Does anyone have AnyConnect working with SCEP certificate enrollment to a Microsoft CA? I've been attempting to get this working, but so far have had little luck. I have a Windows Server 2008 Standalone CA with the SCEP service installed and working. I can use SCEP on the ASA directly to enroll for identity certificates, so I know the service is working properly.
For the life of me, I can't get AnyConnect to do SCEP enrollment. I've read the AnyConnect Administrator Guide and followed the instructions to create a SCEP enabled AnyConnect profile. Whenever I connect to my ASA using the SCEP enabled Group URL, AnyConnect is installed, the profile downloaded to the PC, and AnyConnect connects. AnyConnect never initiates the certificate enrollment, even though the client PC doesn't have a valid certificate at the time of login.
Any guidance, help, or known good example configurations would be helpful. I have a case open with Cisco on this, but I haven't gotten a lot of traction yet. I'm hoping somebody here has direct experience with this type of setup.
On my issues I just had the certs being issued from the Win CA incorrect; I had to issue the "Web Server" cert to the ASA, then a "Client" cert to the Apple iOS device. Once I had that all "right", everything worked like a charm.
Each time you change the cert being issued from NDES, I changed the registry to match (I just made copies of the Cert profiles instead of touching the original), then deployed each out.
Let me know if this helps.
(Sorry about the "huge" delayed response, been swamped.)