Anyconnect cert request failing

mors105
Level 1

Hi, I'm having EXACTLY the same problem as per the user in this thread:

https://supportforums.cisco.com/message/3378523#3378523

And I'm getting exactly the same errors. The user in that thread reports that he had to raise a TAC case for the issue, that they advised him how to fix it, and that Cisco has given out an incorrect configuration guide to the public. The user only posts that he had to add 'extra trustpoints' to solve the issue. I've tried that and nothing happens.

When I use an IOS CA, the solution with SCEP proxying works perfectly. When I use a 2008 server as the CA, it enrolls the ASA fine but refuses to enroll the clients via AnyConnect, and sends this error back via ASDM when editing the group policy:

[OK] group-policy GroupPolicy_anycon attributes

      group-policy GroupPolicy_anycon attributes

[OK] vpn-tunnel-protocol ssl-clientless ssl-client ikev1 ikev2

[ERROR] scep-forwarding-url value http://2.2.2.2/certsrv/mscep/mscep.dll

Attempting to retrieve the CA/RA certificate(s) using the URL. Please wait ...

Received 3 CA/RA certificate(s) using the SCEP URL.

NON-RESIDENT CERT: serial: 610BB89C000000000002, subject: cn=server-2008-ca,c=GB

NON-RESIDENT CERT: serial: 610BBB5B000000000003, subject: cn=server-2008-ca,c=GB

RESIDENT CERT: serial: 12AF8E699771C9A349112A00489064E7, subject: cn=server-2008-ca,dc=lab-test,dc=co,dc=uk

WARNING: Please check if you have all the required certificate(s) in the config to authenticate the certificates that will be issued using this SCEP URL

[OK] exit

Could someone please advise what I need to do to resolve this? I've tried adding extra trustpoints like this, but it doesn't help the situation:

crypto ca trustpoint server-ca2

enrollment url http://2.2.2.2:80/certsrv/mscep/mscep.dll

subject-name CN=ciscoasa

keypair newkeypair

crl configure
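As an added check (not from this thread, Cisco, or the ASA itself), here is a small parser for the ASDM output quoted above. It separates the CA/RA certificates the SCEP URL returned into those the ASA already holds as trustpoint certificates (RESIDENT) and those it does not (NON-RESIDENT), and cross-checks the count against the "Received N CA/RA certificate(s)" line. Each NON-RESIDENT entry is a certificate the ASA cannot yet use to validate client certificates issued through that RA. The sample input is a constructed copy of the output shown in the post.

```python
import re

# Constructed sample input: the ASDM output quoted in the post above.
ASDM_OUTPUT = """\
Received 3 CA/RA certificate(s) using the SCEP URL.
NON-RESIDENT CERT: serial: 610BB89C000000000002, subject: cn=server-2008-ca,c=GB
NON-RESIDENT CERT: serial: 610BBB5B000000000003, subject: cn=server-2008-ca,c=GB
RESIDENT CERT: serial: 12AF8E699771C9A349112A00489064E7, subject: cn=server-2008-ca,dc=lab-test,dc=co,dc=uk
WARNING: Please check if you have all the required certificate(s) in the config
"""

CERT_LINE = re.compile(
    r"^(?P<status>NON-RESIDENT|RESIDENT) CERT: serial: (?P<serial>[0-9A-Fa-f]+), "
    r"subject: (?P<subject>.+)$"
)
COUNT_LINE = re.compile(r"Received (\d+) CA/RA certificate")


def parse_scep_certs(output):
    """Return one dict per CA/RA certificate line, in the order ASDM printed them."""
    certs = []
    for line in output.splitlines():
        m = CERT_LINE.match(line.strip())
        if m:
            certs.append({
                "serial": m["serial"].upper(),
                "subject": m["subject"].strip(),
                "resident": m["status"] == "RESIDENT",
            })
    return certs


def expected_count(output):
    """Number of certificates ASDM says it received, or None if the line is absent."""
    m = COUNT_LINE.search(output)
    return int(m.group(1)) if m else None


def missing_certs(output):
    """Certificates the SCEP server returned that the ASA has no trustpoint for.

    Raises ValueError if the parsed lines do not match the announced count, so a
    truncated paste is not silently reported as "all present".
    """
    certs = parse_scep_certs(output)
    announced = expected_count(output)
    if announced is not None and announced != len(certs):
        raise ValueError(f"ASDM announced {announced} certs but {len(certs)} were listed")
    return [c for c in certs if not c["resident"]]


if __name__ == "__main__":
    for c in missing_certs(ASDM_OUTPUT):
        print(f"no trustpoint for serial {c['serial']} ({c['subject']})")
```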

3 Replies

Itzcoatl Espinosa
Cisco Employee

Hi Mark,

I am not sure if I understood correctly, but I believe it could be solved as follows.

1. Create a Tunnel-Group called 'CertEnroll' with AAA Auth only and have the profile for this point to the SCEP/CA server.

2. Create a second Tunnel-Group called 'Mobile' with Cert Auth only.

In this scenario, the user would need to first fail cert auth by selecting the 'Mobile' Tunnel-Group (this should fail as the user does not have the appropriate cert).

Then, the user would need to select the 'CertEnroll' group, which should point to the SCEP/CA server and enroll the user. Then, the user could connect via the 'Mobile' tunnel-group with their newly obtained certificate.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml

I hope it helps,

regards,

Itzcoatl

Hi Itzcoatl, what is actually happening is that the CA is sending me 3 CA certs when I edit the group policy for the profile, the same as what the other user was getting.

The other user mentions that I need to create 2 extra trustpoints and that this isn't mentioned in any documentation?

The method you have posted works fine with an IOS CA but will not work in my situation, and it is not really the problem I'm having.

The problem I'm having is that I'm getting 3 CA certs from the CA, when I only expected 1, and it won't allow me to use proxy SCEP because of this.

mors105
Level 1

All, I have resolved this issue myself. I've got to say, without raising a TAC, Cisco's support on this issue is really poor. The support in this forum looks to be hit and miss at the very best, and there is no Cisco documentation of how to complete this process even though it's one of their 'major products' and it's included in their examination criteria.

No one should be able to complete this with the current Cisco documentation, no one. If you're using a 2008 server with NDES, and trying to use proxy SCEP, then this solution and guidance from Cisco is completely un-doable.

If you need help with this error contact me directly as you're not going to get help from Cisco on it without a TAC.

Regards

Mark