Showing results for 
Search instead for 
Did you mean: 

Community Helping Community


Anyconnect, SCEP for Windows

Cisco Adaptive Security Appliance Software Version 9.0(2)

Device Manager Version 7.1(2)

I need to set up AnyConnect so that remote users using Windows PCs can easily download/provision the AnyConnect client, enroll using SCEP to get their certificate and then connect to the VPN using the certificate for authentication.

So far I have the first part set up and working; users are able to connect to and install the AnyConnect client and then proceed through the enrollment process by using an AnyConnect Client Profile that uses SCEP to take care of the certifiacte work.

After the enrollment is complete, however, when clients attempt to connect they have to enter their username and password. It doesn't use the certificate as I thought it would. Do I need to create another tunnel group for clients to use that only uses certificate authentication? If so, do I need to specify that tunnel group in the AnyConnect Client Profile so that clients, after enrollment, are automatically directed to that tunnel group? If so, how do I do that.

I'm a bit overwhelmed with the amount of documentation so I apologize if I'm using the wrong words and terminology. And at this time I'm only concerned about Windows PCs, no iOS or Android.

ASA Code:

group-policy certgroup internal

group-policy certgroup attributes

wins-server none

dns-server value 10.x.y.z

vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

split-tunnel-network-list value Jabber_Split_Tunnel

default-domain value company.local

scep-forwarding-url value http://10.x.y.a/certsrv/mscep/mscep.dll


  anyconnect profiles value ac_scep type user

tunnel-group certtunnel type remote-access

tunnel-group certtunnel general-attributes

address-pool Jabber_VPN_Pool

authentication-server-group RADIUS

default-group-policy certgroup

scep-enrollment enable

tunnel-group certtunnel webvpn-attributes

authentication aaa certificate

group-alias certtunnel enable

group-url enable


Everyone's tags (4)

Anyconnect, SCEP for Windows

I should also mention that we'll have multilple tunnel groups set up on this ASA. So we'll need a way to automatically select the proper tunnel group based on something, perhaps an item in the certificate. I think I remember reading about that being a possibility.

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here