SCEP Proxy vs. Legacy SCEP (ASA and AnyConnect)

jimsiff
Level 1

Hello,

We currently have a Legacy SCEP deployment using ASAs and Windows Server 2008 R2 PKI environment for AnyConnect client certificate enrollment.  I'd like to switch from Legacy SCEP to SCEP Proxy, but it isn't clear that SCEP Proxy supports the "Prompt for Challenge Password" feature we use in Legacy SCEP.  The "Prompt for Challenge Password" variable seems to be part of the XML tag used for the "CA URL" which is only used in Legacy SCEP.

If "Prompt For Challenge Password" isn't supported with SCEP Proxy, it seems like Cisco took one step forward and one step backward with the newer feature.  Sure, you don't expose your PKI RA to remote users, but you eliminate the only element of user authorization for new certificates if you allow remote users to generate a VPN certificate with nothing more than their username and password.

Thanks,

Jim
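For readers who have not looked at the profile XML, the fragment below is an added illustration and is not from the original post or from Cisco documentation. It shows where the "Prompt for Challenge Password" setting lives in an AnyConnect client profile: it is the PromptForChallengePW attribute on the CAURL element, the element that points the client straight at the MSCEP registration authority (legacy SCEP), while the SCEP Proxy path is driven by AutomaticSCEPHost, which names the ASA and connection profile instead. Hostnames, the URL path, the thumbprint and the subject fields are placeholders, and the comments describe only what each element configures, not whether the ASA honours the attribute in proxy mode, which is the thread's open question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example AnyConnect client profile fragment; values are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <CertificateEnrollment>
    <!-- Days before expiry at which the client starts re-enrollment. -->
    <CertificateExpirationThreshold>14</CertificateExpirationThreshold>

    <!-- SCEP Proxy path: the client sends its enrollment request through the
         VPN tunnel to this ASA host / connection profile. No CA URL is needed here;
         the ASA forwards the request to the CA on the client's behalf. -->
    <AutomaticSCEPHost>vpn.example.com/scep-enroll</AutomaticSCEPHost>

    <!-- Legacy SCEP path: the client talks directly to the MSCEP RA at this URL.
         PromptForChallengePW="true" is what makes the client ask the user for the
         enrollment challenge password before submitting the request. The Thumbprint
         pins the CA certificate (placeholder value). -->
    <CAURL PromptForChallengePW="true"
           Thumbprint="0000000000000000000000000000000000000000">
      http://ca.example.com/certsrv/mscep/mscep.dll
    </CAURL>

    <!-- Subject fields placed into the certificate request; %USER% expands to
         the VPN username at enrollment time. -->
    <CertificateSCEP>
      <CADomain>example.com</CADomain>
      <Name_CN>%USER%</Name_CN>
      <Name_O>Example Corp</Name_O>
      <Name_OU>VPN Users</Name_OU>
      <Name_C>US</Name_C>
      <KeySize>2048</KeySize>
      <DisplayGetCertButton>true</DisplayGetCertButton>
    </CertificateSCEP>

    <CertificateImportStore>All</CertificateImportStore>
  </CertificateEnrollment>
</AnyConnectProfile>
```

The point to take from the layout is the one the post makes: the challenge password prompt is attached to the CAURL element, so if a deployment drops CAURL in favour of AutomaticSCEPHost alone, there is no obvious place left in the profile to request the prompt.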

2 Replies

jerico99
Level 1

I agree, that's a pretty giant leap backwards. 

I honestly don't get the benefit of issuing certificates if there are no checks and balances as to what devices they can be installed on.

Am I missing something? 

 

Agreed,

Without SCEP Proxy using the Enrollment Challenge Password, what is the point of the certificate?

If the SCEP Proxy enrolls the user with a new certificate based simply on their AD password and group membership, how is that enrollment protected without using the Challenge Password? What is the point of the cert if all it takes is your AD login?

 

Please advise if MSCEP Enrollment Challenge is still supported with SCEP Proxy on the ASA.

A nice tight tech note would be MUCH appreciated.
