cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
278
Views
0
Helpful
0
Replies

Need help implementing SCEP proxy -- client isn't even trying to enroll

spfister336
Beginner
Beginner

We have an ASA 5525-X we are using for site-to-site and remote-access VPNs. We are trying to convert the remote-access VPN users (some of them at least) from local usernames/passwords only, to usernames/passwords plus a certificate to restrict access to district issued devices.

 

I think I have the configuration done, but the client can still log in only with local credentials; it's not even trying to enroll. The lines I have added to the config are below. What could I be missing? The example I followed was using client profiles, which we haven't been using for anything. I've created a test client profile. 

 

group-policy GroupPolicy_cert-test internal
!
group-policy GroupPolicy_cert-test attributes
banner value *** Testing SCEP proxy connection ***
wins-server none
dns-server value 10.99.97.59 10.99.97.60
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Admin_Split
default-domain value dps.k12.oh.us
address-pools value DPS_General
scep-forwarding-url value http://10.99.97.69/certsrv/mscep/mscep.dll
webvpn
anyconnect profiles value cert-test type user
!
username cert-test-user password ************** encrypted
!
username cert-test-user attributes
vpn-group-policy GroupPolicy_cert-test
password-storage disable
service-type remote-access
!
tunnel-group cert-test type remote-access
!
tunnel-group cert-test general-attributes
address-pool DPS_General
default-group-policy GroupPolicy_cert-test
scep-enrollment enable
!
tunnel-group cert-test webvpn-attributes
authentication aaa certificate

 

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers