topic Marvin,yes, I'm aware of SCEP in Network Security

AnyConnect 4.0 Integration with ISE Version 1.3. Certificate

dgolovach — Fri, 21 Feb 2020 13:28:15 GMT

Hi all!

Is it possible to configure ISE 1.3 for provisioning AnyConnect 4.0 and pushing certificate (as by using native supplicant)? So, after that, AnyConnect will be able to use EAP-TLS and cert for network access.

It will be great, if it is possible with disabled VPN Module

Thank you

Yes. This is a relatively

Marvin Rhoads — Fri, 08 May 2015 03:49:07 GMT

Yes. This is a relatively commonly implemented use case.

Thank you for your reply

dgolovach — Fri, 15 May 2015 15:03:01 GMT

Thank you for your reply.

Where can I read about how to do this?

I can provision AnyConnect with client EAP-TLS authe and it works if there is existing certificate at client PC. If there is no certificate, NAM is not provisioning it to the client.

Thank you

Please have a look at the two

Marvin Rhoads — Fri, 15 May 2015 17:13:52 GMT

Please have a look at the two How To: BYOD... documents on the ISE Design Guides page.

Specifically, note around page 34 and onward in the 2nd document where they talk about setting up the Simple Certificate Enrollment Protocol (SCEP) profile and server.

Marvin,yes, I'm aware of SCEP

dgolovach — Fri, 22 May 2015 20:56:01 GMT

Marvin,

yes, I'm aware of SCEP configuration in ISE, and it works fine with NSP. If using NSP, it will talk to ISE and provision certificate for the Windows client just fine. What I'm wondering is how to make it work without NSP, аnd with CPP for Anyconnect. When client connects with CPP portal and gets Anyconnect with NAM install, there are no options in XML profile for NAM to do SCEP provisioning. I'm trying to understand how to get certificate to the client in this situation.

Thanks!