Does anyone have AnyConnect working with SCEP certificate enrollment to a Microsoft CA? I've been attempting to get this working, but so far have had little luck. I have a Windows Server 2008 Standalone CA with the SCEP service installed and working. I can use SCEP on the ASA directly to enroll for identity certificates, so I know the service is working properly.
For the life of me, I can't get AnyConnect to do SCEP enrollment. I've read the AnyConnect Administrator Guide and followed the instructions to create a SCEP-enabled AnyConnect profile. Whenever I connect to my ASA using the SCEP-enabled Group URL, AnyConnect is installed, the profile downloaded to the PC, and AnyConnect connects. AnyConnect never initiates the certificate enrollment, even though the client PC doesn't have a valid certificate at the time of login.
Any guidance, help, or known good example configurations would be helpful. I have a case open with Cisco on this, but I haven't gotten a lot of traction yet. I'm hoping somebody here has direct experience with this type of setup.