Posted by Roy Smith on July 19, 2005, 7:41 pm
I've got the Cisco VPN Client 4.6.04 (0061) on my OSX-10.3 PowerBook. I'm
trying to enroll a certificate, but can't quite figure out the instructions.
I do Certificates/Enroll... and get the Certificate Enrollment dialog box.
I fill in the CA URL, CA Domain, Challenge Password, and New Password, and
get to the second screen. The CN, OU, O, ST, C, and E entries are
straightforward, but I'm stumped for what I'm supposed to enter for IP Address and
Domain. The docs say:
-------
IP Address--The IP address of your system, for example, 10.10.10.1.
Domain--The Fully Qualified Domain Name of the host for your system; for
example, Dialin_Server.
-------
What IP address (and FQDN) are they talking about? The IP address I got
from my DHCP server on my little home network? My externally visible
static IP address on the other side of my NAT box? Neither of these makes
much sense, but I can't think of anything else they might want. Or do they
mean the IP address of the VPN concentrator I'm going to attach to? My
employer runs about a dozen such concentrators (East Coast, West Coast,
Europe, etc, plus backups for each); if the latter interpretation is
correct, does that mean I need to enroll a new certificate for each one?
I'm also stumped by the example they give, "Dialin_Server", as supposedly
being a FQDN.

Posted by on July 20, 2005, 1:13 am
The IP address does mean your IP address, but it is usually optional.
If you have the default identity cert matching config on your VPN
concentrator then it will just do the basic cert checks (issued by the
same CA/CA hierarchy as own cert; within validity dates; etc.) and
attempt to associate you with the appropriate user group based on
whatever you have typed for OU (this should be the same as the
corresponding group name on the VPN concentrator).
So, you shouldn't need to type an IP address - just leave it blank. And
you shouldn't have to enroll and obtain a certificate for each VPN
concentrator, unless, that is, each concentrator has a certificate from a
different CA/CA hierarchy (that would be pretty weird!).
Hope that helps,
Mark
CCIE#6280 / CCSI#21051 / JNCIS#121 / etc
Author: www.ciscopress.com/1587051044
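
The checks described in the reply above (issued by the same CA, within validity dates, group taken from the OU) can be reproduced with OpenSSL. This is an added example, not part of the original posts and not the concentrator's own logic; the CA, the subject fields and the "Engineering" group are constructed, and the client certificate carries no IP address or domain.

```shell
#!/bin/sh
# Added illustration: all names, subjects and the "Engineering" group are constructed.
set -eu

# Build a throwaway CA and a client certificate whose OU names the group.
# No IP address or domain is put into the certificate.
make_demo_pki() {   # $1 = empty working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Corp/CN=Example Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=NY/O=Example Corp/OU=Engineering/CN=Demo User" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 7 -out "$1/client.crt" 2>/dev/null
}

# Basic checks: the certificate chains to the trusted CA and is inside its
# validity dates. On success, print the OU (the group name to look up).
cert_group() {      # $1 = trusted CA cert, $2 = client cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "group from OU: $(cert_group "$d/ca.crt" "$d/client.crt")"
    rm -rf "$d"
}
demo
```

The same client certificate passes against any gateway that trusts this CA, and is rejected by one that trusts a different CA.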