Cisco ASA 5512-X Adaptive Security Appliance - No Payload Encryption Technical Manual
Configure a Tunnel for Enrollment Use
As mentioned previously, in order for the client to be able to obtain a certificate, a secure tunnel must be built
with the ASA through a different method of authentication. In order to do this, you must configure one
tunnel-group that is only used for the first connection attempt when a certificate request is made. Here is a
snapshot of the configuration that is used, which defines this tunnel-group (the important lines are shown in
bold-italics):
rtpvpnoutbound6(config)# show run user
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 0
rtpvpnoutbound6# show run group-policy gp_certenroll
group-policy gp_certenroll internal
group-policy gp_certenroll attributes
 wins-server none
 dns-server value <dns-server-ip-address>
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 group-lock value certenroll
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_certenroll
 default-domain value cisco.com
 webvpn
  anyconnect profiles value pro-sceplegacy type user
rtpvpnoutbound6# show run access-l acl_certenroll
access-list acl_certenroll remark to allow access to the CA server
access-list acl_certenroll standard permit host <ca-server-ipaddress>
rtpvpnoutbound6# show run all tun certenroll
tunnel-group certenroll type remote-access
tunnel-group certenroll general-attributes
 address-pool ap_fw-policy
 authentication-server-group LOCAL
 secondary-authentication-server-group none
 default-group-policy gp_certenroll
tunnel-group certenroll webvpn-attributes
 authentication aaa
 group-alias certenroll enable
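The enrollment tunnel-group above is only safe as a bootstrap path if the group-policy it hands out pins users to that tunnel-group (group-lock), limits split-tunnel traffic to the CA host(s), and the LOCAL account used for the first connection has privilege 0. The following audit script is an added example written for this page, not Cisco code: it parses a 'show run' style text (a constructed sample built from the configuration above, placeholders kept verbatim) and reports which of those properties are missing.

```python
# Constructed sample in 'show run' form, modelled on the enrollment tunnel above.
SAMPLE_CONFIG = """\
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 0
group-policy gp_certenroll internal
group-policy gp_certenroll attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 group-lock value certenroll
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_certenroll
access-list acl_certenroll remark to allow access to the CA server
access-list acl_certenroll standard permit host <ca-server-ipaddress>
tunnel-group certenroll type remote-access
tunnel-group certenroll general-attributes
 authentication-server-group LOCAL
 default-group-policy gp_certenroll
"""

def parse_sections(config):
    """Map each unindented config line to the indented lines beneath it."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_enrollment_tunnel(config, tunnel_group):
    """Return findings; an empty list means the bootstrap tunnel only lets the
    enrolling user reach single CA hosts through a privilege-0 account."""
    sec = parse_sections(config)
    findings = []
    general = sec.get(f"tunnel-group {tunnel_group} general-attributes", [])
    gp = next((l.split()[1] for l in general if l.startswith("default-group-policy ")), None)
    attrs = sec.get(f"group-policy {gp} attributes", [])
    if f"group-lock value {tunnel_group}" not in attrs:
        findings.append("group-lock does not pin users to the enrollment tunnel-group")
    if "split-tunnel-policy tunnelspecified" not in attrs:
        findings.append("split-tunnel-policy is not tunnelspecified")
    acl = next((l.split()[-1] for l in attrs if l.startswith("split-tunnel-network-list value ")), None)
    aces = [l for l in sec if l.startswith(f"access-list {acl} ") and " remark " not in l] if acl else []
    if not aces or any(" permit host " not in l for l in aces):
        findings.append("split-tunnel ACL missing or permits more than single hosts")
    for line in sec:
        if line.startswith("username ") and not line.endswith(" privilege 0"):
            findings.append(f"{line.split()[1]} is not privilege 0")
    return findings
```

Run it against a real 'show run' capture by replacing SAMPLE_CONFIG; the check is textual, so lines must be indented the way the ASA prints them.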
Here is the client profile that can either be pasted into a Notepad file and imported to the ASA, or it can be
configured with the Adaptive Security Device Manager (ASDM) directly:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume
</AutoReconnectBehavior>