PKI Server and IPv6.

I wanted to configure PKI Server based on IPv6 and I found one problem. According to Cisco documentation you should use ‘[]’ for IPv6 addresses:

Router (ca-trustpoint)# enrollment url http://[2001:DB8:1:1::1]:80

When I wanted to do the same I found one bug:

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
r2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r2(config)#crypto pki trustpoint PKI-TRUSTPOINT
r2(ca-trustpoint)# enrollment url http://[2001:100::1]:80
r2(ca-trustpoint)# revocation-check crl
r2(ca-trustpoint)#end
r2#
May  1 23:18:26.699: %SYS-5-CONFIG_I: Configured from console by console
r2#sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100
 revocation-check crl
!
!

As you see the address is truncated just after ‘::’.

I tested also IOS 15.2(3)T3 and it seems to be fixed:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T3, RELEASE SOFTWARE (fc1)
r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#crypto pki trustpoint PKI-TRUSTPOINT
r1(ca-trustpoint)#enrollment url http://[2001:100::1]:80
r1(ca-trustpoint)#end
r1#
*May  1 23:20:09.283: %SYS-5-CONFIG_I: Configured from console by console
r1#sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100::1]:80
 revocation-check crl
!

Sometimes you can spend a lot of time before you find out why your trustpoint can’t authenticate, so check the configuration first before you start troubleshooting.

 
3
Kudos
 
3
Kudos

Now read this

ACS, radius and management access to ASA

There are couple of ways how to configure management access to ASA. One of them is configuring users in ACS database. Depending on radius attributes the user can have access to specific management ways. ciscoasa# sh run aaa aaa... Continue →