This document describes the use of Legacy Simple Certificate Enrollment Protocol (SCEP) on the Cisco Adaptive Security Appliance (ASA).
Caution: As of Cisco AnyConnect Release 3.0, this method should not be used. It was previously necessary because mobile devices did not have the 3.x client, but both Android and iPhones now have support for SCEP proxy, which should be used instead. Only in cases where it is not supported because of the ASA should you configure Legacy SCEP. However, even in these cases, an ASA upgrade is the recommended option.
Cisco recommends that you have knowledge of Legacy SCEP.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
SCEP is a protocol designed to make the distribution and revocation of digital certificates as scalable as possible. The idea is that any standard network user should be able to request a digital certificate electronically with very little intervention from network administrators. For VPN deployments that require certificate authentication with the enterprise Certificate Authority (CA), or with any third-party CA that supports SCEP, users can now request signed certificates from the client machines without the involvement of the network administrators.
Note: If you desire to configure the ASA as the CA server, then SCEP is not the proper protocol method. Refer to The Local CA section of the Configuring Digital Certificates Cisco document instead.
As of ASA Release 8.3, there are two supported methods for SCEP:
The older method, called Legacy SCEP, is discussed in this document.
The SCEP proxy method is the newer of the two methods, where the ASA proxies the certificate enrollment request on behalf of the client. This process is cleaner because it does not require an extra tunnel group and is also more secure. However, the drawback is that SCEP proxy only works with Cisco AnyConnect Release 3.x. This means that the current AnyConnect client version for mobile devices does not support SCEP proxy.
This section provides information that you can use in order to configure the Legacy SCEP protocol method.
Here are some important notes to keep in mind when Legacy SCEP is used:
After the client receives the signed certificate, the ASA must recognize (trust) the CA that signed the certificate before it is able to authenticate the client. Therefore, you must ensure that the ASA also enrolls with the CA server. The enrollment process for the ASA should be the first step because it ensures that:
The CA is configured correctly and is able to issue certificates via SCEP if you use the URL enrollment method.
The ASA is able to communicate with the CA. Therefore, if the client cannot, then there is an issue between the client and the ASA.
When the first connection attempt is made, there will not be a signed certificate. There must be another option that can be used in order to authenticate the client.
In the certificate enrollment process itself, the ASA plays no role other than that of VPN aggregator: the client builds a tunnel through it in order to securely obtain the signed certificate. Once the tunnel is established, the client must be able to reach the CA server; otherwise, it is not able to enroll.
Enroll the ASA
The ASA enrollment process is relatively easy and does not require any new information. Refer to the Enrolling the Cisco ASA to a CA Using SCEP document for more information about how to enroll the ASA to a third-party CA.
Configure a Tunnel for Enrollment Use
As mentioned previously, in order for the client to be able to obtain a certificate, a secure tunnel must be built with the ASA through a different method of authentication. To do this, you configure one tunnel-group that is used only for the first connection attempt, when the certificate request is made. Here is a snapshot of the configuration that defines this tunnel-group:
rtpvpnoutbound6(config)# show run user
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 0

rtpvpnoutbound6# show run group-policy gp_certenroll
group-policy gp_certenroll internal
group-policy gp_certenroll attributes
 wins-server none
 dns-server value <dns-server-ip-address>
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 group-lock value certenroll
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_certenroll
 default-domain value cisco.com
 webvpn
  anyconnect profiles value pro-sceplegacy type user

rtpvpnoutbound6# show run access-l acl_certenroll
access-list acl_certenroll remark to allow access to the CA server
access-list acl_certenroll standard permit host <ca-server-ipaddress>

rtpvpnoutbound6# show run all tun certenroll
tunnel-group certenroll type remote-access
tunnel-group certenroll general-attributes
 address-pool ap_fw-policy
 authentication-server-group LOCAL
 secondary-authentication-server-group none
 default-group-policy gp_certenroll
tunnel-group certenroll webvpn-attributes
 authentication aaa
 group-alias certenroll enable
Here is the client profile that can either be pasted into a Notepad file and imported to the ASA, or it can be configured with the Adaptive Security Device Manager (ASDM) directly:
Note: A group-url is not configured for this tunnel-group. This is important because Legacy SCEP does not work with the URL. You must select the tunnel-group with its alias. This is because of Cisco bug ID CSCtq74054. If you experience issues because of the group-url, you might need to follow up on this bug.
Configure a Tunnel for User Certificate Authentication
When the signed ID certificate is received, a connection with certificate authentication is possible. However, the tunnel-group that is actually used for that connection has not yet been configured. This configuration is similar to that of any other connection profile (a term synonymous with tunnel-group, not to be confused with the client profile) that uses certificate authentication.
Here is a snapshot of the configuration that is used for this tunnel:
rtpvpnoutbound6(config)# show run access-l acl_fw-policy
access-list acl_fw-policy standard permit 192.168.1.0 255.255.255.0

rtpvpnoutbound6(config)# show run group-p gp_legacyscep
group-policy gp_legacyscep internal
group-policy gp_legacyscep attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_fw-policy
 default-domain value cisco.com
 webvpn
  anyconnect modules value dart

rtpvpnoutbound6(config)# show run tunnel tg_legacyscep
tunnel-group tg_legacyscep type remote-access
tunnel-group tg_legacyscep general-attributes
 address-pool ap_fw-policy
 default-group-policy gp_legacyscep
tunnel-group tg_legacyscep webvpn-attributes
 authentication certificate
 group-alias legacyscep enable
 group-url https://rtpvpnoutbound6.cisco.com/legacyscep enable
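As an added configuration check (not from this document or from Cisco), the following Python audit parses the webvpn-attributes of tunnel-groups from show run output and verifies the constraints described in the two tunnel sections above: the enrollment tunnel-group authenticates with AAA, is selectable by an enabled alias, and carries no group-url (the CSCtq74054 limitation), while the certificate tunnel-group uses certificate authentication. SAMPLE_CONFIG is a constructed excerpt of this document's configuration.

```python
import re

# Constructed sample: the two tunnel-groups from this document, in the
# indented form that "show run tunnel-group" prints.
SAMPLE_CONFIG = """\
tunnel-group certenroll type remote-access
tunnel-group certenroll webvpn-attributes
 authentication aaa
 group-alias certenroll enable
tunnel-group tg_legacyscep type remote-access
tunnel-group tg_legacyscep webvpn-attributes
 authentication certificate
 group-alias legacyscep enable
 group-url https://rtpvpnoutbound6.cisco.com/legacyscep enable
"""


def parse_tunnel_groups(config):
    """Map tunnel-group name -> list of sub-commands under its webvpn-attributes."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        if line.startswith(" ") and current is not None:
            current.append(line.strip())  # sub-command of the open block
        elif not line.startswith(" "):
            current = None  # any other top-level command closes the block
    return groups


def check_legacy_scep(config, enroll_tg, cert_tg):
    """Return findings; an empty list means both tunnel-groups satisfy the
    Legacy SCEP constraints this document describes."""
    groups = parse_tunnel_groups(config)
    enroll = groups.get(enroll_tg, [])
    cert = groups.get(cert_tg, [])
    findings = []
    if "authentication aaa" not in enroll:
        findings.append(f"{enroll_tg}: enrollment tunnel must use 'authentication aaa'")
    if not any(c.startswith("group-alias ") and c.endswith(" enable") for c in enroll):
        findings.append(f"{enroll_tg}: no enabled group-alias; the client must select it by alias")
    if any(c.startswith("group-url ") for c in enroll):
        findings.append(f"{enroll_tg}: group-url present; Legacy SCEP does not work with a URL (CSCtq74054)")
    if "authentication certificate" not in cert:
        findings.append(f"{cert_tg}: certificate tunnel must use 'authentication certificate'")
    return findings
```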
Renew the User Certificate
When the user certificate expires or is revoked, Cisco AnyConnect fails the certificate authentication. The only option is to reconnect to the certificate enrollment tunnel-group in order to trigger the SCEP enrollment again.
Use the information that is provided in this section in order to confirm that your configuration works properly.
Note: Since the Legacy SCEP method should only be implemented with the use of mobile devices, this section only deals with mobile clients.
Complete these steps in order to verify your configuration:
When you attempt to connect for the first time, enter the ASA hostname or IP address.
Select certenroll, or the group alias that you configured in the Configure a Tunnel for Enrollment Use section of this document. You are then prompted for a username and password, and the get certificate button is displayed.
Click the get certificate button.
If you check your client logs, this output should display:
Even though the last message shows an error, it only informs the user that this step is required before the client can be used for the next connection attempt, which is made with the second connection profile that is configured in the Configure a Tunnel for User Certificate Authentication section of this document.