41-21
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter41 Configuring Digital Certificates
Configuring Digital Certificates
Configuring Proxy Support for SCEP Requests
To configure the ASA to authenticate remote access endpoints using third-party CAs, perform the
following steps:
Step3 show crypto ca server certificate
Example:
hostname/contexta(config)# show crypto ca server
certificate Main
Verifies that the enrollment process was successful by
displaying certificate details issued for the ASA and
the CA certificate for the trustpoint.
Step4 write memory
Example:
hostname/contexta(config)# write memory
Saves the running configuration.
Command Purpose
Command Purpose
Step1 crypto ikev2 enable outside client-services port
portnumber
Example:
hostname(config-tunnel-ipsec)# crypto ikev2 enable
outside client-services
Enables client services.
Note Needed only if you support IKEv2.
Enter this command in tunnel-group ipsec-attributes
configuration mode.
The default port number is 443.
Step2 scep-enrollment enable
Example:
hostname(config-tunnel-general)# scep-enrollment
enable
INFO: 'authentication aaa certificate' must be
configured to complete setup of this option.
Enables SCEP enrollment for the tunnel group.
Enter this command in tunnel-group
general-attributes configuration mode.
Step3 scep-forwarding-url value URL
Example:
hostname(config-group-policy)# scep-forwarding-url
value http://ca.example.com:80/
Enrolls the SCEP CA for the group policy.
Enter this command once per group policy to support
a third-party digital certificate. Enter the command in
group-policy general-attributes configuration mode.
URL is the SCEP URL on the CA.
Step4 secondary-pre-fill-username clientless hide
use-common-password password
Example:
hostname(config)# tunnel-group remotegrp
webvpn-attributes
hostname(config-tunnel-webvpn)#
secondary-pre-fill-username clientless hide
use-common-password secret
Supplies a common, secondary password when a
certificate is unavailable for WebLaunch support of
the SCEP proxy.
You must use the hide keyword to support the SCEP
proxy.
For example, a certificate is not available to an
endpoint requesting one. Once the endpoint has the
certificate, AnyConnect disconnects, then reconnects
to the ASA to qualify for a DAP policy that provides
access to internal network resources.