We have an ASA 5525-X we are using for site-to-site and remote-access VPNs. We are trying to convert the remote-access VPN users (some of them at least) from local usernames/passwords only, to usernames/passwords plus a certificate to restrict access to district-issued devices.
I think I have the configuration done, but the client can still log in only with local credentials; it's not even trying to enroll. The lines I have added to the config are below. What could I be missing? The example I followed was using client profiles, which we haven't been using for anything. I've created a test client profile.
group-policy GroupPolicy_cert-test internal
!
group-policy GroupPolicy_cert-test attributes
 banner value *** Testing SCEP proxy connection ***
 wins-server none
 dns-server value 10.99.97.59 10.99.97.60
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_Split
 default-domain value dps.k12.oh.us
 address-pools value DPS_General
 scep-forwarding-url value http://10.99.97.69/certsrv/mscep/mscep.dll
 webvpn
  anyconnect profiles value cert-test type user
!
username cert-test-user password ************** encrypted
!
username cert-test-user attributes
 vpn-group-policy GroupPolicy_cert-test
 password-storage disable
 service-type remote-access
!
tunnel-group cert-test type remote-access
!
tunnel-group cert-test general-attributes
 address-pool DPS_General
 default-group-policy GroupPolicy_cert-test
 scep-enrollment enable
!
tunnel-group cert-test webvpn-attributes
 authentication aaa certificate
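As an added example (not part of the post, and not Cisco's tooling), the script below parses the posted ASA lines and pulls out the pieces that have to line up for SCEP-proxy enrollment: the group policy's scep-forwarding-url and assigned client profile, the tunnel group's scep-enrollment flag, bound group policy and authentication method, and whether every referenced name is defined in the excerpt. The embedded config is a re-indented copy of the lines in the post; the assumption that a client profile is defined under the global webvpn section as "anyconnect profiles <name> <path>" comes from general ASA usage, not from the post. On the posted excerpt it reports the profile cert-test as referenced but not defined, which only means that definition was not pasted.

```python
"""Audit an ASA config excerpt for the moving parts of AnyConnect SCEP-proxy
enrollment and cross-check that the names they reference are defined."""
import re
from collections import OrderedDict

# Constructed sample: the lines from the post above, re-indented as the ASA
# prints them (one space per nesting level, '!' as a section separator).
ASA_SNIPPET = """\
group-policy GroupPolicy_cert-test internal
!
group-policy GroupPolicy_cert-test attributes
 banner value *** Testing SCEP proxy connection ***
 wins-server none
 dns-server value 10.99.97.59 10.99.97.60
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_Split
 default-domain value dps.k12.oh.us
 address-pools value DPS_General
 scep-forwarding-url value http://10.99.97.69/certsrv/mscep/mscep.dll
 webvpn
  anyconnect profiles value cert-test type user
!
username cert-test-user password ************** encrypted
!
username cert-test-user attributes
 vpn-group-policy GroupPolicy_cert-test
 password-storage disable
 service-type remote-access
!
tunnel-group cert-test type remote-access
!
tunnel-group cert-test general-attributes
 address-pool DPS_General
 default-group-policy GroupPolicy_cert-test
 scep-enrollment enable
!
tunnel-group cert-test webvpn-attributes
 authentication aaa certificate
"""


def parse_asa(text):
    """Map each top-level command (unindented line) to its indented subcommands.
    Deeper nesting (e.g. 'webvpn' inside a group-policy) is flattened into the
    enclosing section, which is enough for the lookups below."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def _match(lines, pattern):
    """First capture group of the first subcommand matching pattern, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def audit_scep_proxy(text):
    sections = parse_asa(text)
    report = {"missing": []}

    # Group policies: SCEP forwarding URL and the client profile they push.
    policies = {}
    for header, body in sections.items():
        m = re.match(r"group-policy (\S+) attributes", header)
        if m:
            policies[m.group(1)] = {
                "scep_forwarding_url": _match(body, r"scep-forwarding-url value (\S+)"),
                "client_profile": _match(body, r"anyconnect profiles value (\S+)"),
            }
    report["group_policies"] = policies

    # Tunnel groups: enrollment flag, bound policy, authentication method.
    tunnels = {}
    for header, body in sections.items():
        m = re.match(r"tunnel-group (\S+) general-attributes", header)
        if m:
            entry = tunnels.setdefault(m.group(1), {})
            entry["scep_enrollment"] = "scep-enrollment enable" in body
            entry["default_group_policy"] = _match(body, r"default-group-policy (\S+)")
        m = re.match(r"tunnel-group (\S+) webvpn-attributes", header)
        if m:
            entry = tunnels.setdefault(m.group(1), {})
            entry["authentication"] = _match(body, r"authentication (.+)")
    report["tunnel_groups"] = tunnels

    # Cross-references. Assumption: a client profile is defined under the global
    # 'webvpn' section as 'anyconnect profiles <name> <path>'.
    defined_profiles = set()
    for line in sections.get("webvpn", []):
        m = re.match(r"anyconnect profiles (\S+) (\S+)", line)
        if m:
            defined_profiles.add(m.group(1))
    for name, tg in tunnels.items():
        gp = tg.get("default_group_policy")
        if gp not in policies:
            report["missing"].append(f"tunnel-group {name}: group-policy {gp} has no attributes block")
            continue
        prof = policies[gp]["client_profile"]
        if prof and prof not in defined_profiles:
            report["missing"].append(f"group-policy {gp}: profile {prof} not defined under global webvpn")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_scep_proxy(ASA_SNIPPET), indent=2))
```

Run it against a full "show running-config" rather than the excerpt to get a meaningful cross-reference result; the parser only needs the ASA's own indentation.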