- Enterasys Security Router User's Guide

VPN Configuration Overview
XSR(aaa-user)#aaa password ThISisMYShaREDsecRET
The following sample configuration creates user Jeremiah in the PromisedLand usergroup, with
DNS, WINS and MPPE encryption, and assigns IP local pool remote_users for remote access:
XSR(config)#aaa group PromisedLand
XSR(aaa-group)#dns server primary 112.16.1.16
XSR(aaa-group)#dns server secondary 112.30.30.20
XSR(aaa-group)#wins server primary 112.16.1.16
XSR(aaa-group)#wins server secondary 112.16.1.13
XSR(aaa-group)#ip pool remote_users
XSR(aaa-group)#pptp encrypt mppe 128
XSR(config)#aaa user Jeremiah
XSR(aaa-user)#password amen
XSR(aaa-user)#group PromisedLand
PKI Configuration Options
The XSR’s PKI implementation offers the following CLI commands to:
- Identify and configure attributes of Certificate Authorities using the crypto ca identity mode's available commands:
  - enrollment http-proxy specifies SCEP requests to be directed through an intermediate proxy server.
  - enrollment url - URL provided to access the CA (consult your CA administrator for this address). Any DNS names must be manually converted and entered as IP addresses (not acme.com but 192.168.1.1).
  - enrollment retry count sets the number of retries for pended enrollment requests.
  - enrollment retry in period sets the interval between retries for pended enrollment requests.
  - crl frequency sets the interval between runs of the CRL maintenance task to update CRLs.
- Collect a CA certificate from a Certificate Authority: crypto ca authenticate. Note that you must verify the fingerprint of the CA against provided information as part of this operation to assure that the CA you access is the CA you expect.
- Enroll an IPSec client certificate for your XSR against an authenticated CA: crypto ca enroll.
- Immediately update CRL lists by entering crypto ca crl request.
- Display various aspects of the crypto configuration using the following show commands:
  - show crypto ca identity displays all configured CA identities
  - show crypto ca certificates displays all collected certificates (CA Identities and IPSec client certificates)
  - show crypto ca crls displays a list of applicable CRLs
- Remove individual certificates using the following commands:
Note: For generic AAA background information and configurations, refer to “AAA Services” on page 16-5.
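The fingerprint check that crypto ca authenticate calls for can also be done off the router, against a copy of the CA certificate obtained from the CA administrator. The Python below is an added example and is not part of the Enterasys guide: the function names and the sample certificate bytes are constructed, and the digest type is assumed from the length of the reference fingerprint because the page does not say which one the XSR displays.

```python
import base64
import hashlib
import hmac
import re

# Digest inferred from the number of hex characters in the reference value.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here only to build sample input)."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def normalize_fingerprint(text: str) -> str:
    """Drop separators and case so 'AB:CD', 'ab cd' and 'ABCD' compare equal."""
    hexstr = re.sub(r"[\s:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("fingerprint contains non-hex characters")
    if len(hexstr) not in ALGO_BY_HEX_LEN:
        # A shortened value must never be accepted as a partial match.
        raise ValueError("fingerprint is truncated or of an unknown type")
    return hexstr

def display_fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint of the certificate in the usual AA:BB:... display form."""
    h = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def ca_fingerprint_matches(pem: str, reference: str) -> bool:
    """True only if the full digest of the certificate equals the reference."""
    ref = normalize_fingerprint(reference)
    digest = hashlib.new(ALGO_BY_HEX_LEN[len(ref)], pem_to_der(pem)).hexdigest()
    return hmac.compare_digest(digest, ref)

# Constructed stand-in bytes, not a real CA certificate.
SAMPLE_DER = b"constructed stand-in for CA certificate DER bytes"
SAMPLE_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    reference = display_fingerprint(SAMPLE_PEM)  # value received out of band
    print(reference, ca_fingerprint_matches(SAMPLE_PEM, reference))
```

The reference value should come from a channel independent of the enrollment URL, since a fingerprint fetched from the same server the certificate came from proves nothing.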