I've successfully set up our ASA with SCEP against our internal Microsoft CA server, and sent requests for both a CA certificate and an ID cert. Both have been deployed successfully, and I can request the CRL list from the ASA with the internal CA certificate selected.
The CRL request is successful, and I can see in the CRL list that my test computer is among those computer certificates revoked on the server. So far so good.
Problem is: even though the computer certificate has been revoked, the computer still authenticates without problems, and connects with VPN. We are using AnyConnect 2.4, by the way.
I've tried with cert-only authentication in the connection profile (because maybe it was the RADIUS letting me in), but I still get access.
Is there anything I have missed? Is there a setting somewhere where I have to configure a "deny access" for revoked certs?