
AnyConnect Profiles not getting downloaded.

MANSOORQ123
Level 1

Dear Team Members

I am facing the following issue in AnyConnect VPN deployment.

Requirement - Users should receive the AnyConnect profile, which has SCEP enabled, so that they can request a certificate from the organization Microsoft CA.

I already have a certificate on the ASA from the same CA and I want to use certificate authentication for AnyConnect.

ASA version is 8.4. I defined the flow as:

1: Create User > bind it with a group policy > bind group policy with tunnel-group ( Connection profile)

2: Define a profile (that has SCEP enabled & CA information URL etc.) and bind it with the group policy and also add it under

   webvpn

   AnyConnect Profile ....

When I initiate https://ASA_Ip_Address I authenticate with the username/password created above, AnyConnect is installed and I am connected, but the profile is not downloaded, because I see no change on my AnyConnect screen to request a certificate. It remains the same, as no profile is available.

I have followed the standard procedure. Please guide me on what could be going wrong.

Any inputs from your side will be highly appreciated.

Thanks

Ahad

3 Replies

Marvin Rhoads
Hall of Fame

It sounds like you are going about it correctly. You didn't mention all the details you set up or provide the configuration, but I recommend you review the steps for SCEP in the AnyConnect Admin Guide here.

Have you examined the profile (.xml file) on your ASA to verify it has the parameters you expect? If it does, you could try manually copying the xml onto a test client to see if it then behaves in the way you desire. The location it resides in is %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile for Windows 7 clients.

Hello Marvin

Thanks for your efforts in responding.

As such I am using ASA 8.4, ASDM 6.47 & AnyConnect package - Anyconnect-win-2.5.3055-k9.pkg (I am using ver 2.5, because ver 3.0 does not support iPhones & Windows Mobile phones).

Client PC - Windows 7 - 32 bit

1: I created the AnyConnect profile using ASDM. It has simple settings to publish CA server details for SCEP, so that AnyConnect users can request the certificate through SCEP (XML file attached).

2: As checked, the profile folder is not available in

c:\program files \ cisco \ Cisco Anyconnect VPN Client

That simply means that profiles are not getting downloaded.

3: Configuration is attached & also the profile XML file.

"you could try manually copying the xml onto a test client to see if it then behaves in the way you desire." - Can you explain a bit more how this testing can be done?

Please let me know what additional config is required.

Thanks in advance

Ahad

On a Windows 7 client, the AnyConnect profile (xml file) gets downloaded into %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile automatically when it works as you desire. In cases where one wants to not automatically download (e.g., pre-deployment scenario), it can be manually copied into that location. If you do that, it will at least validate that the profile works.

Reference this section of the AnyConnect Admin Guide.
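
The two checks suggested in the replies (does the profile XML contain the SCEP parameters, and is a profile present in the client's profile folder) can be scripted. This is an added example, not part of the thread or of Cisco's tooling; the sample profile and its host names are constructed, and the element names follow the AnyConnect profile schema as an assumption to verify against your own XML.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample profile (hypothetical host names), not the poster's attachment.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateEnrollment>
      <AutomaticSCEPHost>vpn.example.com/certenroll</AutomaticSCEPHost>
      <CAURL PromptForChallengePW="true">http://ca.example.com/certsrv/mscep/mscep.dll</CAURL>
      <CertificateSCEP>
        <Name_CN>%USER%</Name_CN>
        <KeySize>2048</KeySize>
        <DisplayGetCertButton>true</DisplayGetCertButton>
      </CertificateSCEP>
    </CertificateEnrollment>
  </ClientInitialization>
</AnyConnectProfile>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def scep_settings(xml_data):
    """Return SCEP enrollment settings from profile XML (str or bytes), or None if absent."""
    root = ET.fromstring(xml_data)
    enroll = next((e for e in root.iter() if local(e.tag) == "CertificateEnrollment"), None)
    if enroll is None:
        return None  # profile loads, but the client would show no certificate request option
    wanted = {"AutomaticSCEPHost", "CAURL", "Name_CN", "KeySize", "DisplayGetCertButton"}
    return {local(e.tag): (e.text or "").strip() for e in enroll.iter() if local(e.tag) in wanted}

def check_profile_dir(path):
    """Map each .xml profile in `path` to its SCEP settings; empty dict if the folder is missing."""
    if not os.path.isdir(path):
        return {}
    result = {}
    for name in sorted(os.listdir(path)):
        if name.lower().endswith(".xml"):
            with open(os.path.join(path, name), "rb") as fh:  # bytes: parser honours the XML encoding
                result[name] = scep_settings(fh.read())
    return result

if __name__ == "__main__":
    # Default is the Windows 7 location given in the reply above.
    default = os.path.expandvars(r"%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile")
    folder = sys.argv[1] if len(sys.argv) > 1 else default
    found = check_profile_dir(folder)
    print(found if found else f"No profile XML found in {folder}")
```

An empty result means no profile reached the client; a profile name mapped to `None` means the profile arrived but carries no certificate enrollment section.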