VPN Configuration Overview

XSR(aaa-user)#aaa password ThISisMYShaREDsecRET

The following sample configuration creates user Jeremiah in the PromisedLand user group, configures DNS servers, WINS servers and MPPE encryption for the group, and assigns the IP local pool remote_users for remote access:

XSR(config)#aaa group PromisedLand

XSR(aaa-group)#dns server primary 112.16.1.16

XSR(aaa-group)#dns server secondary 112.30.30.20

XSR(aaa-group)#wins server primary 112.16.1.16

XSR(aaa-group)#wins server secondary 112.16.1.13

XSR(aaa-group)#ip pool remote_users

XSR(aaa-group)#pptp encrypt mppe 128

XSR(config)#aaa user Jeremiah

XSR(aaa-user)#password amen

XSR(aaa-user)#group PromisedLand

Note: For generic AAA background information and configurations, refer to “AAA Services” on page 16-5.

PKI Configuration Options

The XSR’s PKI implementation offers CLI commands to:

Identify and configure attributes of Certificate Authorities using the crypto ca identity mode's available commands:

enrollment http-proxy specifies SCEP requests to be directed through an intermediate proxy server.

enrollment url - URL provided to access the CA (consult your CA administrator for this address). Any DNS names must be manually converted and entered as IP addresses (for example, 192.168.1.1 rather than acme.com).

enrollment retry count sets the number of retries for pended enrollment requests.

enrollment retry in period sets the interval between retries for pended enrollment requests.

crl frequency sets the interval between runs of the CRL maintenance task to update CRLs.

Collect a CA certificate from a Certificate Authority: crypto ca authenticate. As part of this operation you must verify the fingerprint of the CA against the information provided to you, to ensure that the CA you access is the CA you expect.

Enroll an IPSec client certificate for your XSR against an authenticated CA: crypto ca enroll.

Immediately update CRL lists by entering crypto ca crl request.

Display various aspects of the crypto configuration using the following show commands:

show crypto ca identity displays all configured CA identities

show crypto ca certificates displays all collected certificates (CA Identities and IPSec client certificates)

show crypto ca crls displays a list of applicable CRLs

Remove individual certificates using the following commands:

XSR User’s Guide 14-27
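The fingerprint check that crypto ca authenticate calls for can also be done off-box on a copy of the CA certificate. The following is an added example, not code from the XSR manual: the function names are hypothetical, the sample certificate is constructed, and the digest type is inferred from the length of the trusted value because this page does not say which digest the XSR displays.

```python
import base64
import hashlib
import hmac
import re

# Hex-digit count of a fingerprint -> digest that produced it.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def normalize_fingerprint(text):
    """Strip separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    hex_digits = re.sub(r"[\s:.-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_digits):
        raise ValueError("fingerprint contains non-hex characters")
    if len(hex_digits) not in ALGO_BY_HEX_LEN:
        # A truncated value must never be accepted as a partial match.
        raise ValueError("fingerprint is not a full MD5/SHA-1/SHA-256 digest")
    return hex_digits


def ca_fingerprint_matches(pem_text, trusted_fingerprint):
    """Compare the certificate's digest with the value obtained out of band."""
    expected = normalize_fingerprint(trusted_fingerprint)
    algo = ALGO_BY_HEX_LEN[len(expected)]
    actual = hashlib.new(algo, pem_to_der(pem_text)).hexdigest()
    return algo, hmac.compare_digest(actual, expected)


# Constructed sample: arbitrary bytes in PEM armor, not a real CA certificate.
SAMPLE_DER = b"constructed stand-in for a CA certificate body"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    digest = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
    from_admin = ":".join(digest[i:i + 2] for i in range(0, 40, 2))
    print(ca_fingerprint_matches(SAMPLE_PEM, from_admin))
```

The trusted value must come from the CA administrator over a channel other than the one the certificate arrived on; comparing a certificate against a fingerprint fetched from the same server proves nothing.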
