I thought that whenever we made the SCEP auto-enroll the certificate chain should be provided from the server, not just the machine certificate itself. Seems strange to me, gonna try installing the root ca certificate and see what happens.
BR,
Bruno Silva.

2014-04-29 16:18 GMT-03:00 Fawad Khan <[email protected]>:

> I think the root CA needs to be pre-installed on the server.
> This may sound stupid, but again I haven't done this ever, hence just
> throwing blanks.
>
> On Tuesday, April 29, 2014, Bruno Silva <[email protected]> wrote:
>
>> Hi Fawad,
>>
>> The server that's listening on port 4434 is the ASDM service, not the SSL
>> VPN one. SSL VPN is listening on the default 443 port as you can see below:
>>
>> webvpn
>> enable OUTSIDE
>> enable MANA
>> anyconnect-essentials
>> anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 1
>> anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
>> anyconnect profiles XML-ANYCONNECT disk0:/xml-anyconnect.xml
>> anyconnect enable
>> tunnel-group-list enable
>> java-trustpoint HM-CODE
>>
>> This portion of the code states that SSL is listening on the default
>> port, which is 443. Up to this part everything is OK and working fine,
>> which means it's connecting; if I just disable certificate authentication
>> and use AAA it works like a charm. What's just not working is the
>> certificate matching. Piotr stated that maybe it's not downloading the CA
>> root certificate. Do any of you guys know if, when using SCEP with Windows
>> Server, the client should download the CA root certificate?
>>
>> BR,
>> Bruno Silva.
>>
>>
>> 2014-04-29 16:07 GMT-03:00 Fawad Khan <[email protected]>:
>>
>>> The HTTP server is listening on a non-standard port, could this be confusing
>>> the client?
>>> Try the default 443.
>>>
>>> I am sorry, I am not into deployment much these days, otherwise I would
>>> love to test and help.
>>>
>>> Regards
>>> Fawad Khan
>>>
>>>
>>> On Monday, April 28, 2014, Bruno Silva <[email protected]> wrote:
>>>
>>>> No one will even try to help me?
>>>> I am kinda desperate... =\
>>>>
>>>>
>>>> 2014-04-25 8:34 GMT-03:00 Bruno Silva <[email protected]>:
>>>>
>>>>> Hi Guys,
>>>>>
>>>>> I have been trying to configure AnyConnect dual-factor authentication
>>>>> with SCEP auto-enrollment. I was successful in configuring everything,
>>>>> including the LDAP-map group redirection with both group-policies using
>>>>> simultaneous logins 0 and the mapped one with 3 simultaneous logins. Everything
>>>>> works fine except the certificate authentication.
>>>>>
>>>>> I can make the machine, the cell phone and other devices enroll
>>>>> correctly with the CA, but when it tries to authenticate it fails and the
>>>>> enrollment process happens again.
>>>>>
>>>>> I did some research and found out about the EKU bug with Cisco, but
>>>>> even matching the fields of EK and EKU the AnyConnect client cannot match
>>>>> the certificate and the enrollment process loops forever. Last night
>>>>> it did the process 8 times until I stopped it manually and revoked the
>>>>> certificates.
>>>>>
>>>>> Can anyone help me find out why the certificate is not being
>>>>> matched properly? Is there anything I should configure in the XML file?
>>>>>
>>>>> I am pretty sure it's something in the certificate matching but I
>>>>> can't find what. I'll be very glad if you can help me. The attachment is
>>>>> the ASA lab configuration that I am using so far.
>>>>>
>>>>> Thank you,
>>>>> --
>>>>> Bruno Silva
>>>>> Network Consultant
>>>>> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
>>>>> Arcsight Professional Certified - ACIA/ACSA
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Bruno Silva
>>>> Network Consultant
>>>> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
>>>> Arcsight Professional Certified - ACIA/ACSA
>>>>
>>>
>>>
>>> --
>>>
>>> Fawad Khan
>>>
>>> "This message is sent using a smartphone application, I apologize for
>>> any spelling or grammatical mistake, also if the message is too short in
>>> length or description."
>>> Thank you.
>>>
>>
>>
>>
>> --
>> Bruno Silva
>> Network Consultant
>> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
>> Arcsight Professional Certified - ACIA/ACSA
>>
>
>
> --
>
> Fawad Khan
>
> "This message is sent using a smartphone application, I apologize for any
> spelling or grammatical mistake, also if the message is too short in length
> or description."
> Thank you.
>

--
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA
_______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
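The thread circles around two things the ASA needs before a certificate map can match an enrolled AnyConnect client certificate: the certificate must chain to the root CA the trustpoint holds, and its Extended Key Usage must carry clientAuth. The script below is an added example, not code from the thread or from Cisco; it builds a constructed in-memory lab CA with the Python `cryptography` library and runs those checks offline against a leaf certificate, so a practitioner can look at what a SCEP client actually received before touching the ASA configuration. Function names, the lab CA name and the certificate subjects are all made up for the example.

```python
"""Added example: offline sanity check of an enrolled client certificate.

Before blaming the ASA certificate map, confirm that the certificate the
SCEP client received (a) was issued and signed by the root CA the ASA
trustpoint holds and (b) carries an Extended Key Usage that includes
clientAuth. Everything here is constructed in memory with the Python
`cryptography` library; no real CA or ASA is involved.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH
SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH
UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_root_ca(cn="Constructed Lab Root CA"):
    """Self-signed CA standing in for the Windows CA the thread enrolls against."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, cn, ekus=(CLIENT_AUTH,), days=365):
    """Leaf certificate of the kind a SCEP enrollment hands to the AnyConnect client."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    if ekus:  # an empty tuple deliberately omits the EKU extension
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def check_client_cert(cert, trusted_root):
    """Return a list of problems; an empty list means the certificate should match."""
    problems = []

    # 1. Chain: the issuer must be the trusted root and the root key must verify the signature.
    if cert.issuer != trusted_root.subject:
        problems.append("issuer does not match the trusted root CA")
    else:
        try:
            trusted_root.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            problems.append("signature does not verify with the trusted root key")

    # 2. Validity window, evaluated in UTC (newer cryptography exposes *_utc properties).
    now = datetime.datetime.now(UTC)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    if not (not_before <= now <= not_after):
        problems.append("certificate is outside its validity window")

    # 3. EKU: the thread's certificate matching keys on EKU, so require clientAuth explicitly.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if CLIENT_AUTH not in eku:
            problems.append("EKU present but lacks clientAuth")
    except x509.ExtensionNotFound:
        problems.append("no EKU extension")
    return problems


if __name__ == "__main__":
    ca_key, root = make_root_ca()
    for label, leaf in (
        ("good", issue_client_cert(ca_key, root, "vpn-user-1")),
        ("server-only EKU", issue_client_cert(ca_key, root, "vpn-user-2", ekus=(SERVER_AUTH,))),
        ("no EKU", issue_client_cert(ca_key, root, "vpn-user-3", ekus=())),
    ):
        print(label, "->", check_client_cert(leaf, root) or "OK")
```

To apply this to a real enrollment, replace the constructed objects with `x509.load_pem_x509_certificate()` on the certificate exported from the client and on the root the ASA trustpoint holds; a non-empty problem list from `check_client_cert` points at the side (CA template, chain distribution, or map criteria) to look at first.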
