Cisco ASA 5510 Adaptive Security Appliance Technical Manual
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<CertificateEnrollment>
<AutomaticSCEPHost>rtpvpnoutbound6.cisco.com/certenroll</AutomaticSCEPHost>
<CAURL PromptForChallengePW="false" >scep_url</CAURL>
<CertificateImportStore>All</CertificateImportStore>
<CertificateSCEP>
<Name_CN>%USER%</Name_CN>
<KeySize>2048</KeySize>
<DisplayGetCertButton>true</DisplayGetCertButton>
</CertificateSCEP>
</CertificateEnrollment>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false</RetainVpnOnLogoff>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>rtpvpnoutbound6.cisco.com</HostName>
<HostAddress>rtpvpnoutbound6.cisco.com</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
Note: A group-url is not configured for this tunnel-group. This is important because Legacy SCEP does not work with the URL. You must select the tunnel-group with its alias. This is because of Cisco bug ID CSCtq74054. If you experience issues because of the group-url, you might need to follow up on this bug.
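As an added example (not part of the Cisco document), here is a small Python check that parses an AnyConnect profile like the one above and flags the enrollment settings a reviewer would verify before rolling it out: the RSA key size, a CAURL still holding the scep_url placeholder, and whether AutomaticSCEPHost names a host from the ServerList plus the tunnel-group alias that the note above requires. The profile text inside it is constructed from the elements on this page; the namespace and the lint rules are assumptions of mine, not Cisco's.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile: element names come from the page, values are sample data
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <CertificateEnrollment>
      <AutomaticSCEPHost>rtpvpnoutbound6.cisco.com/certenroll</AutomaticSCEPHost>
      <CAURL PromptForChallengePW="false">scep_url</CAURL>
      <CertificateSCEP><Name_CN>%USER%</Name_CN><KeySize>2048</KeySize></CertificateSCEP>
    </CertificateEnrollment>
  </ClientInitialization>
  <ServerList><HostEntry>
    <HostName>rtpvpnoutbound6.cisco.com</HostName>
    <HostAddress>rtpvpnoutbound6.cisco.com</HostAddress>
  </HostEntry></ServerList>
</AnyConnectProfile>"""


def lint_profile(xml_text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # strip the default namespace so plain paths work
        el.tag = el.tag.split("}")[-1]
    findings = []

    def text(path):
        node = root.find(path)
        return (node.text or "").strip() if node is not None else None

    if text("ClientInitialization/EnableScripting") != "false":
        findings.append("EnableScripting is not false: connect scripts may run on the client")
    enroll = "ClientInitialization/CertificateEnrollment"
    if root.find(enroll) is None:
        return findings + ["CertificateEnrollment block missing: no SCEP enrollment possible"]
    key = text(enroll + "/CertificateSCEP/KeySize")
    if not key or not key.isdigit() or int(key) < 2048:
        findings.append(f"KeySize {key!r} below 2048-bit minimum")
    caurl = text(enroll + "/CAURL")
    if not caurl or "://" not in caurl:
        findings.append(f"CAURL {caurl!r} is not an absolute URL (placeholder left in?)")
    # Host part must be a ServerList entry; the path part is the tunnel-group alias
    host, _, alias = (text(enroll + "/AutomaticSCEPHost") or "").partition("/")
    hosts = {(h.text or "").strip() for h in root.iter("HostName")}
    hosts |= {(h.text or "").strip() for h in root.iter("HostAddress")}
    if host not in hosts:
        findings.append(f"AutomaticSCEPHost host {host!r} is not in the ServerList")
    if not alias:
        findings.append("AutomaticSCEPHost lacks the tunnel-group alias after '/'")
    return findings
```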
Configure a Tunnel for User Certificate Authentication
When the signed ID certificate is received, connection with certificate authentication is possible. However, the actual tunnel-group that is used in order to connect has not yet been configured. This configuration is similar to the configuration for any other connection-profile. This term is synonymous with tunnel-group and not to be confused with client profile, which uses certificate authentication.
Here is a snapshot of the configuration that is used for this tunnel:
rtpvpnoutbound6(config)# show run access-l acl_fw-policy
access-list acl_fw-policy standard permit 192.168.1.0 255.255.255.0
rtpvpnoutbound6(config)# show run group-p gp_legacyscep
group-policy gp_legacyscep internal
group-policy gp_legacyscep attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl_fw-policy
default-domain value cisco.com
webvpn
anyconnect modules value dart
rtpvpnoutbound6(config)# show run tunnel tg_legacyscep
tunnel-group tg_legacyscep type remote-access