Hi Fawad,

The server that's listening on port 4434 is the ASDM service, not the SSL
VPN one. SSL VPN is listening on the default port 443, as you can see below:

webvpn
 enable OUTSIDE
 enable MANA
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
 anyconnect profiles XML-ANYCONNECT disk0:/xml-anyconnect.xml
 anyconnect enable
 tunnel-group-list enable
 java-trustpoint HM-CODE

This portion of the code states that SSL is listening on the default port,
which is 443. Up to this point everything is OK and working, which means
it's connecting; if I just disable certificate authentication and use AAA,
it works like a charm. What's not working is the certificate matching.
Piotr stated that maybe it's not downloading the CA root certificate. Do any
of you know whether, when using SCEP with Windows Server, the client should
download the CA root certificate?

BR,
Bruno Silva.
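Since the thread turns on two questions, whether the SCEP-issued client certificate carries the right EKU and whether it chains to the CA root the ASA trustpoint holds, here is an added example for checking both offline before touching the ASA's certificate-matching rules. It is not Bruno's configuration or anything posted on the list: it builds a throwaway lab PKI with openssl (a "Lab Root CA" standing in for the Windows Server issuing CA, plus a second, untrusted CA), issues three client certificates, and runs the two checks against each. All file names, subjects and the verdict words are constructed for the lab.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires the openssl CLI (1.1.1 or newer).
# Builds a constructed lab PKI and checks each client cert the way you would check a
# SCEP-enrolled AnyConnect certificate: does it chain to the trusted root, and does it
# assert the clientAuth EKU (TLS Web Client Authentication)?
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA. $1 = file stem, $2 = CN. Default req -x509 extensions give CA:TRUE.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a client cert. $1 = issuing CA stem, $2 = cert stem, $3 = EKU list (e.g. clientAuth).
issue_client_cert() {
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$3" > "$WORK/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$2/O=Lab" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Check 1: the cert must verify against the root the headend trusts. $1 = CA PEM, $2 = cert PEM.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the cert must carry id-kp-clientAuth. $1 = cert PEM. Exit 0 if present.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Combined verdict, printed as one word: UNTRUSTED, NO-CLIENTAUTH or OK.
# $1 = trusted CA PEM, $2 = client cert PEM.
check_cert() {
    if ! chains_to_ca "$1" "$2"; then
        echo UNTRUSTED
    elif ! has_client_auth_eku "$2"; then
        echo NO-CLIENTAUTH
    else
        echo OK
    fi
}

# Constructed lab data: the CA the ASA trusts, an unrelated CA, and three client certs.
make_ca ca    "Lab Root CA"
make_ca other "Some Other CA"
issue_client_cert ca    good    clientAuth   # what a correct SCEP profile should produce
issue_client_cert ca    bad     serverAuth   # trusted issuer, but wrong EKU
issue_client_cert other foreign clientAuth   # right EKU, but the root is not in the trustpoint

for c in good bad foreign; do
    printf '%-8s %s\n' "$c" "$(check_cert "$WORK/ca.crt" "$WORK/$c.crt")"
done
```

Run it where the openssl CLI is installed; the `good` cert passes both checks, `bad` fails only the EKU check and `foreign` fails the chain check. For a real deployment, point `check_cert` at the CA certificate exported from the trustpoint on the ASA (`show crypto ca certificates`) and at the certificate the client actually enrolled, rather than at the lab files.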


2014-04-29 16:07 GMT-03:00 Fawad Khan <[email protected]>:

> The HTTP server is listening on a non-standard port; could this be confusing
> the client?
> Try the default 443.
>
> I am sorry, I am not into deployment much these days, otherwise I would
> love to test and help.
>
> Regards
> Fawad Khan
>
>
> On Monday, April 28, 2014, Bruno Silva <[email protected]> wrote:
>
>> No one will even try to help me? I am kinda desperate...=\
>>
>>
>> 2014-04-25 8:34 GMT-03:00 Bruno Silva <[email protected]>:
>>
>>> Hi Guys,
>>>
>>> I have been trying to configure AnyConnect dual-factor authentication
>>> with SCEP auto-enrollment. I was successful in configuring everything,
>>> including the LDAP-map group redirection with both group-policies, using
>>> simultaneous logins 0 and the mapped one with 3 simultaneous logins. Everything
>>> works fine except the certificate authentication.
>>>
>>> I can make the machine, the cell phone and other devices enroll correctly
>>> with the CA, but when it tries to authenticate it fails and the enrollment
>>> process happens again.
>>>
>>> I did some research and found out about the EKU bug with Cisco, but
>>> even matching the fields of EK and EKU, the AnyConnect client cannot match
>>> the certificate and the enrollment process loops forever. Last night
>>> it went through the process 8 times until I stopped it manually and revoked the
>>> certificates.
>>>
>>> Can anyone help me find out why the certificate is not being matched
>>> properly? Is there anything I should configure in the XML file?
>>>
>>> I am pretty sure it's something in the certificate matching, but I can't
>>> find what. I'll be very glad if you can help me. The attachment is the ASA
>>> lab configuration that I am using so far.
>>>
>>> Thank you,
>>> --
>>> Bruno Silva
>>> Network Consultant
>>> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
>>> Arcsight Professional Certified - ACIA/ACSA
>>>
>>
>>
>>
>> --
>> Bruno Silva
>> Network Consultant
>> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
>> Arcsight Professional Certified - ACIA/ACSA
>>
>
>
> --
>
> Fawad Khan
>
> "This message is sent using a smartphone application , I apologize for any
> spelling or grammatical mistake also if the message is too short in length
> or description".
> Thank you.
>



-- 
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA