AnyConnect and SCEP Certificate Enrollment

jimsiff
Level 1

Hello,

Does anyone have AnyConnect working with SCEP certificate enrollment to a Microsoft CA?  I've been attempting to get this working, but so far have had little luck.  I have a Windows Server 2008 Standalone CA with the SCEP service installed and working.  I can use SCEP on the ASA directly to enroll for identity certificates, so I know the service is working properly.

For the life of me, I can't get AnyConnect to do SCEP enrollment.  I've read the AnyConnect Administrator Guide and followed the instructions to create a SCEP-enabled AnyConnect profile.  Whenever I connect to my ASA using the SCEP-enabled Group URL, AnyConnect is installed, the profile is downloaded to the PC, and AnyConnect connects.  AnyConnect never initiates the certificate enrollment, even though the client PC doesn't have a valid certificate at the time of login.

Any guidance, help, or known good example configurations would be helpful.  I have a case open with Cisco on this, but I haven't gotten a lot of traction yet.  I'm hoping somebody here has direct experience with this type of setup.

Thanks,

Jim

3 Replies

Shaun Bender
Level 4

Hi Jim,

I'm kinda in the same boat, doing Apple iOS devices with Windows 2008 CA. I can issue the certs fine. Just having issues with the end device connecting using certificates.

If I configure the ASA as the local CA, using client certificates work fine.

Let me know what you find out.

Thanks,

Shaun

Tim Stretton
Level 1

Let me know if you were able to solve this AnyConnect SCEP Cert enrollment.

Thanks!

Hey,

On my issues, I just had the certs being issued from the Win CA incorrect. I had to issue the "Web Server" cert to the ASA, then a "Client" cert to the Apple iOS device.  Once I had that all "right", everything worked like a charm.

Each time you change the cert being issued from NDES, I changed the registry to match (I just made copies of the cert profiles instead of touching the original), then deployed each out.

Let me know if this helps.

(Sorry about the "huge" delayed response, been swamped.)

-Shaun

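Shaun's reply describes switching the certificate template that NDES hands out (a "Web Server" template for the ASA's identity cert, then a "Client" template for the end devices) by editing the registry. The snippet below is an added example, not code from this thread or from Cisco or Microsoft, showing how that switch is made on the NDES server with PowerShell. It assumes an enterprise CA (standalone CAs do not use templates, so these values have no effect there), a copied template whose name is `AnyConnectClient` (an assumed name), and that the NDES service account already has Enroll permission on that template.

```powershell
# Added example (not from the thread): point NDES at a specific certificate
# template, as Shaun describes, by editing the MSCEP registry values.
# Assumptions: enterprise CA; 'AnyConnectClient' is a copied client template
# (template *name*, not display name); the NDES account can enroll for it.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# Record what NDES currently issues before changing anything.
Get-ItemProperty -Path $mscep |
    Select-Object EncryptionTemplate, SignatureTemplate, GeneralPurposeTemplate

# NDES reads three REG_SZ values here; the template it issues depends on the
# key usage the SCEP client requests, so set all three to the same template
# so the result does not depend on what the client asks for.
$template = 'AnyConnectClient'   # assumed template name
foreach ($value in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
    Set-ItemProperty -Path $mscep -Name $value -Value $template
}

# NDES runs under IIS and reads these values at start-up, so restart IIS
# for the change to take effect.
iisreset

# Confirm the new values are in place before pointing clients at NDES again.
Get-ItemProperty -Path $mscep |
    Select-Object EncryptionTemplate, SignatureTemplate, GeneralPurposeTemplate
```

Because NDES serves one set of templates at a time, the same procedure is repeated with the "Web Server" style template when the ASA itself needs to enroll, then switched back to the client template for AnyConnect or iOS enrollment, which is the sequence Shaun describes. Certificates issued from the wrong template are the thing to check first when a client enrolls successfully but the tunnel still refuses the certificate.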
