I've succesfully set up our ASA with SCEP against our internal Microsoft CA server, and sent requests for both a CA certificate and an ID cert. Both have been deployed successfully, and I can request the CRL list from the ASA with the internal CA certificate selected.
The CRL request is successful, and I can see in the CRL list, that my test computer is among those computer certificates revoked on the server. So far so good.
Problem is: even though the computer certificate has been revoked, the computer still authenticates without problems, and connects with VPN. We are using AnyConnect 2.4 by the way.
I've tried with cert-only authentication in the connection profile (cause maybe it was the radius letting me in), but I still get access.
Is there anything I have missed? Is there a setting somewhere where I have to configure a "deny access" for revoked certs?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...