PKI Configuration Options – Enterasys Networks Security Router X-Pedition™ User Manual

Page 349


VPN Configuration Overview

XSR User’s Guide 14-27

XSR(aaa-user)#aaa password ThISisMYShaREDsecRET

The following sample configuration creates user Jeremiah in the PromisedLand usergroup, with
DNS, WINS and MPPE encryption, and assigns IP local pool remote_users for remote access:

XSR(config)#aaa group PromisedLand
XSR(aaa-group)#dns server primary 112.16.1.16
XSR(aaa-group)#dns server secondary 112.30.30.20
XSR(aaa-group)#wins server primary 112.16.1.16
XSR(aaa-group)#wins server secondary 112.16.1.13
XSR(aaa-group)#ip pool remote_users
XSR(aaa-group)#pptp encrypt mppe 128

XSR(config)#aaa user Jeremiah
XSR(aaa-user)#password amen
XSR(aaa-user)#group PromisedLand

PKI Configuration Options

The XSR’s PKI implementation offers the following CLI commands to:

Identify and configure attributes of Certificate Authorities using the crypto ca identity mode's available commands:

enrollment http-proxy - specifies SCEP requests to be directed through an intermediate proxy server.

enrollment url - URL provided to access the CA (consult your CA administrator for this address). Any DNS names must be manually converted and entered as IP addresses (not acme.com but 192.168.1.1).

enrollment retry count - sets the number of retries for pended enrollment requests.

enrollment retry in period - sets the interval between retries for pended enrollment requests.

crl frequency - sets the interval between runs of the CRL maintenance task to update CRLs.

Collect a CA certificate from a Certificate Authority: crypto ca authenticate. Note that you must verify the fingerprint of the CA against provided information as part of this operation to assure that the CA you access is the CA you expect.

Enroll an IPSec client certificate for your XSR against an authenticated CA: crypto ca enroll.

Immediately update CRL lists by entering crypto ca crl request.

Display various aspects of the crypto configuration using the following show commands:

show crypto ca identity - displays all configured CA identities

show crypto ca certificates - displays all collected certificates (CA Identities and IPSec client certificates)

show crypto ca crls - displays a list of applicable CRLs

Remove individual certificates using the following commands:

Note: For generic AAA background information and configurations, refer to “AAA Services” on page 16-5.
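
The fingerprint check required during crypto ca authenticate, shown as an added example that is not part of the Enterasys manual: a Python helper that compares the fingerprint the router displays with the value obtained out of band from the CA administrator and with a locally held copy of the CA certificate. The hash algorithm is inferred from the fingerprint length because this page does not say which one the XSR displays; the sample certificate bytes and all function names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint length in hex characters -> hash algorithm (assumed candidates).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
PEM_BLOCK = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"

# Constructed stand-in for a CA certificate, NOT a real X.509 structure.
# A fingerprint is a hash over the raw DER bytes, so any payload works here.
SAMPLE_DER = b"constructed-sample-ca-certificate-der-bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(PEM_BLOCK, pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalize(fingerprint: str) -> str:
    """Drop separators (colons, spaces, dots, dashes) and lowercase the hex."""
    hexdigits = re.sub(r"[\s:.\-]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigits) or len(hexdigits) not in ALGO_BY_HEX_LEN:
        raise ValueError("not an MD5, SHA-1 or SHA-256 fingerprint")
    return hexdigits


def fingerprint_matches(der: bytes, displayed: str, trusted: str) -> bool:
    """True only if the device's value, the CA administrator's value and the
    hash computed over the local certificate copy all agree."""
    shown, expected = normalize(displayed), normalize(trusted)
    if len(shown) != len(expected):
        return False  # values come from different hash algorithms
    computed = hashlib.new(ALGO_BY_HEX_LEN[len(expected)], der).hexdigest()
    return hmac.compare_digest(shown, expected) and hmac.compare_digest(computed, expected)
```

A False result means the certificate offered to the router is not the one the CA administrator vouched for, and the authentication should not be accepted.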
