Cisco ASA–Send the right enrollment request to the CA

A few things I forgot to mention in my previous posts. You need to send a properly formatted request the Microsoft NDES service from the Cisco ASA. This needs to include the domain and correct key size. If you do not specify these enrollment properties correctly the CA will deny the request. Usually the deny will show up in the application log indicating that the key size is wrong.

No real need to go up to a 2048 key size unless your security requirements demand it. Remember – the higher the key size and the number of connections will impact your CPU performance on the ASA.

Here is an example configuration for the ASA enrollment:

image

 

Also – be sure the NDES service has the correct security properties on the template. Go ahead and give it “Full Control” and this will check the Auto-enroll security also.

Advertisements

NDES Server Configuration for SCEP (Cisco ASA SCEP Proxy)

A quick little reminder – the Microsoft NDES implementation requires a one-time password to enroll network devices. However this gets rather complicated because the whole BYOD concept means you do not have access to that one-time password. The administrator is not involved to get you on the network right? You get credentials and that’s all..

An adjustment needs to be made to Microsoft NDES implementation to let the Cisco ASA proxy the SCEP enrollment request.

Disabling the "one-time password" on the NDES server is configured in the following registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword

EnforcePassword value data is set to "0". "0" ensures no password is requested by NDES.

 

Another thing to keep in mind – default NDES implementation will use the “IPSEC (Offline Request)” certificate template. You need to make a decision if this is the template you want to have enrolled for those getting a BYOD certificate.

 

Let’s say you want some better control of the certificate getting issued. I would recommend creating a custom template. And this is a user device so lets give is the right key usage.

  • Duplicate the “IPsec (Offline Request)” template – I use “User NDES”
  • Modify the extensions so the extension list looks like – You don’t have to assign all of these uses, but this mirrors the most likely use cases.
    • Server Authentication
    • Secure Email
    • Encrypting File System
    • Client Authentication
    • IPSec IKE Intermediate
  • Adjust the certificate validity period and renewal period according to your policy for user certificates.
  • Check the box for publish in Active Directory if you are using EFS
  • Add the NDES service account to the security permissions on the template with “Read and Enroll” checked.
  • Modify the registry key to assign what certificate is assigned during enrollment
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
    • image

Cisco CUBE and MOH issues

Recent issue and a quick reminder about Cisco CUBE and MOH issues. If you’re having issues dealing with inbound callers not hearing MOH when being placed on hold – then the issue might not be CUBE.

Check this service parameter on CUCM – Duplex Streaming Enabled

“”This parameter determines whether music on hold (MOH) and Annunciator use duplex streaming. Valid values specify True (use duplex [two-way] streaming for MOH and Annunciator) or False (use simplex [one-way] streaming for MOH and Annunciator). Specifying True facilitates interoperability with certain firewalls and NATs. The default value is "false".””

 

Simple answer – Cisco 15.x IOS likes duplex audio streams.

Cisco ASA enrollment for SSL using SCEP

Alright – so if you’ve set up Microsoft NDES on server 2012 and followed the basic instructions your CA is now ready to auto enroll based on the “IPSECIntermediateOffline” template.

However, let’s say you want to actually enroll the Cisco ASA using SCEP to provide a server authentication certificate? You’re wanting to do this so your AnyConnect SSL/WebVPN will use an SSL certificate from your internal Active Directory Enterprise CA.

Simple – change the registry value for the MSCEP.dll and restart IIS. Then go back to your Cisco ASA and perform an new identity certificate enrollment. Be sure to populate all of the certificate name fields getting your CN correct.

CN=vpn.mydomain.net

 

The key is : HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\MSCEP\

Set this to GeneralPurposeTemplate = Webserver

You can now enroll your Cisco ASA using SCEP to obtain a Server Authentication certificate. You can check the CA certificate and now you you should see an assigned certificate using the WebServer template.

Be sure to set the GeneralPurposeTemplate back to “IPSECIntermediateOffline” once you’re done unless you need to SCEP enroll more Web Servers.