Cisco Packet Data Gateway (PDG) Troubleshooting Guide
Global Configuration Mode Commands
Cisco ASR 5000 Series Command Line Interface Reference
OL-22947-02
ca-certificate
Configures and selects an X.509 CA root certificate to enable a security gateway to perform certificate-based peer
(client) authentication. The system supports a maximum of 16 certificates and 16 CA root certificates. A maximum of
four CA root certificates can be bound to a crypto template.
Product
Privilege
Administrator, Security Administrator, Operator
Syntax
Removes the named CA certificate.
Names the CA certificate.
The PEM-formatted data can be specified (
) or the information can be read from a file via
url
). When read via a file, note that
will not contain the url reference, but will
instead output the data via
, such that the configuration file is self-contained.
Usage
In addition to the X.509 certificate-based gateway authentication method and the PSK (Pre-Shared Key) and
EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) peer (client)
authentication methods, the FNG supports X.509 certificate-based peer authentication.
The FNG checks the network policy on whether a FAP is authorized to provide service. If the network policy
states that all FAPs that pass device authentication are authorized to provide service, no further authorization
check may be required. If the network policy requires that each FAP be individually authorized for service (in
the case where the FEID is associated with a valid subscription), the FNG sends a RADIUS Access-Request
message to the AAA server. If the AAA server sends a RADIUS Access-Accept message, the FNG proceeds
with device authentication. Otherwise, the FNG terminates the IPSec tunnel setup by sending an IKEv2
Notification message indicating authentication failure.
The operator/administrator is responsible for configuring the certificates through the CLI. The FNG will
generate an SNMP notification when the certificate is within 30 days of expiration, and then once a day.
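The limits stated above (16 CA root certificates on the system, expiry notifications starting 30 days before expiration) can be checked on an administration host before the PEM data is loaded. This is an added example, not part of the Cisco reference: it assumes an `openssl` binary and a directory of `*.pem` files, and the function names and sample subject are hypothetical.

```shell
#!/bin/sh
# Added example: pre-load audit of CA root certificates on an admin host.
# Limits taken from the reference text above; everything else is assumed.
MAX_CA_CERTS=16   # system-wide CA root certificate limit
WARN_DAYS=30      # expiry notifications begin this many days before expiry

# audit_ca_dir DIR: print one status line per DIR/*.pem file.
# Exit status: 0 clean, 1 unparsable or expiring file found, 2 over the limit.
audit_ca_dir() (
  count=0 rc=0
  for f in "$1"/*.pem; do
    [ -e "$f" ] || continue
    count=$((count + 1))
    if ! openssl x509 -in "$f" -noout 2>/dev/null; then
      echo "INVALID  $f (not a PEM X.509 certificate)"; rc=1
    elif ! openssl x509 -in "$f" -noout \
             -checkend $((WARN_DAYS * 86400)) >/dev/null; then
      echo "EXPIRING $f ($(openssl x509 -in "$f" -noout -enddate))"; rc=1
    else
      echo "OK       $f ($(openssl x509 -in "$f" -noout -enddate))"
    fi
  done
  if [ "$count" -gt "$MAX_CA_CERTS" ]; then
    echo "TOO MANY $count CA certificates (limit $MAX_CA_CERTS)"; rc=2
  fi
  exit "$rc"
)

# make_sample_ca FILE DAYS: write a constructed self-signed certificate
# valid for DAYS days (sample input only; the key is written to FILE.key).
make_sample_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=constructed-sample-ca" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh audit_ca.sh ./ca-roots
if [ "$#" -gt 0 ]; then audit_ca_dir "$1"; fi
```

The limit of four CA root certificates per crypto template is not checked here, because it depends on the gateway configuration rather than on the certificate files.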
Example
Use the following command to remove a certificate named
: