SEC0134 - SSL VPN AnyConnect Secure Mobility SCEP Proxy (Part 1)

The video shows you how to configure SCEP proxy on Cisco AnyConnect Secure Mobility so that remote VPN clients can obtain an identity certificate without the client ever communicating directly with the internal Certificate Authority (CA) server; the ASA forwards the SCEP enrollment request on the client's behalf. We also show how to solve the problem of selecting the correct certificate for VPN authentication when the VPN client holds multiple identity certificates, using the Certificate Matching feature. A basic working knowledge of certificates and SCEP is recommended before viewing this video.
 
Part 1 of this video covers SCEP Proxy configuration and testing.
 
Topic:
  • SCEP Proxy
  • SCEP Request and Enrollment
  • VPN Username/Certificate Authentication
  • Certificate Matching
  • AnyConnect on iPhone
  • AnyConnect on Android
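The ASA side of the setup described above, written out as an added example. This is not the lab's own configuration: vpn.example.com, ca.example.local, the AD-LDAP server group, the address pool, the image filename and all object names are placeholders. It uses two tunnel groups so that a client without a certificate can only reach the enrollment flow, and a client that already holds one authenticates with certificate plus credentials.

```text
! ASA side of AnyConnect SCEP proxy (added example, not the lab's own config).
! Placeholders: vpn.example.com, ca.example.local, AD-LDAP, VPN-POOL, the
! AnyConnect image filename and every object name.
!
! Flow: a client with no certificate connects to the AAA-only group TG-ENROLL,
! AnyConnect sends its SCEP request to the ASA over the tunnel, and the ASA
! forwards it to the scep-forwarding-url. The client never reaches the CA
! itself. Once the certificate is installed, the client connects to TG-CERT.

ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0

! 1. Trust the internal CA so the ASA can validate the client certificates.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 crl configure
! then paste the CA certificate with:  crypto ca authenticate INTERNAL-CA

! 2. Enrollment group-policy: SCEP forwarding on, all other traffic denied.
!    The SCEP request goes to the ASA and is forwarded from there, so the
!    deny-all vpn-filter leaves the unenrolled client with nothing else.
access-list ACL-ENROLL-ONLY extended deny ip any any
group-policy GP-SCEP-ENROLL internal
group-policy GP-SCEP-ENROLL attributes
 vpn-tunnel-protocol ssl-client
 scep-forwarding-url value http://ca.example.local/certsrv/mscep/mscep.dll
 vpn-filter value ACL-ENROLL-ONLY
 webvpn
  anyconnect profiles value SCEP-PROFILE type user

! 3. Group-policy for enrolled clients: normal access.
group-policy GP-CERT internal
group-policy GP-CERT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value SCEP-PROFILE type user

! 4. Enrollment tunnel-group: username/password against AD only.
tunnel-group TG-ENROLL type remote-access
tunnel-group TG-ENROLL general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-SCEP-ENROLL
tunnel-group TG-ENROLL webvpn-attributes
 authentication aaa
 group-alias Enroll enable

! 5. Production tunnel-group: certificate plus AD credentials, so a copied
!    certificate alone is not enough to connect.
tunnel-group TG-CERT type remote-access
tunnel-group TG-CERT general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-CERT
tunnel-group TG-CERT webvpn-attributes
 authentication aaa certificate
 group-alias Cert enable

! 6. Publish the client profile and let the client pick the group by alias.
!    In the profile, AutomaticSCEPHost is "vpn.example.com/Enroll" and the
!    server entry's UserGroup is "Cert".
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-image.pkg 1
 anyconnect profiles SCEP-PROFILE disk0:/scep-profile.xml
 anyconnect enable
 tunnel-group-list enable
```

Two points worth checking on a live box: the CA must issue the certificate during the same session, because the SCEP exchange completes while the client is connected to TG-ENROLL; and a user who authenticates to TG-ENROLL but never receives a certificate stays connected under GP-SCEP-ENROLL, where the vpn-filter is what actually limits them. Move users to the richer policy only by having them reconnect to TG-CERT with the issued certificate.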

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

6 comments

Hey Master, just wondering how to enroll AnyConnect with the IOS CA in your lab scenario? What's the SCEP URL under the tunnel-group and group policy for the IOS CA?

Thanks,

From the link below, it seems like just the router IP with TCP/80.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...

Love your videos, very informative! I'm having a big issue with SCEP proxy; maybe you can help me out.
I've set it up just as in the video. However, when we connect with Android or iPhone and enter the AD credentials, we end up connected, and the ASA sends the SCEP request to the CA, but as we want to control what devices get a certificate, we've changed a setting in the CA template so that we have to issue the certificate manually. BUT, even if I don't issue the certificate, both Android and iPhone stay connected and can access internal resources anyway. They should not be able to do this without a certificate, any clues? I even have a TAC case open with Cisco, but so far nothing.

I believe manual cert approval is not possible, as by the time the cert is approved the client may no longer be connected to the VPN. As long as the user can successfully authenticate to AD, they will connect, but you can limit what access they will have, and once they have successfully obtained a certificate, you can switch them to another group policy that gives them more access.

When I enter the scep url command under the group-policy, I get this error:
Attempting to retrieve the CA/RA certificate(s) using the URL. Please wait ...
WARNING: Failed to get CA/RA certificate(s): Unknown content-type in the response from CA.

Can you validate that your cert and SCEP server are set up properly? Can you create a trustpoint on the ASA and try to authenticate? Do you see any error messages on the CA?
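The trustpoint test suggested in the reply above, written out as an added example rather than anything from the video. The CA URL and trustpoint name are placeholders; the point is that crypto ca authenticate issues the same SCEP GetCACert request the scep-forwarding-url command does, so it isolates the CA-side problem from the rest of the VPN configuration.

```text
! Added example: test the SCEP endpoint from the ASA itself before pointing
! a group-policy at it. CA URL and trustpoint name are placeholders.

! Show the SCEP messages and the HTTP transaction with the CA.
debug crypto ca messages 255
debug crypto ca transactions 255

crypto ca trustpoint SCEP-TEST
 enrollment url http://ca.example.local/certsrv/mscep/mscep.dll
 exit

! Sends GetCACert to the URL above. A healthy CA answers with DER and a
! content-type of application/x-x509-ca-cert or application/x-x509-ca-ra-cert
! (RFC 8894). "Unknown content-type in the response from CA" means the web
! server answered with something else, typically an HTML error or login page,
! so check the exact enrollment path and the web server's authentication
! settings on the CA.
crypto ca authenticate SCEP-TEST

! Confirm the CA/RA certificate(s) landed, then clean up.
show crypto ca certificates SCEP-TEST
no debug all
no crypto ca trustpoint SCEP-TEST noconfirm
```

If crypto ca authenticate succeeds here but scep-forwarding-url still fails, the URL in the group-policy differs from the one that worked, or the ASA reaches the CA over a different interface or route than the one used for the trustpoint test.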