Cisco Secure VPN Exam Certification Guide - Cisco Press

248 Chapter 5: Configuring Cisco VPN 3000 for Remote Access Using Digital Certificates

Chapter Glossary

The following terms were introduced in this chapter or have special significance to the topics within this chapter:

Directory System Agent (DSA) Software that provides the X.500 Directory Service for a portion of the directory information base. Generally, each DSA is responsible for the directory information for a single organization or organizational unit.

Public Key Cryptography Standards (PKCS) Series of specifications published by RSA Laboratories for data structures and algorithm usage for basic applications of asymmetric cryptography.

Public Key Infrastructure (PKI) System of CAs (and optionally, RAs and other supporting servers and agents) that perform some set of certificate management, archive management, key management, and token management functions for a community of users in an application of asymmetric cryptography.

Rivest, Shamir, and Adleman (RSA) The inventors of a public-key cryptographic system that can be used for both encryption and authentication.

Q&A

As mentioned in Chapter 1, these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam; however, the questions are designed to make sure you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, your understanding and recall of the subject are challenged. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and guess!

1. What must be in place on a client’s PC before you can configure the VPN Client for certificate support?

2. What two methods are available on the VPN concentrator for installing certificates obtained through manual enrollment?

3. What could cause a digital certificate to be revoked by the CA?

4. What are the two types of CA structures?

5. During the authentication process, where does a VPN concentrator find the original hash that the CA calculated for an identity certificate?

6. During manual SCEP authentication, how is the request transmitted to the CA?

7. What Public Key Cryptography Standard is used to request enrollment with a CA?

8. What is the first certificate that must be installed on a VPN concentrator before you can install any other certificates from a given CA?

9. When configuring digital certificate support on a VPN concentrator, where do you identify which certificate to use for IKE Phase 1 negotiations?

10. After a VPN peer receives an identity certificate from its partner during IKE Phase 1, the peer calculates a hash of the certificate. What does the peer compare this hash against to verify that the certificate has not been altered?

11. Where does a VPN concentrator obtain the root CA’s public key?

12. What entity is responsible for generating the PKI public/private key pair for a requesting host?

13. In the VPN Manager, where do you identify that you want to use RSA Digital Certificates for IKE Phase 1 authentication?

14. What three tests does a VPN concentrator perform on a partner’s identity certificate before performing the authentication process?

15. Which version of the X.509 standard identity certificate permits extensions?

16. What is RSA Keon?

17. When does the Click here to install a CA certificate option appear on the Administration | Certificate Management screen of the VPN Manager?

18. The VPN concentrator is certified to work with three Internet-based CAs. Which CAs are they?

19. What elements make up the X.500 distinguished name?

20. Which screen do you use to enable the use of digital certificates for device authentication during IKE Phase 1 negotiations?

21. What two enrollment methods are available on a VPN concentrator?

22. What field in the certificate request should match the IPSec group name on the VPN concentrator?

23. When are SSL certificates required on a VPN concentrator?

24. What are the three types of certificates involved in the digital certificate process?

25. What is a CRL?

26. When you select to cache CRLs on the VPN concentrator, where are they stored?

27. What default algorithm type and key size does the VPN concentrator use on the certificate request?

28. Using the VPN Manager, where would you look to check the status of a certificate enrollment process?

29. What is a root certificate?

30. Where are you asked to supply a challenge password during the enrollment process?

31. How is the validity period of a digital certificate specified?

32. With CRL caching disabled, how does a VPN concentrator check a certificate’s serial number against a CRL?

33. SCEP has two authentication methods available between a requester and the CA. What are those two methods?

Scenarios

The following scenarios and questions are designed to draw together the content of the chapter and exercise your understanding of the concepts. There might be more than one correct answer. The thought process and practice in manipulating each concept in the scenario are the goals of this section.

Scenario 5-1

You have just configured a new Microsoft Windows 2000 Certificate Server in your network. You want to test the CA services before you roll out the service to your entire network. You are currently using a Cisco VPN 3005 Concentrator for remote access VPNs with 65 certificates installed. User authentication is handled through the NT domain. You will be using SCEP on the CA server. You will be using two laptop clients for testing. The laptops are using the Cisco VPN Client software.

1. Describe the steps you need to take to configure the VPN concentrator to use the new CA server.

2. Describe the steps you need to take to configure the clients to use the new CA server.

Scenario 5-2

You have been using a Cisco VPN 3030 Concentrator for some time to manage VPN connections for remote access users. You want to use a CA server that does not support SCEP.

Describe the steps you need to take to configure the VPN concentrator to use the new CA server.

Scenario Answers

The answers provided in this section are not necessarily the only correct answers. They represent one possibility for each scenario. The intention is to test your base knowledge and understanding of the concepts discussed in this chapter.

Should your answers be different (as they likely will be), consider the differences. Are your answers in line with the concepts of the answers provided and explained here? If not, reread the chapter, focusing on the sections that are related to the problem scenario.

Scenario 5-1 Answers

1. The steps you need to take to configure the VPN concentrator to use the new CA server are as follows:

Step 1 Install a CA certificate for the new CA onto the concentrator using SCEP.

Step 2 Enroll the VPN concentrator with the CA server using SCEP.

Step 3 Select the IKE proposal you will be using, and configure the authentication mode to use RSA digital certificates.

Step 4 Select the IPSec SA you will be using, and identify the IKE proposal and certificate to use.

2. The steps required to configure the clients to use the new CA server are as follows:

Step 1 From the VPN concentrator:

(a) Enroll the clients manually with the CA server to obtain their identity certificates.

(b) Copy the CA root certificate and the identity certificates to floppy disk.

Step 2 From the VPN Client:

(a) Import the root and identity certificates into the browser on each client. Be sure to import only one identity certificate onto each client.

(b) Open the VPN Dialer, and select the connection to the VPN concentrator.

(c) Click Options and select Properties.

(d) Select the Authentication tab, and modify Choose to use Certificates for authentication. Select the name of the identity certificate from the drop-down menu.

(e) Test the connection.

Scenario 5-2 Answers

The steps required to configure the VPN concentrator to use the new CA server are as follows:

Step 1 Install a CA certificate for the new CA onto the concentrator manually as follows:

(a) Copy the CA root certificate to your management workstation. You can do this from floppy disk or through file transfer from the CA.

(b) Install the CA certificate by choosing to upload the file from the workstation.

Step 2 Enroll the VPN concentrator with the CA server manually as follows:

(a) Prepare a PKCS #10 certificate request in PEM format.

(b) Transport the request to the CA server (electronically or physically).

(c) Receive the identity certificate from the CA server (electronically or physically).

(d) Select to install the identity certificate by uploading the file from the workstation.

Step 3 Select the IKE proposal you will be using, and configure the authentication mode to use RSA digital certificates.

Step 4 Select the IPSec SA you will be using, and identify the IKE proposal and certificate to use.
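The manual enrollment of Scenario 5-2 (a PKCS #10 request in PEM form, signed by the CA and returned as the identity certificate) and the checks behind Q&A questions 5, 10, 14, 25 and 32 (the CA's signature over the certificate verified with the installed CA certificate's public key, the validity period, and a CRL lookup by serial number), worked through with the OpenSSL command line. This is an added example, not code from the book or from Cisco, and it assumes the openssl CLI is installed. The test root CA, the distinguished-name values, the hostname vpn3030.example.test and the IPSec group name vpngroup are constructed values; the group name is placed in the OU field, which is the field the VPN 3000 matches against the group.

```shell
#!/bin/sh
# Manual (non-SCEP) enrollment and the concentrator's certificate checks,
# walked through with the OpenSSL command line. Everything below is a
# constructed test PKI: the CA, the DN values, the hostname and the IPSec
# group name "vpngroup" are assumptions, not values from the book.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CA server: a throwaway root CA plus the minimal
# "openssl ca" configuration needed later to revoke and publish a CRL.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/C=US/O=Example Corp/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 7
EOF
}

# Scenario 5-2, step 2(a): the PKCS #10 request in PEM form. The key pair is
# generated on the requesting device; the OU carries the IPSec group name
# the concentrator will match the certificate against.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=Texas/L=Austin/O=Example Corp/OU=vpngroup/CN=vpn3030.example.test" \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" >/dev/null 2>&1
  # Check the request before transporting it: self-signature valid, PEM armour present.
  openssl req -in "$WORK/vpn.csr" -noout -verify >/dev/null 2>&1 || return 1
  grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$WORK/vpn.csr"
}

# Prints the OU from the request so the operator can confirm it matches the group.
csr_ou() {
  openssl req -in "$WORK/vpn.csr" -noout -subject -nameopt sep_multiline 2>/dev/null \
    | sed -n 's/^ *OU=//p'
}

# Scenario 5-2, step 2(c): the CA signs the request and returns the identity
# certificate (this step runs on the CA server, not on the concentrator).
issue_identity_cert() {
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 7 -sha256 -out "$WORK/vpn.pem" >/dev/null 2>&1
}

# What the concentrator checks before trusting a peer's identity certificate:
# the CA's signature over the certificate (verified with the installed CA
# certificate's public key) and the validity period. The CRL check is below.
verify_identity_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/vpn.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/vpn.pem" -noout -checkend 0 >/dev/null 2>&1
}

# Revoke the identity certificate, publish a CRL, and re-run the check with
# the CRL consulted; the certificate's serial number now appears on the list.
revoke_and_check() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/vpn.pem" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
  if openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
       "$WORK/vpn.pem" >/dev/null 2>&1; then
    echo "still-valid"
  else
    echo "revoked"
  fi
}

# Runs the whole sequence and prints a one-line summary.
run_demo() {
  make_test_ca
  make_csr || { echo "csr=bad"; return 1; }
  issue_identity_cert
  if verify_identity_cert; then state=valid; else state=invalid; fi
  echo "csr=ok ou=$(csr_ou) identity=$state after-revocation=$(revoke_and_check)"
}

run_demo
```

Run the script as-is; it prints `csr=ok ou=vpngroup identity=valid after-revocation=revoked`. The `-crl_check` flag on the final `openssl verify` is the equivalent of the concentrator consulting a CRL: the same certificate that passed the signature and validity checks is rejected once its serial number is listed, which is why the CRL source (cached or fetched fresh) matters for the third of the three tests.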