Guest

Cisco ASA 5500-X Series Next-Generation Firewalls

Legacy SCEP with the use of the CLI Configuration Guide

Document ID: 113608

Updated: Apr 09, 2013

Contributed by Atri Basu, Cisco TAC Engineer.

   Print

Introduction

 Caution: As of AnyConnect Release 3.0, this method should not be used. It was previously necessary because mobile devices did not have the 3.x client, but now both Android and iPhones have support for SCEP Proxy and that should be used. Only in cases where it is not supported because of the Adaptive Security Appliance (ASA), should you configure Legacy SCEP. However, even in those cases ASA upgrade is the recommended option.

The Simple Certificate Enrollment Protocol (SCEP) is a protocol designed to make the distribution and revocation of digital certificates as scalable as possible. The idea is that any standard network user should be able to request their digital certificate electronically with very little intervention from network administrators. For VPN deployments that require certificate authentication with the enterprise Certificate Authority (CA) or any third-party CA that supports SCEP, users can now request for signed certificates from their client machines without the involvement of their network administrators. If the user wants to configure the ASA as the CA server, then SCEP is not proper protocol method. Refer to The Local CA section of the document "Configuring Digital Certificates" instead.

As of ASA Release 8.3, there are two supported methods of SCEP:

  1. The older method called Legacy SCEP is discussed in this document.
  2. SCEP proxy is the newer method where the ASA proxies the certificate enrollment request on behalf of the client. This process is cleaner because it does not require an extra tunnel group, and is also more secure. However, the drawback is that SCEP proxy only works with AC Release 3.x. This means that the current AC client version for mobile devices does not support SCEP proxy. You can find more information related to the feature parity between mobile clients and the latest AC client version documented in Cisco bug ID CSCtj95743 and check the j-comments.

Prerequisites

Requirements

Cisco recommends that you have knowledge of this topic:

  • Legacy SCEP

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configuration Steps

When Legacy SCEP is used, there are a few things to remember:

  1. After the client has received the signed certificate, for the ASA to be able to authenticate the client it should recognize the CA that signed the certificate. Therefore, you need to ensure that the ASA has also enrolled with the CA server. The enrollment process of the ASA should be the first step because it establishes two things:
    1. The CA is configured correctly and able to issue certificates via SCEP, if you use URL for the enrollment method.
    2. The ASA is able to communicate with the CA. Therefore, if your client cannot, then it is an issue between the client and  the ASA.
  2. When the client attempts its first connection it will not have a signed certificate. There must be another option to authenticate the client.
  3. In the certificate enrollment process, the ASA serves no role. It only serves as the VPN aggregator so that the client can build a tunnel to securely obtain the signed certificate. When the tunnel is established, then the client must be able to reach the CA server. Otherwise, it is not be able to enroll. 

Step 1: Enroll the ASA

This step is relatively easy and does not require anything new. Refer to Enrolling the Cisco ASA to a CA Using SCEP for more information on how to enroll the ASA to a third-party CA.

Step 2: Configure the Tunnel to Use for Enrollment

As mentioned previously, in order for the client to be able to obtain a certificate, it must be able to build a secure tunnel with the ASA through some other method of authentication. In order to do this, you must configure one tunnel-group that is only  used for the very first connection attempt when the client makes a certificate request. Here is a snapshot of the configuration used that defines this tunnel-group. The important lines are marked in bold-italics.

rtpvpnoutbound6(config)# show run user
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 0

rtpvpnoutbound6# show run group-policy gp_certenroll
group-policy gp_certenroll internal
group-policy gp_certenroll attributes
wins-server none
dns-server value <dns-server-ip-address>

vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
group-lock value certenroll
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl_certenroll
default-domain value cisco.com
webvpn
anyconnect profiles value pro-sceplegacy type user

rtpvpnoutbound6# show run access-l acl_certenroll
access-list acl_certenroll remark to allow access to the CA server
access-list acl_certenroll standard permit host <ca-server-ipaddress>

rtpvpnoutbound6# show run all tun certenroll
tunnel-group certenroll type remote-access
tunnel-group certenroll general-attributes
address-pool ap_fw-policy
authentication-server-group LOCAL
secondary-authentication-server-group none
default-group-policy gp_certenroll
tunnel-group certenroll webvpn-attributes
authentication aaa
group-alias certenroll enable

Here is the client profile that you can either paste to a notepad file and import to the ASA, or you can configure it with the Adaptive Security Device Manager (ASDM) directly:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume
    </AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<CertificateEnrollment>
<AutomaticSCEPHost>rtpvpnoutbound6.cisco.com/certenroll</AutomaticSCEPHost>
<CAURL PromptForChallengePW="false" >scep_url</CAURL>
<CertificateImportStore>All</CertificateImportStore>
<CertificateSCEP>
<Name_CN>%USER%</Name_CN>
<KeySize>2048</KeySize>
<DisplayGetCertButton>true</DisplayGetCertButton>
</CertificateSCEP>
</CertificateEnrollment>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false</RetainVpnOnLogoff>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>rtpvpnoutbound6.cisco.com</HostName>
<HostAddress>rtpvpnoutbound6.cisco.com</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>

Note: Notice that a group-url is not configured for this tunnel group. This is important because Legacy SCEP does not work the URL. You must select the tunnel group with its alias. This is because of Cisco Bug ID CSCtq74054If you experience issues because of the group-url you might need to follow-up on this bug. 

Step 3: Configure the Tunnel that is to be Used by the Client for Connection of User Certificates for Authentication

When the client has received the signed ID certificate, it can now connect with certificate authentication. However, the actual tunnel-group that the client uses to connnect has not yet been configured. This configuration is similar to how you configure any other connection-profile. This term is synonymous with tunnel-group and not to be confused with client profile, which uses certificate authentication. This is a snapshot of the configuration used for this tunnel:
 

rtpvpnoutbound6(config)# show run access-l acl_fw-policy

access-list acl_fw-policy standard permit 192.168.1.0 255.255.255.0

rtpvpnoutbound6(config)# show run group-p gp_legacyscep
group-policy gp_legacyscep internal
group-policy gp_legacyscep attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl_fw-policy
default-domain value cisco.com
webvpn
anyconnect modules value dart

rtpvpnoutbound6(config)# show run tunnel tg_legacyscep
tunnel-group tg_legacyscep type remote-access
tunnel-group tg_legacyscep general-attributes
address-pool ap_fw-policy
default-group-policy gp_legacyscep
tunnel-group tg_legacyscep webvpn-attributes
authentication certificate
group-alias legacyscep enable
group-url https://rtpvpnoutbound6.cisco.com/legacyscep enable

Renew User Certificate

When the user certificate expires or is revoked, the AnyConnect fails the certificate authentication. The only option is to reconnect to the certificate enrollment tunnel-group in order to trigger the SCEP enrollment again. 

Verification

Currently, the only situation one should use Legacy SCEP is with the utilization of mobile devices. Therefore, this section only deals with mobile clients. When you attempt to connect the first time, enter the ASA's hostname or IP address. Then, select certenroll, or whatever group alias you configured in Step 2. You are then prompted for a username and password, and the get certificate button is displayed. Click the get certificate button. If you check your client logs, this output should display:

[06-22-12 11:23:45:121] <Information> - Contacting https://rtpvpnoutbound6.cisco.com.
[06-22-12 11:23:45:324] <Warning> - No valid certificates available for authentication.
[06-22-12 11:23:51:767] <Information> - Establishing VPN session...
[06-22-12 11:23:51:879] <Information> - Establishing VPN session...
[06-22-12 11:23:51:884] <Information> - Establishing VPN - Initiating connection...
[06-22-12 11:23:52:066] <Information> - Establishing VPN - Examining system...
[06-22-12 11:23:52:069] <Information> - Establishing VPN - Activating VPN adapter...
[06-22-12 11:23:52:594] <Information> - Establishing VPN - Configuring system...
[06-22-12 11:23:52:627] <Information> - Establishing VPN...
[06-22-12 11:23:52:734] <Information> - VPN session established to
   https://rtpvpnoutbound6.cisco.com.

[06-22-12 11:23:52:764] <Information> - Certificate Enrollment - Initiating, Please Wait.
[06-22-12 11:23:52:771] <Information> - Certificate Enrollment - Request forwarded.
[06-22-12 11:23:55:642] <Information> - Certificate Enrollment - Storing Certificate
[06-22-12 11:24:02:756] <Error> - Certificate Enrollment - Certificate successfully
imported. Please manually associate the certificate with your profile and reconnect.

Even though the last message shows error, it is only to inform the user that this step is necessary in order for that client to be used for the next connection attempt, which is in the second connection profile configured in Step 3.

Related Information

Updated: Apr 09, 2013
Document ID: 113608