View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0213 - ISE 2.0 Internal CA SCEP with AnyConnect VPN (Part 1)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0213 - Video Download $11.00
Purchase SEC0213 - Video Download $11.00
The video shows you how to configure Cisco ISE 2.0 internal CA as a SCEP server for AnyConnect VPN client to obtain a certificate. We will go through basic configuration of ASA AnyConnect VPN to enable SCEP proxy. A test certificate request will be performed over VPN. Afterwards, we will configure the ASA to perform client certificate validity check using OCSP.
Part 1 of this video covers AnyConnect VPN configuration on ASA
  • ASA SCEP Proxy
  • ASA AnyConnect VPN
  • AnyConnect Client Profile
  • Authorization Policy
  • Certificate Revocation Check
  • Online Certificate Status Protocol  (OCSP)

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


when I issue the command for scep under group-policy I get

Attempting to retrieve the CA/RA certificate(s) using the url. Please wait ...
WARNING; Failed to get CA/RA certificate(s): unknown content-type in the response from CA.

following my previous comments, I've noticed that I don't have the CA_Service_Certificate_Template on my template List . could this be the reason why my ASA is not able to get Cert from ISE ( crypto ca authenticate ISE ) ?
how can I regenerate that Cert if is needed ?

thank you

That is very possible. The Template should be there by default and it shouldn't let you delete it. Are you running version 2.0? SCEP service on ISE is meant for giving out cert as VPN user authenticate so you might not be able to use the 'crypto ca authenticate' command.

Is it posible to use ISE 2.1 CA as a "regular" CA and not inside SCEP ? Thanks !

You can via the Certificate provisioning protal. You can request a cert one at a time or in bulk similarly to MS CA. Keep in mind that ISE CA is not meant to be general-purpose CA and should only be use for network auth.

If I have alrready cert build from BYOD proccess, can I have access from AnyConnect using same cert ?

Absolutely. Certs are just cert. As long as you configure ISE to trust it, you can use it to authenticate for anything.

Do you know if is it possible to restrict SCEP for a specific group of users (a group from ms ad)? how?

You will probably need to create a separate Group-Policy and only assign users in the AD group to that policy.