Configuring proxy support for scep requests – Cisco ASA 5505 User Manual

Page 839

Advertising
background image

41-21

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 41 Configuring Digital Certificates

Configuring Digital Certificates

Configuring Proxy Support for SCEP Requests

To configure the ASA to authenticate remote access endpoints using third-party CAs, perform the
following steps:

Step 3

show

crypto ca server certificate

Example:

hostname/contexta(config)# show crypto ca server

certificate Main

Verifies that the enrollment process was successful by
displaying certificate details issued for the ASA and
the CA certificate for the trustpoint.

Step 4

write memory

Example:

hostname/contexta(config)# write memory

Saves the running configuration.

Command

Purpose

Command

Purpose

Step 1

crypto ikev2 enable outside client-services port

portnumber

Example:

hostname(config-tunnel-ipsec)# crypto ikev2 enable

outside client-services

Enables client services.

Note

Needed only if you support IKEv2.

Enter this command in tunnel-group ipsec-attributes
configuration mode.

The default port number is 443.

Step 2

scep-enrollment enable

Example:

hostname(config-tunnel-general)# scep-enrollment

enable

INFO: 'authentication aaa certificate' must be

configured to complete setup of this option.

Enables SCEP enrollment for the tunnel group.

Enter this command in tunnel-group
general-attributes configuration mode.

Step 3

scep-forwarding-url value

URL

Example:

hostname(config-group-policy)# scep-forwarding-url

value http://ca.example.com:80/

Enrolls the SCEP CA for the group policy.

Enter this command once per group policy to support
a third-party digital certificate. Enter the command in
group-policy general-attributes configuration mode.

URL is the SCEP URL on the CA.

Step 4

secondary-pre-fill-username clientless hide

use-common-password

password

Example:

hostname(config)# tunnel-group remotegrp

webvpn-attributes

hostname(config-tunnel-webvpn)#

secondary-pre-fill-username clientless hide

use-common-password secret

Supplies a common, secondary password when a
certificate is unavailable for WebLaunch support of
the SCEP proxy.

You must use the hide keyword to support the SCEP
proxy.

For example, a certificate is not available to an
endpoint requesting one. Once the endpoint has the
certificate, AnyConnect disconnects, then reconnects
to the ASA to qualify for a DAP policy that provides
access to internal network resources.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals