Cisco Systems ASA5515K9 Network Router User Manual

Open as PDF

of 1994

41-21

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 41 Configuring Digital Certificates

Configuring Digital Certificates

Configuring Proxy Support for SCEP Requests

To configure the ASA to authenticate remote access endpoints using third-party CAs, perform the

following steps:

Step 3

show crypto ca server certificate

Example:

hostname/contexta(config)# show crypto ca server

certificate Main

Verifies that the enrollment process was successful by

displaying certificate details issued for the ASA and

the CA certificate for the trustpoint.

Step 4

write memory

Example:

hostname/contexta(config)# write memory

Saves the running configuration.

Command Purpose

Step 1

crypto ikev2 enable outside client-services port

portnumber

Example:

hostname(config-tunnel-ipsec)# crypto ikev2 enable

outside client-services

Enables client services.

Note Needed only if you support IKEv2.

Enter this command in tunnel-group ipsec-attributes

configuration mode.

The default port number is 443.

Step 2

scep-enrollment enable

Example:

hostname(config-tunnel-general)# scep-enrollment

enable

INFO: 'authentication aaa certificate' must be

configured to complete setup of this option.

Enables SCEP enrollment for the tunnel group.

Enter this command in tunnel-group

general-attributes configuration mode.

Step 3

scep-forwarding-url value URL

Example:

hostname(config-group-policy)# scep-forwarding-url

value http://ca.example.com:80/

Enrolls the SCEP CA for the group policy.

Enter this command once per group policy to support

a third-party digital certificate. Enter the command in

group-policy general-attributes configuration mode.

URL is the SCEP URL on the CA.

Step 4

secondary-pre-fill-username clientless hide

use-common-password password

Example:

hostname(config)# tunnel-group remotegrp

webvpn-attributes

hostname(config-tunnel-webvpn)#

secondary-pre-fill-username clientless hide

use-common-password secret

Supplies a common, secondary password when a

certificate is unavailable for WebLaunch support of

the SCEP proxy.

You must use the hide keyword to support the SCEP

proxy.

For example, a certificate is not available to an

endpoint requesting one. Once the endpoint has the

certificate, AnyConnect disconnects, then reconnects

to the ASA to qualify for a DAP policy that provides

access to internal network resources.

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Cisco Systems ASA5515K9 Network Router User Manual