Cisco ASA 5585-X with No Payload Encryption Technical Manual

Page 16
The ASA is configured to authenticate with a certificate (the client needs to trust that certificate). The
Windows 7 client is configured to authenticate with EAP (EAP-PEAP).
The ASA acts as the VPN gateway terminating the IKEv2 session from the client. The ISE acts as the AAA server
terminating the EAP session from the client. EAP packets are encapsulated in IKE_AUTH packets for traffic
between the client and the ASA (IKEv2) and then in RADIUS packets for authentication traffic between the
ASA and the ISE.
Certificates
A Microsoft Certificate Authority (CA) was used to generate the certificate for the ASA. The
requirements for the certificate to be accepted by the Windows 7 native client are:
• The Extended Key Usage (EKU) extension should include Server Authentication (the "Web
server" template was used in this example).
• The Subject Name should include the Fully Qualified Domain Name (FQDN) that the client
will use to connect (in this example ASAv.example.com).
For more details on the Microsoft client, see Troubleshooting IKEv2 VPN Connections.
Note: Android 4.x is more restrictive and requires the correct Subject Alternative Name as per RFC 6125. For
more information on Android, see IKEv2 from Android strongSwan to Cisco IOS with EAP and RSA
Authentication.
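The two client requirements above (EKU with Server Authentication, and the dialed FQDN found in the Subject Name for Windows 7 or in a SAN dNSName for Android 4.x per RFC 6125) can be checked before the certificate is installed on the ASA. This is an added example, not from the manual or from Cisco: the certificate fields are passed in as plain values (assumed to have been extracted with a library such as `cryptography`), and the hostname matching follows the RFC 6125 wildcard rules.

```python
"""Check a VPN gateway certificate against the client requirements listed
above. Added example: EKU OIDs, SAN dNSName entries and the Subject CN are
passed in as plain Python values (assumed extracted from the certificate with
a library such as `cryptography`); nothing here talks to the ASA or ISE."""

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (EKU "Server Authentication")


def dns_name_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison: case-insensitive, and a
    wildcard is accepted only as the entire leftmost label, never matching
    across a dot and never against a name with fewer than two further labels."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    head, _, tail = pattern.partition(".")
    if head != "*" or "." not in tail:
        return False            # e.g. "a*.example.com" or "*.com" are rejected
    fhead, _, ftail = fqdn.partition(".")
    return bool(fhead) and ftail == tail


def check_gateway_cert(fqdn: str, eku_oids, san_dns_names, subject_cn) -> dict:
    """Return per-client findings for the FQDN the client will dial.

    windows7_ok models the requirement stated on this page (EKU Server
    Authentication plus the FQDN in the Subject Name); android4_ok models the
    stricter Android 4.x requirement (EKU plus a matching SAN dNSName)."""
    eku_ok = SERVER_AUTH_OID in set(eku_oids)
    san_ok = any(dns_name_matches(name, fqdn) for name in san_dns_names)
    cn_ok = subject_cn is not None and dns_name_matches(subject_cn, fqdn)
    return {
        "eku_server_auth": eku_ok,
        "subject_cn_matches": cn_ok,
        "san_matches": san_ok,
        "windows7_ok": eku_ok and cn_ok,
        "android4_ok": eku_ok and san_ok,
    }


if __name__ == "__main__":
    # Constructed sample: a "Web server" template style cert with CN only.
    print(check_gateway_cert("ASAv.example.com", [SERVER_AUTH_OID], [], "ASAv.example.com"))
```

A certificate carrying only the CN passes the Windows 7 check but fails the Android 4.x check, which is exactly the difference the note above describes.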
This configuration was used to generate a certificate signing request on the ASA:
hostname ASAv
domain-name example.com