Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
I need to set up AnyConnect so that remote users using Windows PCs can easily download/provision the AnyConnect client, enroll using SCEP to get their certificate and then connect to the VPN using the certificate for authentication.
So far I have the first part set up and working; users are able to connect to https://company.com and install the AnyConnect client and then proceed through the enrollment process by using an AnyConnect Client Profile that uses SCEP to take care of the certificate work.
After the enrollment is complete, however, when clients attempt to connect they have to enter their username and password. It doesn't use the certificate as I thought it would. Do I need to create another tunnel group for clients to use that only uses certificate authentication? If so, do I need to specify that tunnel group in the AnyConnect Client Profile so that clients, after enrollment, are automatically directed to that tunnel group? If so, how do I do that?
I'm a bit overwhelmed with the amount of documentation so I apologize if I'm using the wrong words and terminology. And at this time I'm only concerned about Windows PCs, no iOS or Android.
group-policy certgroup internal
group-policy certgroup attributes
 dns-server value 10.x.y.z
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-network-list value Jabber_Split_Tunnel
 default-domain value company.local
 scep-forwarding-url value http://10.x.y.a/certsrv/mscep/mscep.dll
 webvpn
  anyconnect profiles value ac_scep type user
tunnel-group certtunnel type remote-access
tunnel-group certtunnel general-attributes
tunnel-group certtunnel webvpn-attributes
 authentication aaa certificate
 group-alias certtunnel enable
 group-url https://remote.company.com/certgroup enable
I should also mention that we'll have multiple tunnel groups set up on this ASA. So we'll need a way to automatically select the proper tunnel group based on something, perhaps an item in the certificate. I think I remember reading about that being a possibility.
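Editor's added example (not part of the original post): an ASA configuration sketch for the two things the post asks about, a tunnel group that authenticates with the certificate alone, and automatic tunnel-group selection keyed on a field in the client certificate. The tunnel-group name `certtunnel`, the policy `certgroup` and the group-url are taken from the post; the certificate-map name `CERT_VPN_USERS` and the assumption that the SCEP-issued certificates carry `OU=VPN-Users` in their subject are made up for the example and must be replaced with whatever the CA template actually puts in the certificate.

```cisco
! --- Certificate-only authentication on the tunnel group ---
! "authentication aaa certificate" demands BOTH a username/password
! and a certificate, which is why users are still prompted after
! enrollment. "authentication certificate" uses the certificate only.
tunnel-group certtunnel webvpn-attributes
 authentication certificate
 group-alias certtunnel enable
 group-url https://remote.company.com/certgroup enable
!
! --- Select the tunnel group from the certificate contents ---
! A certificate map is a set of match rules on certificate fields.
! Assumed: enrolled client certs have OU=VPN-Users in the subject DN.
crypto ca certificate map CERT_VPN_USERS 10
 subject-name attr ou eq VPN-Users
!
! Bind the map to the tunnel group for AnyConnect SSL sessions.
webvpn
 certificate-group-map CERT_VPN_USERS 10 certtunnel
!
! Equivalent binding for IPsec/IKEv2 remote-access sessions.
tunnel-group-map enable rules
tunnel-group-map CERT_VPN_USERS 10 certtunnel
```

Two caveats worth keeping in mind. First, a certificate-only group can only admit clients that already hold a certificate, so the group used for initial SCEP enrollment still needs username/password (AAA) authentication; clients that have completed enrollment are then steered to `certtunnel` either by the certificate map above or by pointing the profile's server entry at the `group-url`. Second, the map is evaluated in rule-number order, so with several tunnel groups each group gets its own map (or a distinct rule number) matching a distinguishing field, and a certificate that matches nothing falls back to the default tunnel-group selection.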