SCEP Proxy vs. Legacy SCEP (ASA and AnyConnect)

jimsiff
Level 1

Hello,

We currently have a Legacy SCEP deployment using ASAs and a Windows Server 2008 R2 PKI environment for AnyConnect client certificate enrollment. I'd like to switch from Legacy SCEP to SCEP Proxy, but it isn't clear that SCEP Proxy supports the "Prompt for Challenge Password" feature we use in Legacy SCEP. The "Prompt for Challenge Password" variable seems to be part of the XML tag used for the "CA URL", which is only used in Legacy SCEP.

If "Prompt For Challenge Password" isn't supported with SCEP Proxy, it seems like Cisco took one step forward and one step backward with the newer feature.  Sure, you don't expose your PKI RA to remote users, but you eliminate the only element of user authorization for new certificates if you allow remote users to generate a VPN certificate with nothing more than their username and password.

Thanks,

Jim
