
How to configure ASA as Local SCEP server

pugman
Level 1

Hi All, I'm fairly new to Cisco ASA so please excuse my naivety.

We have a Cisco 5555 ASA which is currently configured for AnyConnect VPN via AD. The next step is to authenticate users/laptops with AD + Certificates.

 

I have configured the ASA as a Local CA Server and I can authenticate via manual enrollment (following this guide: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200602-Configure-ASA-as-a-Local-CA-Server-and-A.html).

 

However, we have 500+ laptops so I need to automate this process using SCEP. All the online guides refer to an external Microsoft SCEP server only, e.g. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200602-Configure-ASA-as-a-Local-CA-Server-and-A.html

 

How can I use the ASA as both the Local CA and SCEP server for automatic enrollment? Any help would be greatly appreciated!

 

1 Reply

GioGonza
Level 4

Hello @pugman

 

The ASA cannot perform the configuration you want to accomplish. You can configure the Local CA on the ASA but it will only work with AAA and OTP (you could send it through email or manually from ASDM or CLI), but there is no way you can enable the Local CA to make it work with SCEP; the feature is not supported.

 

You could have the CA on a Windows Server and automate the process, but you cannot do it on the ASA.

 

HTH

Gio
