10-03-2013 03:04 PM - edited 02-21-2020 07:12 PM
Hi, I'm having EXACTLY the same problem as per the user in this thread:
https://supportforums.cisco.com/message/3378523#3378523
And I'm getting exactly the same errors. The user in the thread reports he had to raise a TAC for the issue and they advised him how to fix it, and Cisco have given out an incorrect configuration guide to the public. The user only posts that he had to add 'extra trustpoints' to solve the issue. I've tried that and nothing happens.
When I use an IOS CA, the solution with SCEP proxying works perfectly. When I use a 2008 server as the CA, it enrolls the ASA fine, but refuses to enroll the clients via AnyConnect and sends this error back via the ASDM when editing the group policy:
[OK] group-policy GroupPolicy_anycon attributes
group-policy GroupPolicy_anycon attributes
[OK] vpn-tunnel-protocol ssl-clientless ssl-client ikev1 ikev2
[ERROR] scep-forwarding-url value http://2.2.2.2/certsrv/mscep/mscep.dll
Attempting to retrieve the CA/RA certificate(s) using the URL. Please wait ...
Received 3 CA/RA certificate(s) using the SCEP URL.
NON-RESIDENT CERT: serial: 610BB89C000000000002, subject: cn=server-2008-ca,c=GB
NON-RESIDENT CERT: serial: 610BBB5B000000000003, subject: cn=server-2008-ca,c=GB
RESIDENT CERT: serial: 12AF8E699771C9A349112A00489064E7, subject: cn=server-2008-ca,dc=lab-test,dc=co,dc=uk
WARNING: Please check if you have all the required certificate(s) in the config to authenticate the certificates that will be issued using this SCEP URL
[OK] exit
Could someone please advise what I need to do to resolve this? I've tried adding extra trustpoints like this, but it doesn't help the situation:
crypto ca trustpoint server-ca2
enrollment url http://2.2.2.2:80/certsrv/mscep/mscep.dll
subject-name CN=ciscoasa
keypair newkeypair
crl configure
10-03-2013 04:57 PM
Hi Mark,
I am not sure if I understood correctly, but I believe it could be solved as follows.
1. Create a Tunnel-Group called 'CertEnroll' with AAA Auth only and have the profile for this point to the SCEP/CA server.
2. Create a second Tunnel-Group called 'Mobile' with Cert Auth only.
In this scenario, the user would need to first fail cert auth by selecting the 'Mobile' Tunnel-Group (this should fail as the user does not have the appropriate cert).
Then, the user would need to select the 'CertEnroll' group which should point to the SCEP/CA server and enroll the user. Then, the user could connect via the 'Mobile' tunnel-group with their newly obtained certificate.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml
I hope it helps,
regards,
Itzcoatl
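An illustrative ASA configuration of the two tunnel-group layout described in the steps above (an added example, not Itzcoatl's or Cisco's own config). The policy names GP_CertEnroll and GP_Mobile, the client profile name CertEnroll-profile and the interface name are assumptions; the SCEP URL is the one from the original post. This layout does not by itself address the three CA/RA certificate warning reported above, which concerns the trustpoints on the ASA.

```cisco
! Group policy used only for enrollment: AAA-authenticated users are
! handed the NDES SCEP URL so the ASA can proxy the enrollment request.
group-policy GP_CertEnroll internal
group-policy GP_CertEnroll attributes
 vpn-tunnel-protocol ssl-client
 scep-forwarding-url value http://2.2.2.2/certsrv/mscep/mscep.dll
 webvpn
  anyconnect profiles value CertEnroll-profile type user
!
! Group policy for day-to-day access; no SCEP URL here.
group-policy GP_Mobile internal
group-policy GP_Mobile attributes
 vpn-tunnel-protocol ssl-client
!
! Tunnel-group 1 (step 1): AAA authentication only, hands out GP_CertEnroll.
tunnel-group CertEnroll type remote-access
tunnel-group CertEnroll general-attributes
 default-group-policy GP_CertEnroll
tunnel-group CertEnroll webvpn-attributes
 authentication aaa
 group-alias CertEnroll enable
!
! Tunnel-group 2 (step 2): certificate authentication only, hands out GP_Mobile.
tunnel-group Mobile type remote-access
tunnel-group Mobile general-attributes
 default-group-policy GP_Mobile
tunnel-group Mobile webvpn-attributes
 authentication certificate
 group-alias Mobile enable
!
! Expose both aliases in the AnyConnect group drop-down so the user can
! pick 'Mobile' (fails without a cert) and then 'CertEnroll' to enroll.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

The client profile referenced by GP_CertEnroll must also have SCEP enrollment enabled (the AutomaticSCEPHost setting) so that AnyConnect actually requests a certificate through the ASA.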
10-04-2013 02:55 AM
Hi Itzcoatl, what is actually happening is that the CA is sending me 3 CA certs when I edit the group policy for the profile, the same as what the other user was getting.
The other user mentions that I need to create 2 extra trustpoints and that this isn't mentioned in any documentation?
The method you have posted works fine with an IOS CA but will not work in my situation, and it is not really the problem I'm having.
The problem I'm having is that I'm getting 3 CA certs from the CA, when I only expected 1, and it won't allow me to use proxy SCEP because of this.
10-06-2013 10:47 AM
All, I have resolved this issue myself. I've got to say, without raising a TAC, Cisco's support on this issue is really poor. The support in this forum looks to be hit and miss at the very best, and there is no Cisco documentation of how to complete this process even though it's one of their 'major products' and it's included in their examination criteria.
No one should be able to complete this with the current Cisco documentation, no one. If you're using a 2008 server with NDES, and trying to use proxy SCEP, then this solution and guidance from Cisco is completely un-doable.
If you need help with this error contact me directly as you're not going to get help from Cisco on it without a TAC.
Regards
Mark