Anyconnect scep auto enrollment

Guys,

I have a query about the setup for this. I have been following the procedure below. My ASA is on version 8.2(5) and AnyConnect is version 3. The CA I am using is Windows Server 2008. I have been testing with a sub CA.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml

I can open AnyConnect and get prompted by the firewall to select the profile to use. I select the certenroll profile and log in with AD credentials, but keep getting "authentication failed" and nothing happens. The authentication on the profile is set to local, but I'm not sure what this authenticates to, or whether the AnyConnect profile relays this to the CA server.

I have seen some videos which show more settings in ASDM for SCEP proxy. The method I am using is tunnelling queries from the endpoint to the CA server. I am wondering if my version of AnyConnect/firewall supports this, and whether I would be best upgrading to version 9 of the ASA and using SCEP proxy instead of the tunnelling method.

Also, just as a check on the CA side of things: does the CA need to be running NDES to support requests sent from the firewall?


Nicholas Carrieri
Cisco Employee

SCEP proxy was not integrated into the ASA until 8.4.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html#wp1318578

If you want to do legacy SCEP, this should work. Your AnyConnect version is OK, but we always suggest the latest in the 3.0/3.1 line for the most up-to-date bug fixes.
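Whichever path is used (legacy SCEP tunnelled from the endpoint, or SCEP proxy on 8.4+), the CA side of the question above still has to answer SCEP correctly, which on Windows Server means the NDES role publishing mscep.dll. The script below is an added example written for this thread, not code from the original post or from Cisco: it parses the two cheap SCEP queries (GetCACaps and GetCACert, per RFC 8894) so you can confirm the CA speaks SCEP before chasing the "authentication failed" message on the AnyConnect side. The `/certsrv/mscep/mscep.dll` path is the standard NDES location; the host name is a placeholder, and the sample response bodies are constructed so the check runs offline.

```python
"""Offline check of SCEP (RFC 8894) GetCACaps / GetCACert responses.

Constructed example for the thread above, not code from the post or from
Cisco. It parses the capability list an NDES server returns for GetCACaps
and classifies the GetCACert response by Content-Type, so you can tell
whether the CA the ASA or AnyConnect profile points at actually speaks SCEP.
"""
import urllib.parse
import urllib.request

# Assumed NDES URL layout; the host in any real probe is a placeholder.
DEFAULT_NDES_PATH = "/certsrv/mscep/mscep.dll"

# Capabilities worth insisting on for a modern client (RFC 8894, section 3.5.2).
WANTED_CAPS = {"POSTPKIOperation", "SHA-256", "AES"}

# GetCACert content types: a bare CA cert, or a PKCS#7 bundle with CA + RA certs.
CACERT_TYPES = {
    "application/x-x509-ca-cert": "ca-only",
    "application/x-x509-ca-ra-cert": "ca-and-ra",
}


def scep_url(base, operation, message=None):
    """Build a SCEP GET URL such as .../mscep.dll?operation=GetCACaps."""
    query = {"operation": operation}
    if message is not None:
        query["message"] = message
    return base + "?" + urllib.parse.urlencode(query)


def parse_ca_caps(body):
    """Parse a GetCACaps body: one capability keyword per line, case-sensitive.

    Blank lines and surrounding whitespace are tolerated. An HTML error page
    (what IIS returns when mscep.dll is not published) yields no capabilities,
    which is the signal that NDES is not serving this URL.
    """
    caps = set()
    for line in body.splitlines():
        token = line.strip()
        # Capability tokens contain no spaces or angle brackets; anything else
        # is not a capability line (for example an HTML error page).
        if token and " " not in token and "<" not in token:
            caps.add(token)
    return caps


def assess_caps(caps):
    """Return (ok, missing): ok is True when every wanted capability is present."""
    missing = WANTED_CAPS - caps
    return (not missing, missing)


def classify_cacert(content_type):
    """Map a GetCACert Content-Type header to 'ca-only', 'ca-and-ra' or 'not-scep'."""
    main = content_type.split(";")[0].strip().lower()
    return CACERT_TYPES.get(main, "not-scep")


def probe(base_url, timeout=5):
    """Live probe of a SCEP endpoint (needs network access; not used offline)."""
    with urllib.request.urlopen(scep_url(base_url, "GetCACaps"), timeout=timeout) as r:
        caps = parse_ca_caps(r.read().decode("ascii", "replace"))
    with urllib.request.urlopen(scep_url(base_url, "GetCACert"), timeout=timeout) as r:
        kind = classify_cacert(r.headers.get("Content-Type", ""))
    return caps, kind


# Constructed sample responses standing in for a live NDES server.
SAMPLE_CAPS_BODY = "POSTPKIOperation\r\nSHA-256\r\nAES\r\nRenewal\r\n"
SAMPLE_HTML_BODY = "<html><body><h1>404 - File or directory not found.</h1></body></html>"

if __name__ == "__main__":
    caps = parse_ca_caps(SAMPLE_CAPS_BODY)
    ok, missing = assess_caps(caps)
    print("caps:", sorted(caps), "ok:", ok, "missing:", sorted(missing))
    print("caps from an HTML error page:", parse_ca_caps(SAMPLE_HTML_BODY))
    print("GetCACert type:", classify_cacert("application/x-x509-ca-ra-cert"))
```

A GetCACaps body that parses to an empty set, or a GetCACert answered with `text/html`, means the endpoint is not an NDES/SCEP service at all, and no ASA or AnyConnect profile setting will make enrollment succeed against it. A `ca-and-ra` answer is what NDES normally returns, since it enrolls through RA certificates rather than signing with the CA key directly.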