Cisco Support Community

New Member

Anyconnect scep auto enrollment


I have a query about the setup for this. I have been following this procedure below. My ASA is on version 8.2(5) and the AnyConnect is version 3. The CA I am using is Windows Server 2008. I have been testing with a Sub CA.

I can open AnyConnect and get prompted by the firewall to select the profile to use. I select the certenroll profile and log in with AD credentials but keep getting authentication failed and nothing happens. The authentication on the profile is set to local but I'm not sure what this authenticates to or if the AnyConnect profile relays this to the CA server.

I have seen some videos which show more settings on the ASDM for SCEP proxy settings. The method I am using is tunneling queries from the endpoint to the CA server. I am wondering if my version of AnyConnect/firewall supports this and would I be best upgrading to version 9 of ASA and use SCEP proxy instead of the tunnelling method.

Also just as a check on the CA side of things. Does the CA need to be running NDES to support requests sent from the firewall?

Cisco Employee

Anyconnect scep auto enrollment

SCEP proxy was not integrated into the ASA until 8.4.

If you want to do legacy SCEP, this should work. Your AnyConnect version is OK, but we always suggest the latest in the 3.0/3.1 line for the most up-to-date bug fixes.
