SEC0213 - ISE 2.0 Internal CA SCEP with AnyConnect VPN (Part 1)

The video shows you how to configure the Cisco ISE 2.0 internal CA as a SCEP server so that the AnyConnect VPN client can obtain a certificate. We go through the basic configuration of ASA AnyConnect VPN needed to enable SCEP proxy, then perform a test certificate request over the VPN. Afterwards, we configure the ASA to check client certificate validity using OCSP.

Part 1 of this video covers the AnyConnect VPN configuration on the ASA.

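As an added illustration (this is not configuration from the video or from labminutes.com), the ASA-side pieces the summary names: a trustpoint for the ISE internal CA with OCSP revocation checking, and a group-policy that turns the ASA into a SCEP proxy for the AnyConnect client. The hostname ise.example.com, the trustpoint, group-policy, profile and tunnel-group names are assumptions, and the OCSP and SCEP URL paths and ports are placeholders to be replaced with the URLs shown under the Certificate Authority pages of your own ISE deployment.

```cisco
! Added example, not from the video. Names and URLs below are assumptions.

! Trustpoint for the ISE internal CA. The CA certificate is pasted in at the
! terminal (no enrollment against ISE is attempted by the ASA itself), and every
! client certificate validated against this trustpoint is checked with the ISE
! OCSP responder. With no "none" keyword after ocsp the check fails closed:
! an unreachable responder means the connection is rejected rather than allowed.
crypto ca trustpoint ISE-INTERNAL-CA
 enrollment terminal
 revocation-check ocsp
 ocsp url http://ise.example.com:2560/ocsp
crypto ca authenticate ISE-INTERNAL-CA
! (paste the base64 ISE CA certificate here, then type "quit")

! Group-policy for the enrollment connection. The client authenticates with
! AAA credentials first; the ASA then forwards the client's SCEP request to
! ISE, so the client never needs direct reachability to the ISE CA.
group-policy GP-SCEP-ENROLL internal
group-policy GP-SCEP-ENROLL attributes
 vpn-tunnel-protocol ssl-client
 scep-forwarding-url value http://ise.example.com:9090/auth/caservice/pkiclient.exe
 webvpn
  anyconnect profiles value SCEP-ENROLL-PROFILE type user
! SCEP-ENROLL-PROFILE is an AnyConnect client profile that must have certificate
! enrollment enabled in the profile editor; that XML is not shown here.

! Tunnel-group the client connects to for enrollment.
tunnel-group SCEP-ENROLL type remote-access
tunnel-group SCEP-ENROLL general-attributes
 default-group-policy GP-SCEP-ENROLL
tunnel-group SCEP-ENROLL webvpn-attributes
 authentication aaa
 group-alias enroll enable
```

Keeping scep-forwarding-url on only one group-policy is what limits who can request a certificate through the proxy: users mapped to a different group-policy get no SCEP forwarding at all, which is the same control the ASA relies on for any per-group setting.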
Topic:
  • ASA SCEP Proxy
  • ASA AnyConnect VPN
  • AnyConnect Client Profile
  • Authorization Policy
  • Certificate Revocation Check
  • Online Certificate Status Protocol (OCSP)

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

9 comments

When I issue the command for SCEP under group-policy I get:

Attempting to retrieve the CA/RA certificate(s) using the url. Please wait ...
WARNING; Failed to get CA/RA certificate(s): unknown content-type in the response from CA.

Following my previous comments, I've noticed that I don't have the CA_Service_Certificate_Template on my template list. Could this be the reason why my ASA is not able to get a cert from ISE (crypto ca authenticate ISE)?
How can I regenerate that cert if it is needed?

thank you

That is very possible. The template should be there by default and it shouldn't let you delete it. Are you running version 2.0? The SCEP service on ISE is meant for giving out certs as VPN users authenticate, so you might not be able to use the 'crypto ca authenticate' command.

Is it possible to use the ISE 2.1 CA as a "regular" CA and not inside SCEP? Thanks!

You can via the Certificate Provisioning portal. You can request a cert one at a time or in bulk, similarly to MS CA. Keep in mind that the ISE CA is not meant to be a general-purpose CA and should only be used for network auth.

If I already have a cert built from the BYOD process, can I have access from AnyConnect using the same cert?

Absolutely. Certs are just certs. As long as you configure ISE to trust it, you can use it to authenticate for anything.

Do you know if it is possible to restrict SCEP to a specific group of users (a group from MS AD)? How?

You will probably need to create a separate Group-Policy and only assign users in the AD group to that policy.