PKI Configuration Options – Enterasys Networks Security Router X-Pedition™ User Manual
Page 349

VPN Configuration Overview
XSR User’s Guide 14-27
XSR(aaa-user)#aaa password ThISisMYShaREDsecRET
The following sample configuration creates user Jeremiah in the PromisedLand usergroup, with
DNS, WINS and MPPE encryption, and assigns IP local pool remote_users for remote access:
XSR(config)#aaa group PromisedLand
XSR(aaa-group)#dns server primary 112.16.1.16
XSR(aaa-group)#dns server secondary 112.30.30.20
XSR(aaa-group)#wins server primary 112.16.1.16
XSR(aaa-group)#wins server secondary 112.16.1.13
XSR(aaa-group)#ip pool remote_users
XSR(aaa-group)#pptp encrypt mppe 128
XSR(config)#aaa user Jeremiah
XSR(aaa-user)#password amen
XSR(aaa-user)#group PromisedLand
PKI Configuration Options
The XSR’s PKI implementation offers the following CLI commands to:
• Identify and configure attributes of Certificate Authorities using the crypto ca identity mode's available commands:
  – enrollment http-proxy specifies SCEP requests to be directed through an intermediate proxy server.
  – enrollment url - URL provided to access the CA (consult your CA administrator for this address). Any DNS names must be manually converted and entered as IP addresses (not acme.com but 192.168.1.1).
  – enrollment retry count sets the number of retries for pended enrollment requests.
  – enrollment retry in period sets the interval between retries for pended enrollment requests.
  – crl frequency sets the interval between runs of the CRL maintenance task to update CRLs.
• Collect a CA certificate from a Certificate Authority: crypto ca authenticate. Note that you must verify the fingerprint of the CA against provided information as part of this operation to assure that the CA you access is the CA you expect.
• Enroll an IPSec client certificate for your XSR against an authenticated CA: crypto ca enroll.
• Immediately update CRL lists by entering crypto ca crl request.
• Display various aspects of the crypto configuration using the following show commands:
  – show crypto ca identity displays all configured CA identities
  – show crypto ca certificates displays all collected certificates (CA Identities and IPSec client certificates)
  – show crypto ca crls displays a list of applicable CRLs
• Remove individual certificates using the following commands:
Note: For generic AAA background information and configurations, refer to
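
Added example (not from the XSR User's Guide): the fingerprint check that the crypto ca authenticate step above calls for, run on a trusted workstation against a copy of the CA certificate. It assumes the CA administrator supplied the certificate in PEM form and a fingerprint out of band; the function names, the constructed sample bytes, and inferring the digest type from the fingerprint length are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint length in hex characters -> hash name. Which digest the router
# displays is an assumption; it is inferred from the value the CA published.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalize_fingerprint(text):
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    hex_only = re.sub(r"[\s:.-]", "", text).lower()
    if len(hex_only) not in ALGO_BY_HEX_LEN or re.search(r"[^0-9a-f]", hex_only):
        raise ValueError("not an MD5, SHA-1 or SHA-256 fingerprint")
    return hex_only


def fingerprint_matches(der, published):
    """True only if the certificate hashes to the fingerprint the CA published."""
    expected = normalize_fingerprint(published)
    computed = hashlib.new(ALGO_BY_HEX_LEN[len(expected)], der).hexdigest()
    return hmac.compare_digest(computed, expected)


def make_sample_pem(der):
    """Wrap constructed bytes in PEM armor (stand-in for a real CA certificate)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


if __name__ == "__main__":
    # Constructed sample input, not a real certificate.
    sample_der = b"constructed bytes standing in for a DER-encoded CA certificate"
    published = hashlib.sha256(sample_der).hexdigest().upper()
    ok = fingerprint_matches(pem_to_der(make_sample_pem(sample_der)), published)
    print("accept CA certificate" if ok else "REJECT: fingerprint mismatch")
```

A mismatch, or a fingerprint of unexpected length, means the certificate should not be accepted as the CA until the discrepancy is resolved with the CA administrator.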