05-15-2013 07:44 AM - edited 02-21-2020 06:54 PM
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
I need to set up AnyConnect so that remote users using Windows PCs can easily download/provision the AnyConnect client, enroll using SCEP to get their certificate and then connect to the VPN using the certificate for authentication.
So far I have the first part set up and working; users are able to connect to https://company.com and install the AnyConnect client and then proceed through the enrollment process by using an AnyConnect Client Profile that uses SCEP to take care of the certificate work.
After the enrollment is complete, however, when clients attempt to connect they have to enter their username and password. It doesn't use the certificate as I thought it would. Do I need to create another tunnel group for clients to use that only uses certificate authentication? If so, do I need to specify that tunnel group in the AnyConnect Client Profile so that clients, after enrollment, are automatically directed to that tunnel group? If so, how do I do that?
I'm a bit overwhelmed with the amount of documentation so I apologize if I'm using the wrong words and terminology. And at this time I'm only concerned about Windows PCs, no iOS or Android.
ASA Code:
group-policy certgroup internal
group-policy certgroup attributes
 wins-server none
 dns-server value 10.x.y.z
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-network-list value Jabber_Split_Tunnel
 default-domain value company.local
 ! ASA proxies SCEP requests from the client to this CA URL
 scep-forwarding-url value http://10.x.y.a/certsrv/mscep/mscep.dll
 webvpn
  anyconnect profiles value ac_scep type user
!
tunnel-group certtunnel type remote-access
tunnel-group certtunnel general-attributes
 address-pool Jabber_VPN_Pool
 authentication-server-group RADIUS
 default-group-policy certgroup
 scep-enrollment enable
tunnel-group certtunnel webvpn-attributes
 ! "aaa certificate" requires BOTH RADIUS credentials and a client certificate
 authentication aaa certificate
 group-alias certtunnel enable
 group-url https://remote.company.com/certgroup enable
!
05-15-2013 08:15 AM
I should also mention that we'll have multiple tunnel groups set up on this ASA. So we'll need a way to automatically select the proper tunnel group based on something, perhaps an item in the certificate. I think I remember reading about that being a possibility.
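One way to do what the follow-up asks for, given as an added example and not taken from the original post: a certificate map matches a field in the client certificate and steers the session into a second tunnel group that authenticates with the certificate alone, so the enrollment group (AAA plus certificate) and the post-enrollment group (certificate only) coexist on the same ASA. The map name CertMap, the subject OU value VPN-Users and the tunnel-group name certonly are assumptions; the pool and group-policy names are reused from the posted config.

```text
! Match client certificates whose subject carries OU=VPN-Users.
! (assumption: the SCEP template stamps this OU; any subject or issuer
!  attribute the CA sets reliably can be used instead)
crypto ca certificate map CertMap 10
 subject-name attr ou eq VPN-Users
!
! Certificate-only tunnel group used once a client holds a certificate.
! "authentication certificate" alone means no username/password prompt.
tunnel-group certonly type remote-access
tunnel-group certonly general-attributes
 address-pool Jabber_VPN_Pool
 default-group-policy certgroup
tunnel-group certonly webvpn-attributes
 authentication certificate
 group-alias certonly enable
!
! Send SSL/AnyConnect sessions that match CertMap into the certonly group.
webvpn
 certificate-group-map CertMap 10 certonly
!
! Equivalent mapping for IKEv2 AnyConnect sessions.
tunnel-group-map enable rules
tunnel-group-map CertMap 10 certonly
```

A few things to check when applying this: a certificate-map match is evaluated before group-url selection, so a client that still lands on certtunnel via its group-url is a sign the certificate did not match the map (or that `tunnel-group-preference group-url` has been set under webvpn, which reverses that order). Clients without a certificate, or with one that matches no rule, fall through to normal selection and can still reach the AAA-based enrollment group. `show vpn-sessiondb anyconnect` shows the tunnel group each session actually landed in, which is the quickest way to confirm the mapping works.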