And I'm getting exactly the same errors. The user in the thread reports he had to raise a TAC for the issue and they advised him how to fix it, and Cisco has given out an incorrect configuration guide to the public. The user only posts that he had to add 'extra trustpoints' to solve the issue. I've tried that and nothing happens.
When I use an IOS CA, the solution with SCEP proxying works perfectly; when I use a 2008 server as the CA, it enrolls the ASA fine, but refuses to enroll the clients via AnyConnect and sends this error back via the ASDM when editing the group policy:
I am not sure if I understood correctly, but I believe it could be solved as follows.
1. Create a Tunnel-Group called 'CertEnroll' with AAA Auth only and have the profile for this point to the SCEP/CA server.
2. Create a second Tunnel-Group called 'Mobile' with Cert Auth only.
In this scenario, the user would need to first fail cert auth by selecting the 'Mobile' Tunnel-Group (this should fail as the user does not have the appropriate cert).
Then, the user would need to select the 'CertEnroll' group which should point to the SCEP/CA server and enroll the user. Then, the user could connect via the 'Mobile' tunnel-group with their newly obtained certificate.
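The following is an added configuration sketch of the two-tunnel-group layout described in the reply above; it is not the poster's own configuration and not taken from Cisco documentation. The trustpoint name, CA URL, group-policy names, profile name and interface name are placeholders; the AnyConnect client profile referenced by the enrollment group policy is assumed to already exist on the ASA with certificate enrollment pointed at the ASA's CertEnroll group.

```cisco
! Placeholder names throughout: NDES-CA, ca.example.local, GP-*, CertEnroll-Profile
! Trustpoint for the Windows CA / NDES server. The ASA enrolls itself here
! (crypto ca authenticate / crypto ca enroll from exec mode) and forwards
! AnyConnect SCEP requests to the same URL.
crypto ca trustpoint NDES-CA
 enrollment url http://ca.example.local/certsrv/mscep/mscep.dll

! Group policy for the enrollment tunnel group: enables SCEP proxy and pushes
! the client profile that triggers certificate enrollment.
group-policy GP-CertEnroll internal
group-policy GP-CertEnroll attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  scep-forwarding-url value http://ca.example.local/certsrv/mscep/mscep.dll
  anyconnect profiles value CertEnroll-Profile type user

! Group policy for the production tunnel group; no SCEP forwarding here.
group-policy GP-Mobile internal
group-policy GP-Mobile attributes
 vpn-tunnel-protocol ssl-client

! 1. Enrollment tunnel group: AAA (username/password) authentication only.
tunnel-group CertEnroll type remote-access
tunnel-group CertEnroll general-attributes
 authentication-server-group LOCAL
 default-group-policy GP-CertEnroll
tunnel-group CertEnroll webvpn-attributes
 authentication aaa
 group-alias CertEnroll enable

! 2. Production tunnel group: certificate authentication only.
tunnel-group Mobile type remote-access
tunnel-group Mobile general-attributes
 default-group-policy GP-Mobile
tunnel-group Mobile webvpn-attributes
 authentication certificate
 group-alias Mobile enable

! Expose both groups in the AnyConnect group drop-down so the user can pick
! CertEnroll for first-time enrollment and Mobile afterwards.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

The sequence the reply describes then plays out as: a user without a certificate connects to the CertEnroll group with AAA credentials, the ASA proxies the SCEP enrollment to the NDES URL and the client receives a certificate, after which the user reconnects to the Mobile group, which accepts only certificate authentication. The exec-mode trustpoint enrollment commands and the AnyConnect image and profile upload are assumed to be done separately.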
All, I have resolved this issue myself. I've got to say, without raising a TAC, Cisco's support on this issue is really poor. The support in this forum looks to be hit and miss at the very best, and there is no Cisco documentation of how to complete this process even though it's one of their 'major products' and it's included in their examination criteria.
No one should be able to complete this with the current Cisco documentation, no one. If you're using a 2008 server with NDES, and trying to use proxy SCEP, then this solution and guidance from Cisco is completely un-doable.
If you need help with this error contact me directly as you're not going to get help from Cisco on it without a TAC.