I am facing the following issue in AnyConnect VPN deployment.
Requirement - Users should receive an AnyConnect Profile, which has SCEP enabled, so that they can request a certificate from the organization's Microsoft CA.
I already have a certificate on the ASA from the same CA and I want to use certificate authentication for AnyConnect.
ASA version is 8.4. I defined the flow as:
1: Create User > bind it with a group policy > bind group policy with tunnel-group (Connection profile)
2: Define a profile (that has SCEP enabled & CA information URL etc.) and bind it with the group policy and also add it under
AnyConnect Profile ....
When I initiate https://ASA_Ip_Address, I authenticate with the username/password created above, AnyConnect is installed and I am connected, but the profile is not downloaded, because I see no change on my AnyConnect screen to request a certificate. It remains the same, as no profile is available.
I have followed the standard procedure. Please guide me on what could be going wrong.
Any inputs from your side will be highly appreciated.
It sounds like you are going about it correctly. You didn't mention all the details you set up or provide the configuration, but I recommend you review the steps for SCEP in the AnyConnect Admin Guide here.
Have you examined the profile (.xml file) on your ASA to verify it has the parameters you expect? If it does, you could try manually copying the xml onto a test client to see if it then behaves in the way you desire. It resides in %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile for Windows 7 clients.
In Windows 7 client, the AnyConnect profile (xml file) gets downloaded into %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile automatically when it works as you desire. In cases where one wants to not automatically download (e.g., pre-deployment scenario), it can be manually copied into that location. If you do that, it will at least validate the profile works.
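The profile check suggested in the reply above can be scripted. The following is an added example, not part of the original thread and not Cisco code. The element names (`CertificateEnrollment`, `CAURL`, `AutomaticSCEPHost`, `CertificateSCEP`, `Name_CN`, `DisplayGetCertButton`) and the required/optional split are assumptions to compare against what your profile editor writes; the sample profile and its host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; host names are placeholders.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateEnrollment>
      <AutomaticSCEPHost>asa.example.com/scep-group</AutomaticSCEPHost>
      <CAURL PromptForChallengePW="false">http://ca.example.com/certsrv/mscep/mscep.dll</CAURL>
      <CertificateSCEP>
        <Name_CN>%USER%</Name_CN>
        <KeySize>2048</KeySize>
        <DisplayGetCertButton>true</DisplayGetCertButton>
      </CertificateSCEP>
    </CertificateEnrollment>
  </ClientInitialization>
</AnyConnectProfile>"""

# Assumed element names, looked up relative to CertificateEnrollment.
REQUIRED = ("CAURL", "CertificateSCEP/Name_CN")
OPTIONAL = ("AutomaticSCEPHost", "CertificateSCEP/DisplayGetCertButton")


def _strip_ns(root):
    """Drop XML namespaces so lookups work whatever xmlns the file uses."""
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root


def check_scep_profile(xml_text):
    """Return (errors, warnings) for the SCEP section of a profile."""
    try:
        root = _strip_ns(ET.fromstring(xml_text))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], []
    enroll = root.find(".//CertificateEnrollment")
    if enroll is None:
        return ["no CertificateEnrollment section: SCEP is not enabled"], []

    def empty(path):
        node = enroll.find(path)
        return node is None or not (node.text or "").strip()

    errors = [f"missing or empty {p}" for p in REQUIRED if empty(p)]
    warnings = [f"missing or empty {p}" for p in OPTIONAL if empty(p)]
    return errors, warnings


if __name__ == "__main__":
    print(check_scep_profile(SAMPLE_PROFILE))
```

Run it against the XML exported from the ASA and against the copy under the client's Profile directory; if the client copy is absent or differs, the download step is where the problem lies rather than the profile content.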