SEC0213 - ISE 2.0 Internal CA SCEP with AnyConnect VPN (Part 1)
Category:
Security
The video shows you how to configure the Cisco ISE 2.0 internal CA as a SCEP server so that AnyConnect VPN clients can obtain a certificate. We will go through the basic configuration of ASA AnyConnect VPN needed to enable the SCEP proxy. A test certificate request will be performed over the VPN. Afterwards, we will configure the ASA to check client certificate validity using OCSP.
Part 1 of this video covers the AnyConnect VPN configuration on the ASA.
Topics:
- ASA SCEP Proxy
- ASA AnyConnect VPN
- AnyConnect Client Profile
- Authorization Policy
- Certificate Revocation Check
- Online Certificate Status Protocol (OCSP)
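As an added example (not taken from the lab document), the following ASA configuration ties the topics above together: a trustpoint holding the ISE CA certificate, a group policy that forwards SCEP requests to ISE, an enrollment tunnel group with the SCEP proxy enabled, and a production tunnel group that authenticates clients by certificate with an OCSP revocation check. The hostname ise.example.com, the address 10.0.0.5, the trustpoint, group-policy, tunnel-group and AAA server names, and the SCEP and OCSP URL paths are placeholders; verify the URLs against the SCEP and OCSP endpoints shown in your own ISE deployment.

```cisco
! Added example configuration; all names, hosts and URL paths are placeholders.

! RADIUS server group pointing at ISE (used for the enrollment tunnel group).
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.5
 key <shared-secret-placeholder>

! 1. Trustpoint for the ISE internal CA. Using terminal enrollment means the
!    ISE CA certificate (exported from ISE) is pasted in at the prompt, so the
!    ASA does not depend on fetching it over SCEP. The same trustpoint carries
!    the OCSP setting used when validating client certificates.
crypto ca trustpoint ISE-CA
 enrollment terminal
 revocation-check ocsp
 ocsp url http://ise.example.com:2560/ocsp
! Appending "none" (revocation-check ocsp none) would let a session through when
! the responder is unreachable; keep it strict unless you accept that.
crypto ca authenticate ISE-CA
! (paste the PEM of the ISE CA certificate, then "quit")

! 2. Group policy used during enrollment: the ASA acts as SCEP proxy and forwards
!    the client's certificate request to the ISE SCEP URL.
group-policy GP-SCEP-ENROLL internal
group-policy GP-SCEP-ENROLL attributes
 vpn-tunnel-protocol ssl-client
 scep-forwarding-url value http://ise.example.com:9090/auth/caservice/pkiclient.exe

! 3. Enrollment tunnel group: username/password against ISE, SCEP proxy enabled.
tunnel-group TG-SCEP-ENROLL type remote-access
tunnel-group TG-SCEP-ENROLL general-attributes
 authentication-server-group ISE-RADIUS
 default-group-policy GP-SCEP-ENROLL
tunnel-group TG-SCEP-ENROLL webvpn-attributes
 scep-enrollment enable
 group-alias scep-enroll enable

! 4. Production tunnel group: after enrollment the client authenticates with the
!    ISE-issued certificate, which the ASA validates against ISE-CA (including
!    the OCSP check configured above).
group-policy GP-VPN internal
group-policy GP-VPN attributes
 vpn-tunnel-protocol ssl-client
tunnel-group TG-CERT type remote-access
tunnel-group TG-CERT general-attributes
 default-group-policy GP-VPN
tunnel-group TG-CERT webvpn-attributes
 authentication certificate
 group-alias vpn enable

! AnyConnect must be enabled on the outside interface for either tunnel group.
webvpn
 enable outside
 anyconnect enable
```

Keeping enrollment and production in separate tunnel groups limits the password-based path to the one-time enrollment step; once a client holds an ISE-issued certificate it only ever hits the certificate-authenticated group, and a revoked certificate is rejected there by the OCSP check.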
9 comments
not able to add SCEP url to group policy
When I issue the SCEP command under group-policy I get:
Attempting to retrieve the CA/RA certificate(s) using the url. Please wait ...
WARNING; Failed to get CA/RA certificate(s): unknown content-type in the response from CA.
Template could be the issue for not getting SCEP?
Following my previous comment, I've noticed that I don't have the CA_Service_Certificate_Template in my template list. Could this be the reason why my ASA is not able to get a cert from ISE (crypto ca authenticate ISE)?
How can I regenerate that cert if needed?
Thank you.
Template could be the issue for not getting SCEP?
That is very possible. The template should be there by default and it shouldn't let you delete it. Are you running version 2.0? The SCEP service on ISE is meant for giving out certs as VPN users authenticate, so you might not be able to use the 'crypto ca authenticate' command.
ISE 2.1 CA
Is it possible to use the ISE 2.1 CA as a "regular" CA and not inside SCEP? Thanks!
ISE 2.1 CA
You can via the Certificate Provisioning Portal. You can request a cert one at a time or in bulk, similarly to MS CA. Keep in mind that the ISE CA is not meant to be a general-purpose CA and should only be used for network auth.
ISE 2.1 + BYOD
If I already have a cert built from the BYOD process, can I access AnyConnect using the same cert?
ISE 2.1 + BYOD
Absolutely. Certs are just certs. As long as you configure ISE to trust it, you can use it to authenticate for anything.
scep to a specific group only
Do you know if it is possible to restrict SCEP to a specific group of users (a group from MS AD)? How?
scep to a specific group only
You will probably need to create a separate group-policy and only assign users in the AD group to that policy.