hierarchical: root certificate, subordinate CA certificate, identity certificate (Terry, Pat). Central: root certificate, identity certificate (Terry, Pat, Alex).]

Slide 22. Validity Period

Slide 23. CRL
- List of revoked certificates signed by the CA
- Stored on the CA or CRL Distribution Point
- No requirement on devices to ensure that the CRL is current
[Diagram: a CRL entry for revoked certificate 22333 among certificates.]

Slide 24. CRL: General

Slide 25. CRL: Revocation List

Slide 26. CRL Distribution Point Location

Slide 27. Certificate Authentication Process
- Load and validate the identity certificate.
- Exchange the identity certificates during IKE negotiations.
- Verify the identity certificate signature via the stored root certificate.
- Verify that the certificate validity period has not expired.
- Verify that the identity certificate has not been revoked.
[Diagram: Home (Boston3, Entrust K; Entrust Root D134TA30) and Headquarters (Hdqtrs3, Entrust K; Entrust Root D134TA30) connected over the Internet, with an Entrust LDAP server at Headquarters.]
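The checks listed above, as an added example that is not part of the Cisco course material: a CA signs the hash of the certificate fields with its private key; the receiving device decrypts with the installed CA public key, compares hashes, checks the validity period and a CRL, and walks a root -> subordinate CA -> identity chain. Textbook RSA with tiny primes, the names Root, Training K, Boston3 and Paris12, and the dates are assumptions constructed for illustration.

```python
# Added example, not Cisco's code; toy RSA with tiny primes stands in for the real algorithm.
import hashlib
from datetime import date

def keygen(p, q, e=17):                       # toy RSA key pair -> (public, private)
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def digest(cert):                             # hash only the to-be-signed fields
    tbs = "|".join(str(cert[k]) for k in
                   ("serial", "not_before", "not_after", "issuer", "subject", "pubkey"))
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")

def issue(serial, subject, pubkey, issuer, ca_priv,
          not_before=date(2003, 1, 1), not_after=date(2004, 1, 1)):
    cert = dict(serial=serial, not_before=not_before, not_after=not_after,
                issuer=issuer, subject=subject, pubkey=pubkey)
    d, n = ca_priv                            # "encrypt" the hash with the CA private key
    cert["signature"] = pow(digest(cert) % n, d, n)
    return cert

def validate(cert, trusted, crl, today):
    """trusted: installed CA certs keyed by subject; crl: set of (issuer, serial)."""
    ca = trusted.get(cert["issuer"])
    if ca is None:
        return "issuer not trusted"
    e, n = ca["pubkey"]                       # "decrypt" with the CA public key, compare hashes
    if pow(cert["signature"], e, n) != digest(cert) % n:
        return "bad signature"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "outside validity period"
    if (cert["issuer"], cert["serial"]) in crl:
        return "revoked"
    if ca["issuer"] != ca["subject"]:         # subordinate CA: keep walking up to the root
        return validate(ca, trusted, crl, today)
    return "ok"

def demo():                                   # constructed chain: Root -> Training K -> Boston3
    root_pub, root_priv = keygen(61, 53)
    sub_pub, sub_priv = keygen(89, 97)
    boston_pub, _ = keygen(71, 73)
    root = issue(1, "Root", root_pub, "Root", root_priv)
    sub = issue(2, "Training K", sub_pub, "Root", root_priv)
    boston = issue(3, "Boston3", boston_pub, "Training K", sub_priv)
    trusted, today = {c["subject"]: c for c in (root, sub)}, date(2003, 6, 1)
    forged = dict(boston, subject="Paris12")  # edited after signing: hashes no longer match
    return {"good": validate(boston, trusted, set(), today),
            "tampered": validate(forged, trusted, set(), today),
            "expired": validate(boston, trusted, set(), date(2005, 1, 1)),
            "revoked": validate(boston, trusted, {("Training K", 3)}, today)}
```

Only the two CA certificates are installed as trusted; the identity certificate is accepted solely because its signature, dates and CRL status check out all the way to the self-signed root.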
Slide 28. Configuring the Cisco VPN 3000 Series Concentrator for CA Support

Slide 29. Concentrator Enrollment Support
[Diagram: Two enrollment methods. File (manual): generate the PKCS #10, then upload/download it to the certificate server. Network (automated): generate the PKCS #10 and enroll with the certificate server via SCEP.]

Slide 30. Concentrator Certificate Manual Loading Process
[Diagram: Generate the PKCS #10; upload the PKCS #10 to the certificate server; the certificate server generates the root and identity certificate; download the root and identity certificate; load the root certificate; load the identity certificate.]

Slide 31. Manual Enrollment: Generate a Certificate Request

Slide 32. Group Matching Policy
[Screenshot: identity certificate and group matching policy.]

Slide 33. Group Matching Rules

Slide 34. Upload the PKCS #10
[Diagram: Upload the PKCS #10.]

Slide 35. Download Certificates
[Diagram: Download the root certificate and the identity certificate from the certificate server.]

Slide 36. Install Root Certificate
[Diagram: Install the root certificate obtained from the certificate server.]

Slide 37. Root Installed

Slide 38. View Root Certificate

Slide 39. Install Identity Certificate
[Diagram: Install the identity certificate obtained from the certificate server.]

Slide 40. Identity Certificate Installed

Slide 41. View Identity Certificate

Slide 42. Certificate Renewal
Slide 43. Configure CA: CRL Caching, Backup, and HTTP Support
[Diagram: A client at Site A connects over the Internet to Site B. CRL DPs with LDAP support and HTTP support, primary and backup; CRL caching at both sites.]

Slide 44. Configuring CA Certificates
- CRL retrieval policy
- CRL caching
- CRL Distribution Points

Slide 45. Configuring CRL Retrieval Policy
[Screenshot: CRL DP taken from the certificate, or a static CRL DP.]

Slide 46. Configuring CRL Caching

Slide 47. Configuring CRL DPs
[Diagram: Site A with LDAP support and HTTP support; primary and backup CRL DPs.]

Slide 48. Step 1: Check the Active IKE Proposal List

Slide 49. Step 2: Check the IKE Proposal

Slide 50. Step 3: Modify or Add an SA

Slide 51. IPSec SA

Slide 52. Types of VPN Client Enrollment
[Diagram: File (manual): generate the PKCS #10, upload it to the certificate server, download the identity and root certificate. Network (automated): SCEP with the certificate server.]

Slide 53. Certificate Tab
The Certificate tab is used to enroll and manage personal certificates.

Slide 54. Certificate Store
A certificate store is a location in your local file system that contains personal certificates.
[Screenshot: Cisco Store]
Slide 55. File Enrollment

Slide 56. Enrollment Form

Slide 57. Paste Certificate Request
[Diagram: Generate the PKCS #10; upload the PKCS #10 to the certificate server.]

Slide 58. Download Root and Identity Certificates
[Diagram: Download a root and identity certificate from the certificate server.]

Slide 59. Import Certificates

Slide 60. Viewing Certificates

Slide 61. Network-Based Enrollment
[Diagram: Network (automated): certificate server, SCEP.]

Slide 62. SCEP
[Diagram: exchange between the SCEP client (certificate manager) and the certificate server:
- Request CA or RA certificate; the server returns the CA or RA certificate.
- Verify the CA or RA certificate.
- Generate keys.
- Generate certificate request; send request.
- The server processes the request: if approved, it generates the identity certificate; or, if pending approval, it answers "request pending" and the client sends polling requests.
- Store certificate.]
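The SCEP exchange on the slide, as an added example that is not part of the Cisco course material: a server side that answers "pending" until an administrator approves, and a client side that first verifies the CA certificate against a fingerprint obtained out of band, submits the request, polls, and stores the root and identity certificates. The class names, message strings and the fingerprint check are assumptions constructed for illustration.

```python
# Added example, not Cisco's code: toy model of the SCEP exchange on the slide. Message
# bodies are constructed strings; real SCEP wraps the PKCS #10 in PKCS #7 over HTTP.
import hashlib

def fingerprint(cert):
    return hashlib.sha256(cert.encode()).hexdigest()

class CertServer:                                  # CA / RA side
    def __init__(self, ca_cert):
        self.ca_cert, self.pending, self.issued = ca_cert, {}, {}
    def get_ca_cert(self):                         # "Request CA or RA certificate"
        return self.ca_cert
    def enroll(self, pkcs10):                      # "Send request": approval is manual here
        tid = fingerprint(pkcs10)[:8]              # transaction id used when polling
        self.pending[tid] = pkcs10
        return "PENDING", tid
    def approve(self, tid):                        # administrator action on the CA
        self.issued[tid] = "cert(" + self.pending.pop(tid) + ")"
    def poll(self, tid):                           # "Send polling request"
        if tid in self.issued:
            return "SUCCESS", self.issued[tid]
        return ("PENDING", tid) if tid in self.pending else ("FAILURE", None)

class VpnClient:
    def __init__(self, expected_fp):               # fingerprint obtained out of band
        self.expected_fp, self.store, self.tid = expected_fp, {}, None
    def start(self, server, subject):
        ca_cert = server.get_ca_cert()
        if fingerprint(ca_cert) != self.expected_fp:   # "Verify CA or RA certificate"
            return "REJECTED"                      # never enroll with an unverified CA
        self.store["root"] = ca_cert               # store the root certificate
        return self._handle(*server.enroll("PKCS10:" + subject))
    def poll(self, server):
        return self._handle(*server.poll(self.tid))
    def _handle(self, status, payload):
        if status == "SUCCESS":
            self.store["identity"] = payload       # store the identity certificate
        elif status == "PENDING":
            self.tid = payload
        return status

def demo():
    ca_cert = "CA cert: constructed"
    server, client = CertServer(ca_cert), VpnClient(fingerprint(ca_cert))
    first = client.start(server, "Boston3")        # PENDING: waits for approval
    stuck = client.poll(server)                    # still PENDING
    server.approve(client.tid)
    done = client.poll(server)                     # SUCCESS: identity certificate stored
    bad = VpnClient("0" * 64).start(server, "Paris12")   # wrong fingerprint -> REJECTED
    return first, stuck, done, sorted(client.store), bad
```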
Slide 63. Network Enrollment

Slide 64. Enrollment Form

Slide 65. Summary

Slide 66. Summary
- Digital certificates bind a person or entity to a private key.
- The Cisco VPN Client and Concentrator create PKCS #10s.
- PKCS #10s are sent to the CA to be verified.
- The CA issues VPN Client and Concentrator X.509 certificates.
- Certificates are loaded on the VPN Client and Concentrator.
- Certificates are exchanged during IKE negotiations.
- Certificates are validated by the receiving device.

Slide 67. Lab Exercise

Slide 68. Lab Visual Objective
[Diagram: lab topology: CA server, Cisco PC running the VPN Client (10.0.P.0), RTS, Cisco VPN 3000, Web and FTP servers (P.0).]