View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0134 - SSL VPN AnyConnect Secure Mobility SCEP Proxy (Part 2)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0134 - Video Download $10.00
Purchase SEC0134 - Video Download $10.00
The video shows you how to configure SCEP proxy on Cisco AnyConnect Secure Mobility to help VPN clients remotely obtain an identity certificate without allowing client to communicate directly to an internal Certificate Authority (CA) server. We will also show you how to solve the problem of how to select a correct certificate for VPN authentication when VPN client possesses multiple identity certificate using Certificate Matching feature. A basic working knowledge of certificate and SCEP is recommended before viewing this video.
Part 2 of this video goes over Certificate Matching configuration, and testing
  • SCEP Proxy
  • SCEP Request and Enrollment
  • VPN Username/Certificate Authentication
  • Certificate Matching
  • AnyConnect on iPhone
  • AnyConnect on Android

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Hi Metha

At time-stamp 11:27, i thought that Radius was doing cert and aaa authentication. However i think that was not the case after watching the video. Could you please explain that why ASA is/was doing authentication when we have Radius configured.

Thank you and thanks for posting very useful demos.
Muhammad Khan

Certificate authentication is done between ASA and client without RADIUS server being involved. RADIUS server only comes in if you want to use it for authorization (eg. DACL, or other RADIUS attribute). Technically, you can complete client-based cert authentication without RADIUS server.