SEC0134 - SSL VPN AnyConnect Secure Mobility SCEP Proxy (Part 2)

The video shows you how to configure SCEP proxy on Cisco AnyConnect Secure Mobility so that VPN clients can remotely obtain an identity certificate without the client ever communicating directly with the internal Certificate Authority (CA) server; the ASA forwards the enrollment request on the client's behalf. We also show how to use the Certificate Matching feature to solve the problem of selecting the correct certificate for VPN authentication when the VPN client holds multiple identity certificates. A basic working knowledge of certificates and SCEP is recommended before viewing this video.

Part 2 of this video goes over Certificate Matching configuration and testing.
Topic:
  • SCEP Proxy
  • SCEP Request and Enrollment
  • VPN Username/Certificate Authentication
  • Certificate Matching
  • AnyConnect on iPhone
  • AnyConnect on Android

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

4 comments

Hi Metha

At time-stamp 11:27, I thought that RADIUS was doing cert and AAA authentication. However, I think that was not the case after watching the video. Could you please explain why the ASA is/was doing authentication when we have RADIUS configured?

Thank you and thanks for posting very useful demos.
Muhammad Khan

Certificate authentication is done between the ASA and the client without the RADIUS server being involved. The RADIUS server only comes in if you want to use it for authorization (e.g. DACL or other RADIUS attributes). Technically, you can complete client-based cert authentication without a RADIUS server.

Besides SCEP, is there any other way to enroll/transfer/import a certificate on an Apple device? I thought I did using an MDM solution, but the certificate does not show under AnyConnect>myvpnprofile>Advance>Certificate>Automatic.

I keep getting "This connection requires a client certificate, but no matching certificate is configured."

And I can see the client certificate is installed under Settings>General>VPN & Device Management>Mobile Device Management.

Thanks

Most MDM vendors allow you to associate a certificate profile with the VPN profile, so when it is pushed to the client, AnyConnect knows which cert to use. You may also want to look into the cert matching settings in the client profile to make sure a cert with matching criteria is selected.
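To illustrate the client-profile certificate matching referred to in the thread and in the video description, here is an added example of a CertificateMatch block in an AnyConnect client profile. It is not taken from the video or the lab document; the OU value VPN-Users and the profile name are assumed placeholders, and the criteria shown (Key Usage, Extended Key Usage and a Distinguished Name rule) restrict AnyConnect to a certificate issued for VPN use so that a device holding several identity certificates does not present the wrong one.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (assumed name: myvpnprofile.xml), not the page's own -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Only consider certificates that can sign (TLS client authentication) -->
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <!-- Require the Client Authentication EKU so server or encryption-only
           certificates on the device are never selected -->
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <!-- Narrow further to the subject OU issued by the VPN CA
           (assumed value: VPN-Users; Wildcard disabled for an exact match) -->
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>OU</Name>
          <Pattern>VPN-Users</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>
```

If no installed certificate satisfies all three criteria, AnyConnect reports that no matching certificate is configured, which is the same symptom described above when an MDM-installed certificate is not associated with the VPN profile.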