Cisco ASA 5510 Adaptive Security Appliance Technical Manual

Background Information
SCEP is a protocol designed to make the distribution and revocation of digital certificates as scalable as
possible. The idea is that any standard network user should be able to request a digital certificate
electronically with very little intervention from network administrators. For VPN deployments that require
certificate authentication with the enterprise Certificate Authority (CA), or with any third−party CA that
supports SCEP, users can now request signed certificates from the client machines without the involvement
of the network administrators.
Note: If you want to configure the ASA as the CA server, then SCEP is not the proper protocol method.
Refer to The Local CA section of the Configuring Digital Certificates Cisco document instead.
As of ASA Release 8.3, there are two supported methods for SCEP:
• The older method, called Legacy SCEP, is discussed in this document.
• The SCEP proxy method is the newer of the two methods, where the ASA proxies the certificate
  enrollment request on behalf of the client. This process is cleaner because it does not require an extra
  tunnel group, and it is also more secure. However, the drawback is that SCEP proxy only works with
  Cisco AnyConnect Release 3.x. This means that the current AnyConnect client version for mobile
  devices does not support SCEP proxy.
Configure
This section provides information that you can use in order to configure the Legacy SCEP protocol method.
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the
commands used in this section.
Here are some important notes to keep in mind when Legacy SCEP is used:
• After the client receives the signed certificate, the ASA must recognize the CA that signed the
  certificate before it can authenticate the client. Therefore, you must ensure that the ASA also
  enrolls with the CA server. The enrollment process for the ASA should be the first step because it
  ensures that:
  ♦ The CA is configured correctly and is able to issue certificates via SCEP if you use the URL
    enrollment method.
  ♦ The ASA is able to communicate with the CA. Therefore, if the client cannot, the issue lies
    between the client and the ASA.
• When the first connection attempt is made, there is no signed certificate yet. Another option
  must be available in order to authenticate the client.
• In the certificate enrollment process itself, the ASA serves no role. It only serves as the VPN
  aggregator so that the client can build a tunnel in order to securely obtain the signed
  certificate. When the tunnel is established, the client must be able to reach the CA server.
  Otherwise, it is not able to enroll.
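The second and third notes above (no signed certificate on the first connection, and the client needing to reach the CA through the tunnel) are usually handled with a separate enrollment tunnel group on the ASA. The following ASA CLI is an added example and is not configuration taken from this document: the tunnel-group, group-policy and ACL names, the address pool 10.10.10.0/24, the CA address 192.0.2.10 and the use of TCP port 80 for the CA's SCEP endpoint are all assumed placeholders. The enrollment group authenticates with AAA only and is confined by a vpn-filter to the CA, so a client that has not yet enrolled can reach nothing else; the production group requires both AAA and a certificate.

```cisco
! Added example (placeholder names and addresses): tunnel-group layout for Legacy SCEP
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Enrollment tunnel may only reach the CA's SCEP endpoint (CA at 192.0.2.10, assumed).
! vpn-filter ACLs are written with the remote VPN client as the source.
access-list ACL-CA-ONLY extended permit tcp 10.10.10.0 255.255.255.0 host 192.0.2.10 eq 80
access-list ACL-CA-ONLY extended deny ip any any

! Group policy for clients that do not have a signed certificate yet
group-policy GP-ENROLL internal
group-policy GP-ENROLL attributes
 vpn-filter value ACL-CA-ONLY

! Enrollment tunnel group: AAA only, because there is no certificate on the first connection
tunnel-group TG-ENROLL type remote-access
tunnel-group TG-ENROLL general-attributes
 address-pool VPN-POOL
 default-group-policy GP-ENROLL
tunnel-group TG-ENROLL webvpn-attributes
 authentication aaa
 group-alias enroll enable

! Production tunnel group: used once the client holds a certificate signed by the CA
group-policy GP-VPN internal
tunnel-group TG-VPN type remote-access
tunnel-group TG-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy GP-VPN
tunnel-group TG-VPN webvpn-attributes
 authentication aaa certificate
 group-alias vpn enable

! Let the client pick the enrollment or production group by alias
webvpn
 tunnel-group-list enable
```

The vpn-filter is the part worth keeping even if the rest is adapted: without it, an enrollment session that was authenticated with credentials alone gets the same reach as a fully enrolled client.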
Enroll the ASA
The ASA enrollment process is relatively easy and does not require any new information. Refer to
the Enrolling the Cisco ASA to a CA Using SCEP document for more information about how to enroll the
ASA to a third−party CA.
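As an added illustration of the enrollment step described above (example commands, not configuration from this document or from the referenced Cisco document), the following ASA CLI creates a trustpoint that enrolls with a third−party CA over SCEP and then verifies the result. The trustpoint and key-pair names, the SCEP URL http://ca.example.com/certsrv/mscep/mscep.dll and the subject name are assumed placeholders; substitute the values of the CA in use.

```cisco
! Added example (placeholder names and URL): enroll the ASA itself with a CA over SCEP
crypto key generate rsa label ASA-SCEP-KEY modulus 2048

crypto ca trustpoint CA-SCEP
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 subject-name CN=asa.example.com,OU=VPN,O=Example
 fqdn asa.example.com
 keypair ASA-SCEP-KEY
 enrollment retry period 5
 enrollment retry count 10
 revocation-check crl
 crl configure

! Step 1: retrieve the CA certificate. The ASA prints its fingerprint and asks for
! confirmation; compare the fingerprint with the value obtained from the CA operator
! out of band before accepting it.
crypto ca authenticate CA-SCEP

! Step 2: generate and submit the ASA's own certificate request. The CA may require a
! one-time challenge password, which the ASA prompts for.
crypto ca enroll CA-SCEP

! Verification: both the CA certificate and the ASA identity certificate should be listed.
! If only the CA certificate appears, the request was not issued (pending or rejected on the CA).
show crypto ca certificates CA-SCEP
show crypto ca trustpoints
```

Completing this successfully confirms the two things the notes above call for: the CA can issue certificates via SCEP at that URL, and the ASA can reach it. A client that later fails to enroll can then be troubleshot on the client−to−ASA side rather than on the CA.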