Need help implementing SCEP proxy -- client isn't even trying to enroll

spfister336
Level 2

We have an ASA 5525-X we are using for site-to-site and remote-access VPNs. We are trying to convert the remote-access VPN users (some of them at least) from local usernames/passwords only to usernames/passwords plus a certificate, to restrict access to district-issued devices.

I think I have the configuration done, but the client can still log in only with local credentials; it's not even trying to enroll. The lines I have added to the config are below. What could I be missing? The example I followed was using client profiles, which we haven't been using for anything. I've created a test client profile.

group-policy GroupPolicy_cert-test internal
!
group-policy GroupPolicy_cert-test attributes
banner value *** Testing SCEP proxy connection ***
wins-server none
dns-server value 10.99.97.59 10.99.97.60
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Admin_Split
default-domain value dps.k12.oh.us
address-pools value DPS_General
scep-forwarding-url value http://10.99.97.69/certsrv/mscep/mscep.dll
webvpn
anyconnect profiles value cert-test type user
!
username cert-test-user password ************** encrypted
!
username cert-test-user attributes
vpn-group-policy GroupPolicy_cert-test
password-storage disable
service-type remote-access
!
tunnel-group cert-test type remote-access
!
tunnel-group cert-test general-attributes
address-pool DPS_General
default-group-policy GroupPolicy_cert-test
scep-enrollment enable
!
tunnel-group cert-test webvpn-attributes
authentication aaa certificate
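As an added example (not part of the original post), a small Python checker that parses a flattened ASA config like the one above and verifies that the SCEP-proxy pieces reference each other: the enrollment tunnel-group's default group-policy, that group-policy's scep-forwarding-url and AnyConnect profile assignment, and AAA authentication on the tunnel-group. The rules it applies are the checker's own assumptions about a self-consistent configuration; passing them does not by itself explain why a client declines to enroll.

```python
# Added example, not from the original post: cross-check SCEP-proxy references in a
# flattened ASA config. SAMPLE below is constructed from the blocks quoted in the post.
def parse_blocks(text):
    """Map each block header to its attribute lines; '!' lines separate blocks."""
    blocks = {}
    for chunk in text.split("\n!"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip() not in ("", "!")]
        if lines:
            blocks[lines[0]] = lines[1:]
    return blocks
def attr(lines, head):
    """Value following the first line that starts with `head`, or None if absent."""
    for line in lines:
        if line == head or line.startswith(head + " "):
            return line[len(head):].strip()
    return None
def check_scep_proxy(text):
    """Findings for each tunnel-group with 'scep-enrollment enable'; [] means consistent.
    Assumed rules: the default group-policy exists, carries an http(s) scep-forwarding-url,
    assigns an AnyConnect profile, and the tunnel-group's webvpn-attributes use aaa."""
    blocks, findings = parse_blocks(text), []
    for header, lines in blocks.items():
        words = header.split()
        if words[0] != "tunnel-group" or words[-1] != "general-attributes":
            continue
        if attr(lines, "scep-enrollment") != "enable":
            continue
        tg, gp = words[1], attr(lines, "default-group-policy")
        gp_lines = blocks.get(f"group-policy {gp} attributes")
        if gp_lines is None:
            findings.append(f"{tg}: default-group-policy '{gp}' has no attributes block")
            continue
        url = attr(gp_lines, "scep-forwarding-url value") or ""
        if not url.startswith(("http://", "https://")):
            findings.append(f"{tg}: {gp} lacks a usable scep-forwarding-url")
        if attr(gp_lines, "anyconnect profiles value") is None:
            findings.append(f"{tg}: {gp} assigns no AnyConnect client profile")
        auth = attr(blocks.get(f"tunnel-group {tg} webvpn-attributes", []), "authentication")
        if not auth or "aaa" not in auth.split():
            findings.append(f"{tg}: webvpn-attributes do not use aaa authentication")
    return findings
SAMPLE = """group-policy GroupPolicy_cert-test attributes
scep-forwarding-url value http://10.99.97.69/certsrv/mscep/mscep.dll
webvpn
anyconnect profiles value cert-test type user
!
tunnel-group cert-test general-attributes
default-group-policy GroupPolicy_cert-test
scep-enrollment enable
!
tunnel-group cert-test webvpn-attributes
authentication aaa certificate
"""
```

Running `check_scep_proxy(SAMPLE)` returns an empty list for the quoted blocks, so the cross-references themselves resolve; removing or misspelling any one of them produces a finding naming the tunnel-group.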