Dynamic group policy assignment via radius attribute 25 does not update SCEP forwarding URL

schroederh
Level 1

We are using an ASA 5506H with IOS 9.14. We have 50 AnyConnect premium licenses installed. We are using ISE as the CA-SCEP server. There are 4 ISE PSNs that we would like to load share over & have a redundant SCEP solution. When we authenticate, ISE will dynamically apply RADIUS attribute 25 (describing the name of the preferred Group Policy) to be applied to the current user session. This COA will apply a GP that has the IP address of the current authenticating node as the SCEP server URL. The goal is to perform SCEP enrollment on the same server we authenticated with.

When configured, the GP described in the ISE COA is applied to the VPN tunnel session and all values configured in the GP get updated & applied to the tunnel session except the SCEP Server Forwarding URL, which remains set to whatever is defined in the default GP for the Connection Profile selected. The ASA applies the identified GP settings but not the SCEP forwarding URL. We even tried to do this with a GP assigned to a local user account with the same result: everything configured as per the GP, EXCEPT the SCEP forwarding URL.

Is this a BUG, FEATURE, TYPICAL CISCO or what? If anybody has any insight into this issue, please chime in! We have expired all of our ideas and are officially stumped as to why the ASA will not update/overwrite this value. BTW, the SCEP enrollment works fine; it just won't allow us to dynamically change the server URL to point to a different SCEP server. Any ideas?
