Cisco ASA Series Cli Configuration Manual page 957
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 1
Configuring Digital Certificates
Command
Step 3
show crypto ca server certificate
Example:
hostname/contexta(config)# show crypto ca server
certificate Main
Step 4
write memory
Example:
hostname/contexta(config)# write memory
Configuring Proxy Support for SCEP Requests
To configure the ASA to authenticate remote access endpoints using third-party CAs, perform the
following steps:
Command
Step 1
crypto ikev2 enable outside client-services port
portnumber
Example:
hostname(config-tunnel-ipsec)# crypto ikev2 enable
outside client-services
Step 2
scep-enrollment enable
Example:
hostname(config-tunnel-general)# scep-enrollment
enable
INFO: 'authentication aaa certificate' must be
configured to complete setup of this option.
Step 3
scep-forwarding-url value URL
Example:
hostname(config-group-policy)# scep-forwarding-url
value http://ca.example.com:80/
Step 4
secondary-pre-fill-username clientless hide
use-common-password password
Example:
hostname(config)# tunnel-group remotegrp
webvpn-attributes
hostname(config-tunnel-webvpn)#
secondary-pre-fill-username clientless hide
use-common-password secret
Configuring Digital Certificates
Purpose
Verifies that the enrollment process was successful by
displaying certificate details issued for the ASA and
the CA certificate for the trustpoint.
Saves the running configuration.
Purpose
Enables client services.
Note
Needed only if you support IKEv2.
Enter this command in tunnel-group ipsec-attributes
configuration mode.
The default port number is 443.
Enables SCEP enrollment for the tunnel group.
Enter this command in tunnel-group
general-attributes configuration mode.
Enrolls the SCEP CA for the group policy.
Enter this command once per group policy to support
a third-party digital certificate. Enter the command in
group-policy general-attributes configuration mode.
URL is the SCEP URL on the CA.
Supplies a common, secondary password when a
certificate is unavailable for WebLaunch support of
the SCEP proxy.
You must use the hide keyword to support the SCEP
proxy.
For example, a certificate is not available to an
endpoint requesting one. Once the endpoint has the
certificate, AnyConnect disconnects, then reconnects
to the ASA to qualify for a DAP policy that provides
access to internal network resources.
Cisco ASA Series CLI Configuration Guide
1-21
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
