With Cisco AnyConnect Mobility security, users can access the network with the device of their choice, including laptops and handhelds. They can easily and securely use the applications and get the information they need.

As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

I'm having a big issue with SCEP-proxy; maybe you can help me out. I've set it up just as in the video. However, when we connect with Android or iPhone and enter the AD credentials, we end up connected, and the ASA sends the SCEP request to the CA, but as we want to control which devices get a certificate, we've changed a setting in the CA template so that we have to issue the certificate manually.

The Cisco® ASA 55xx Series Adaptive Security Appliance is a purpose-built platform that combines security and VPN services for small and medium-sized businesses and enterprise applications. The Cisco ASA 55xx Series enables customization for specific deployment environments and options, with special product editions for secure remote access (SSL/IPsec VPN), firewall, content security and intrusion prevention. When VASCO DIGIPASS is added to the Cisco ASA 55xx Series, the end user is asked for an OTP from the moment he wants to connect remotely to the corporate network. To validate the OTP, the Cisco ASA 55xx Series communicates with the IDENTIKEY Authentication Server, VASCO's back-end authentication software, through RADIUS.

The following are the AAA authentication underlying protocols and servers that are supported as external database repositories: Using an external authentication server in medium and large deployments is recommended, for better scalability and easier management.

 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
interface Dialer0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp chap hostname [email protected]
 ppp chap password 0 CHAPPASSWORD
 ppp pap sent-username [email protected] password 0 PAPPASSWORD
 ppp ipcp dns request accept
 crypto map clientmap
!
interface Vlan1
 description Internal Network
 ip address 10.1.9.254 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 load-interval 30
!
scheduler max-task-time 5000
scheduler interval 500
ntp access-group peer 3
ntp access-group serve 4
ntp master
ntp server X.

Not sure if relevant, but there is also a router in bridge mode, installed by the EFM provider, that the 1812 connects through.

crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key PRESHAREDKEY address 220.127.116.11 no-xauth
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset3 esp-aes 256
crypto ipsec transform-set myset4 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set myset5 esp-3des esp-sha-hmac
 mode transport
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!

Now the ISAKMP is connected:

*Apr 2 .198: ISAKMP:(2125): Old State = IKE_QM_READY New State = IKE_QM_READY
*Apr 2 .246: ISAKMP (25): received packet from 18.104.22.168 dport 500 sport 500 Global (I) QM_IDLE
*Apr 2 .246: ISAKMP: set new node -505694825 to QM_IDLE
*Apr 2 .246: crypto_engine: Decrypt IKE packet
*Apr 2 .246: crypto_engine: Generate IKE hash
*Apr 2 .246: ISAKMP:(2125): processing HASH payload.

no spanning-tree vlan 1
no spanning-tree vlan 2
username ADMINUSERNAME password 0 ADMINPASSWORD
archive
 log config
  hidekeys
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 set peer 22.214.171.124
 set security-association lifetime seconds 28800
 set transform-set myset myset1 myset2 myset3 myset4 myset5
 match address 110
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!

I even have a TAC case opened with Cisco, but so far nothing. I believe the manual cert approval is not possible, as by the time the cert is approved, the client may no longer connect to the VPN.

access-list 1 remark IP Addresses Permitted to login via ssh and telnet
access-list 1 permit 126.96.36.199
access-list 1 permit 10.1.9.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny any
access-list 3 remark NTP Server addresses
access-list 3 permit X.X
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 4 remark Deny All
access-list 4 deny any
access-list 102 remark NAT
access-list 102 deny ip 10.1.9.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.9.0 0.0.0.255 any
access-list 110 remark VPN
access-list 110 permit ip 10.1.9.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!

VASCO DIGIPASS offers one-time password (OTP) technology to protect user login. It ensures that only authenticated users get access.