AAA/CA server issues during rack time

hi,

 

I am using IE racks for my security labs and every time I want to contact the CA server for certificates I have issues.

I will be able to telnet to the server on port 80, but authenticating the CA has never been successful.

Also I noticed the server does not have a default gateway; am I supposed to be adding static routes to the server?

Pls assist.

Thank you


Comments

  • You do need to add routes to the server when you do the labs.

    What do you mean that authenticating the CA is not working?  Do you mean that crypto ca authenticate vpnca isn't working?  What URL are you using?



    On Dec 16, 2008, at 9:05 AM, bankawol wrote:


    Internetwork Expert - The Industry Leader in CCIE Preparation
    http://www.internetworkexpert.com

    Subscription information may be found at:
    http://www.ieoc.com/forums/ForumSubscriptions.aspx

  • Thanks,

    I used the URL as contained in lab 5 of the IE Security workbook. When I type crypto ca authenticate, I can hit the server on port 80 but can't retrieve a certificate. I always get a certificate error.

    Thank you

    --- On Tue, 12/16/08, brandoncarroll <[email protected]> wrote:
    From: brandoncarroll <[email protected]>
    Subject: Re: [CCIE Sec] AAA/CA server issues during rack time
    To: [email protected]
    Date: Tuesday, December 16, 2008, 1:15 PM




  • You have probably checked the time already but that causes issues sometimes.  Another thing I have done is include the serial number in the request.



    On Dec 16, 2008, at 3:10 PM, bankawol wrote:

  • There are a bunch of reasons this could happen.  Next time you have issues capture the output from "debug crypto pki transactions" and post it here.  In older IOS it may be "debug crypto ca transactions".



    Brian McGahan, CCIE #8593 (R&S/SP/Security)

    [email protected]

     

    Internetwork Expert, Inc.

    http://www.InternetworkExpert.com

    Toll Free: 877-224-8987 x 705

    Outside US: 775-826-4344 x 705

    Online Community: http://www.IEOC.com

    CCIE Blog: http://blog.internetworkexpert.com







  • I'm having trouble with this too, yesterday and today both on rack 2.  Here's my debug output:

    SCRack2R2#sh ver | i ^IOS
    IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)
    SCRack2R2#debug crypto pki transactions
    Crypto PKI Trans debugging is on
    SCRack2R2#show run int e0/0
    Building configuration...

    Current configuration : 77 bytes
    !
    interface Ethernet0/0
     ip address 10.0.0.2 255.255.255.0
     half-duplex
    end

    SCRack2R2#sh ntp ass

          address         ref clock     st  when  poll reach  delay  offset    disp
    *~10.0.0.100       127.127.1.0       4    54    64  377     2.2   43.25    10.0
     * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    SCRack2R2#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    SCRack2R2(config)#cryp key zero rsa
    % All RSA keys will be removed.
    % All router certs issued using these keys will also be removed.
    Do you really want to remove these keys? [yes/no]: yes
    Can not select my full public key (SCRack2R2.internetworkexpert.com)
    SCRack2R2(config)#
    Dec 20 01:20:00.005: %SSH-5-DISABLED: SSH 1.5 has been disabled
    SCRack2R2(config)#cryp key zero rsa
    % Signature RSA Keys not found in configuration.

    SCRack2R2(config)#ip domain name internetworkexpert.com
    SCRack2R2(config)#cry key gen rsa
    The name for the keys will be: SCRack2R2.internetworkexpert.com
    Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.

    How many bits in the modulus [512]:
    % Generating 512 bit RSA keys ...[OK]

    SCRack2R2(config)#
    Dec 20 01:20:35.826: %SSH-5-ENABLED: SSH 1.5 has been enabled
    SCRack2R2(config)#no crypto ca tru TP
    % Removing an enrolled trustpoint will destroy all certificates
     received from the related Certificate Authority.

    Are you sure you want to do this? [yes/no]: yes
    % Be sure to ask the CA administrator to revoke your certificates.

    No enrollment sessions are currently active.

    SCRack2R2(config)#
    Dec 20 01:20:57.115: CRYPTO_PKI: 'primary' trustpoint being removed
    SCRack2R2(config)#cryp ca tru TP
    SCRack2R2(ca-trustpoint)#enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
    SCRack2R2(ca-trustpoint)#enro
    SCRack2R2(ca-trustpoint)#crl op
    SCRack2R2(ca-trustpoint)#crl optional
    SCRack2R2(ca-trustpoint)#ex
    SCRack2R2(config)#sh run | b ^cryp
    crypto ca trustpoint TP
     enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
     crl optional
    <snip>
    SCRack2R2(config)#cry ca authen TP
    Certificate has the following attributes:
    Fingerprint: 8E74BF81 C3F17FE4 7EE49A51 A7265423
    % Do you accept this certificate? [yes/no]:
    Dec 20 01:22:30.489: CRYPTO_PKI: Sending CA Certificate Request:
    GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=TP HTTP/1.0

    Dec 20 01:22:30.489: CRYPTO_PKI: can not resolve server name/IP address
    Dec 20 01:22:30.493: CRYPTO_PKI: Using unresolved IP Address 10.0.0.100
    Dec 20 01:22:30.497: CRYPTO_PKI: http connection opened
    Dec 20 01:22:30.930: CRYPTO_PKI: HTTP response header:
     HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sat, 20 Dec 2008 01:22:30 GMT
    Content-Length: 2953
    Content-Type: application/x-x509-ca-ra-cert

    Content-Type indicates we have received CA and RA certificates.

    Dec 20 01:22:30.934: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=TP)

    Dec 20 01:22:31.655: The PKCS #7 message contains 3 certificates.
    Dec 20 01:22:31.731: CRYPTO_PKI:crypto_pkcs7_extract_ca_cert found cert

    Dec 20 01:22:31.731: CRYPTO_PKI: transaction GetCACert completed
    Dec 20 01:22:31.735: CRYPTO_PKI: CA certificate received.
    Dec 20 01:22:
    yes
    Trustpoint CA certificate accepted.
    SCRack2R2(config)#31.735: CRYPTO_PKI: CA certificate received.
    Dec 20 01:22:31.751: CRYPTO_PKI: crypto_pki_authenticate_tp_cert()

    Dec 20 01:22:31.751: CRYPTO_PKI: trustpoint TP authentication status = 0

    SCRack2R2(config)#
    Dec 20 01:22:33.787: CRYPTO_PKI: crypto_process_ra_certs(trust_point=TP)
    SCRack2R2(config)#
    SCRack2R2(config)#
    SCRack2R2(config)#cry ca enroll TP
    %
    % Start certificate enrollment ..
    % Create a challenge password. You will need to verbally provide this
       password to the CA Administrator in order to revoke your certificate.
       For security reasons your password will not be saved in the configuration.
       Please make a note of it.

    Password:
    Re-enter password:

    % The fully-qualified domain name in the certificate will be: SCRack2R2.internetworkexpert.com
    % The subject name in the certificate will be: SCRack2R2.internetworkexpert.com
    % Include the router serial number in the subject name? [yes/no]: no
    % Include an IP address in the subject name? [no]: no
    Request certificate from CA? [yes/no]: yes
    % Certificate request sent to Certificate Authority
    % The certificate request fingerprint will be displayed.
    % The 'show crypto ca certificate' command will also show the fingerprint.

    SCRack2R2(config)#    Fingerprint:  58A69810 6F3E8AD0 3D2FF478 89C49221

    Dec 20 01:23:01.486: CRYPTO_PKI: Sending CA Certificate Request:
    GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=TP HTTP/1.0

    Dec 20 01:23:01.490: CRYPTO_PKI: can not resolve server name/IP address
    Dec 20 01:23:01.490: CRYPTO_PKI: Using unresolved IP Address 10.0.0.100
    Dec 20 01:23:01.494: CRYPTO_PKI: http connection opened
    Dec 20 01:23:01.943: CRYPTO_PKI: HTTP response header:
     HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sat, 20 Dec 2008 01:23:01 GMT
    Content-Length: 2953
    Content-Type: application/x-x509-ca-ra-cert

    Content-Type indicates we have received CA and RA certificates.

    Dec 20 01:23:01.943: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=TP)

    Dec 20 01:23:02.672: The PKCS #7 message contains 3 certificates.
    Dec 20 01:23:02.772: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

    Dec 20 01:23:02.876: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs
    SCRack2R2(config
    Dec 20 01:23:02.896: CRYPTO_PKI: transaction PKCSReq completed
    Dec 20 01:23:02.896: CRYPTO_PKI: status:
    Dec 20 01:23:03.301: CRYPTO_PKI: can not resolve server name/IP address
    Dec 20 01:23:03.301: CRYPTO_PKI: Using unresolved IP Address 10.0.0.100
    Dec 20 01:23:03.305: CRYPTO_PKI: http connection opened)#
    SCRack2R2(config)#
    Dec 20 01:23:04.764: CRYPTO_PKI:  received msg of 709 bytes
    Dec 20 01:23:04.764: CRYPTO_PKI: HTTP response header:
     HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sat, 20 Dec 2008 01:23:04 GMT
    Content-Length: 564
    Content-Type: application/x-pki-message

    Dec 20 01:23:06.114: The PKCS #7 message has 1 verified signers.
    Dec 20 01:23:06.114: signing cert: issuer=cn=sc02-aaa,o=Internetwork Expert, Inc.,l=Reno,st=NV,c=US,[email protected]
    Dec 20 01:23:06.118: Signed Attributes:

    Dec 20 01:23:06.122: CRYPTO_PKI: status = 101: certificate request is rejected
    Dec 20 01:23:06.122: CRYPTO_PKI: Fail Info=1
    Dec 20 01:23:06.126: CRYPTO_PKI: All enrollment requests completed for trustpoint TP.
    Dec 20 01:23:06.126: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
    Dec 20 01:23:06.126: CRYPTO_PKI: All enrollment requests completed for trustpoint TP.
    Dec 20 01:23:06.138: CRYPTO_PKI: All enrollment requests completed for trustpoint TP.
    SCRack2R2(config)#
    SCRack2R2(config)#
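The advice two comments up was to capture "debug crypto pki transactions", and the capture just above shows what that looks like when enrollment fails: GetCACert succeeds (HTTP 200, Content-Type application/x-x509-ca-ra-cert, CA fingerprint shown), then the PKCSReq comes back with "status = 101: certificate request is rejected" and "Fail Info=1". The following Python is an added example, not part of this thread and not Cisco tooling, that reads such a capture and turns it into the three checks an operator makes in order: did GetCACert complete, was the CA certificate parsed, and was the enrollment rejected and why. The sample lines are excerpted and trimmed from the capture above; the one assumption is that the IOS "Fail Info" number is the SCEP failInfo code from RFC 8894 (1 = badMessageCheck, 3 = badTime), which is how the code labels it.

```python
"""Summarize a Cisco IOS "debug crypto pki transactions" capture (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# SCEP failInfo codes from RFC 8894, section 3.2.1.4.  Treating the IOS
# "Fail Info=N" value as exactly this code is an assumption of this example.
SCEP_FAILINFO = {
    0: "badAlg: unrecognised or unsupported algorithm",
    1: "badMessageCheck: integrity (signature) check of the request failed",
    2: "badRequest: transaction not permitted or supported",
    3: "badTime: signingTime attribute too far from the CA's clock",
    4: "badCertId: no certificate could be identified matching the request",
}

@dataclass
class PkiSummary:
    transactions: List[str] = field(default_factory=list)   # GetCACert, PKCSReq, ...
    content_types: List[str] = field(default_factory=list)  # one per HTTP response
    ca_fingerprint: Optional[str] = None        # shown by crypto ca authenticate
    request_fingerprint: Optional[str] = None   # shown by crypto ca enroll
    status_text: Optional[str] = None           # e.g. "certificate request is rejected"
    fail_info: Optional[int] = None
    rejected: bool = False                      # %CRYPTO-6-CERTREJECT seen

    @property
    def fail_reason(self) -> Optional[str]:
        if self.fail_info is None:
            return None
        return SCEP_FAILINFO.get(self.fail_info, f"unrecognised failInfo {self.fail_info}")

_RE_TXN = re.compile(r"transaction (\w+) completed")
_RE_CT = re.compile(r"Content-Type: (\S+)")
_RE_FP = re.compile(r"Fingerprint:\s+([0-9A-F]{8}(?: [0-9A-F]{8}){3})")
_RE_STATUS = re.compile(r"CRYPTO_PKI: status = \d+: (.+)")
_RE_FAIL = re.compile(r"Fail Info=(\d+)")

def summarize(lines) -> PkiSummary:
    """Walk the debug lines once and collect the facts an operator checks."""
    s = PkiSummary()
    for raw in lines:
        line = raw.strip()
        if m := _RE_TXN.search(line):
            s.transactions.append(m.group(1))
        elif m := _RE_CT.search(line):
            s.content_types.append(m.group(1))
        elif m := _RE_FP.search(line):
            # The first fingerprint printed belongs to the CA certificate; a
            # later one is the router's own certificate request.
            if s.ca_fingerprint is None:
                s.ca_fingerprint = m.group(1)
            else:
                s.request_fingerprint = m.group(1)
        elif m := _RE_STATUS.search(line):
            s.status_text = m.group(1)
        elif m := _RE_FAIL.search(line):
            s.fail_info = int(m.group(1))
        elif "%CRYPTO-6-CERTREJECT" in line:
            s.rejected = True
    return s

def verdict(s: PkiSummary) -> str:
    """One-line reading, checked in the order the SCEP exchange happens."""
    if "GetCACert" not in s.transactions:
        return "GetCACert never completed: check routing and HTTP reachability to the enrollment URL"
    if s.ca_fingerprint is None:
        return "CA certificate not parsed: verify the enrollment URL is the SCEP endpoint"
    if s.rejected or s.fail_info is not None:
        return f"enrollment rejected by the CA: {s.fail_reason}"
    if "PKCSReq" not in s.transactions:
        return "CA authenticated; no enrollment (PKCSReq) transaction seen"
    return "CA authenticated and enrollment request completed without rejection"

# Lines excerpted (and trimmed) from the capture posted above.
SAMPLE_DEBUG = """\
Certificate has the following attributes:
Fingerprint: 8E74BF81 C3F17FE4 7EE49A51 A7265423
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=TP HTTP/1.0
Dec 20 01:22:30.930: CRYPTO_PKI: HTTP response header:
Content-Type: application/x-x509-ca-ra-cert
Dec 20 01:22:31.655: The PKCS #7 message contains 3 certificates.
Dec 20 01:22:31.731: CRYPTO_PKI: transaction GetCACert completed
Dec 20 01:23:02.896: CRYPTO_PKI: transaction PKCSReq completed
Content-Type: application/x-pki-message
Dec 20 01:23:06.122: CRYPTO_PKI: status = 101: certificate request is rejected
Dec 20 01:23:06.122: CRYPTO_PKI: Fail Info=1
Dec 20 01:23:06.126: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE_DEBUG)
    print("responses:", ", ".join(summary.content_types))
    print("CA fingerprint:", summary.ca_fingerprint)
    print(verdict(summary))
```

Run against the posted capture it reports both transactions completed, the CA fingerprint 8E74BF81 C3F17FE4 7EE49A51 A7265423, and a rejection. If the failInfo mapping holds, Fail Info=1 means the CA could not verify the signed request itself, which is a different problem from reachability (already ruled out by the telnet test and the HTTP 200s) and from the clock skew suggested earlier, which would show up as failInfo 3 (badTime). Point the verdict order at whatever the capture stops at and you have a narrower question to ask than "certificate error".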

     

  • I've never been able to ping the backbone routers, or establish a connection to them.

    I wonder if this is deliberate.

    Thank you.

     

  • The initial configuration script has some errors, which caused the basic connection to bb1 to fail. Yet the error is very easy to recognize if attention is paid to the serial interface connection.
