An ASA with the latest IOS and AnyConnect versions was configured for 2 groups:
- one for all SSL VPN connections using a certificate (Main_Group);
- one for auto SCEP enrollment (Cert_Enroll) using AAA LOCAL. An AnyConnect Profile (AC_Profile) was created with enrollment parameters (URL, thumbprint, etc.), without the Get Certificate button but with a Password prompt, because the CA (AD CS Win2008R2) was configured to use a single (unchanged) password for all enrollment requests from any device.
Problem description:
When Main_Group isn't connected (certificate failed), I select the Cert_Enroll connection from the dropdown list and authenticate successfully, then the auto enrollment process starts... the window for entering the CA password opens for approximately 0.5 seconds and is automatically closed. The certificate isn't received. In the tray, the icon with a connection attempt (a running small square) is shown.
What's the problem? Why did auto SCEP enrollment fail?
P.S.: The CA was configured for SCEP enrollment, and network devices successfully pass SCEP enrollment if a Trustpoint is used in the config (url http://.../mscep.dll).