Wednesday, 21 January 2015

Cisco ASA SCEP Proxy Enrollment - Part 2


Here we will show the configuration of the SCEP enrollment methods (manual enrollment needs no configuration on the VPN server, since the user connects directly to the CA server).

Devices Used

  • ASA5545-X as AnyConnect VPN server with OS 9.0(2)
  • MS Windows 2012 as CA server
  • Windows7, MAC OSX, iPhone, Android running AnyConnect Client 3.0+.

Note: Deploying the Local CA on the ASA itself makes it simpler to issue certificates to AnyConnect users. The challenge is that the Local CA and ASA failover are mutually exclusive; you cannot run both at the same time. Accordingly, most organizations use an external CA so that they can keep ASA failover.

MS CA Configuration


  1. Disable SCEP Enrollment Challenge Password Requirement

By default, the Microsoft SCEP (MSCEP) implementation uses a dynamic challenge password in order to authenticate clients and endpoints during certificate enrollment. With this requirement in place, you must browse to the MSCEP admin web GUI on the NDES server to generate a one-time password on demand and include it in the enrollment request, which prevents fully automated enrollment.

The challenge password is controlled by a single registry value on the NDES server; it is not a Group Policy setting. To disable it:
  1. Log on to the NDES server as an administrator.
  2. Click Start and enter regedit in the search bar.
  3. Navigate to Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > EnforcePassword.
  4. Set the EnforcePassword value (DWORD) to 0 (the default value is 1).
  5. Restart IIS (iisreset) or reboot the NDES server so the SCEP application rereads the registry.

To verify that the password challenge is disabled, reopen the same key and confirm that EnforcePassword is 0. If enrollments are still rejected for a missing challenge after the change, the application pool has not been restarted.

Note: With the challenge disabled, NDES will issue a certificate to anyone who can reach the mscep.dll URL. In the SCEP proxy design this is acceptable only because the ASA authenticates the user (AAA) before it forwards the request and the NDES URL needs to be reachable from the ASA alone, so restrict access to the NDES server to the ASA's address at the firewall or in IIS.

  2. Configure Certificate Template

SCEP is widely used in IPSec VPN environments. As a result, installation of the NDES role automatically configures the server to utilize the IPSec (Offline Request) template for SCEP. Because of this, one of the first steps in the preparation of a Microsoft CA is to build a new template with the correct application policy.

Complete these steps in order to configure the Certificate Template:
  1. Log on to the CA server as admin.
  2. Click Start > Administrative Tools > Certification Authority.
  3. Expand the CA server details and select the Certificate Templates folder. This folder contains a list of the templates that are currently enabled.
  4. In order to manage the certificate templates, right-click on the Certificate Templates folder and choose Manage.
  5. In the Certificate Templates Console, a number of inactive templates are displayed.
  6. In order to configure a new template for use with SCEP, right-click on a template that already exists, such as User, and choose Duplicate Template.
  7. Choose Windows Server 2003 Enterprise or Windows Server 2008 Enterprise as the template version, depending on the oldest CA operating system in the environment.
  8. On the General tab, add a display name, such as ASA-BYOD, and validity period; leave all other options unchecked.

    Note: The template validity period must be less than or equal to the validity period of the CA root and intermediate certificates.

  9. Click on the Subject Name tab, and confirm that Supply in the request is selected. This is what lets the ASA (SCEP proxy) or the AnyConnect client put the user's identity into the request, but it also means the CA signs whatever subject it is handed, so enrollment rights on this template must stay tightly controlled (see step 13).
  10. Click on the Issuance Requirements tab. Cisco recommends that you leave the Issuance policies blank in a typical hierarchical CA environment.
  11. Click on the Extensions tab, Application Policies, and then Edit.
  12. Click Add, and ensure that Client Authentication is added as an application policy. Click OK.
  13. Click on the Security tab, and then Add.... Ensure that the SCEP service account defined in the NDES service installation has full control of the template (Read and Enroll are sufficient), and then click OK. Because the subject is supplied in the request and the challenge password is disabled, the NDES service account should be the only principal with Enroll permission on this template; do not grant Enroll to broad groups such as Domain Users or Authenticated Users.
  14. Return to the Certification Authority GUI interface.
  15. Right-click on the Certificate Templates directory. Navigate to New > Certificate Template to Issue.
  16. Select the ASA-BYOD template configured previously, and click OK.

  3. Certificate Template Registry Configuration

Complete these steps in order to configure the Certificate Template Registry keys:
  • Connect to the NDES server.
  • Click Start and enter regedit in the search bar.
  • Navigate to Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP.
  • Change the EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate values from IPSECIntermediateOffline (the template name of IPSec (Offline Request)) to the template name of the ASA-BYOD template created previously. These values take the Template name shown on the template's General tab, not the display name; for ASA-BYOD the two are identical because the name contains no spaces.
  • Reboot the NDES server, or at least restart IIS (iisreset), so the SCEP application rereads the registry.



Verifying and Troubleshooting MS CA


ASA Configuration

SCEP Proxy

  • Authenticate the issuing CA's certificate into a trustpoint on the ASA. The ASA uses this trustpoint to validate the client certificates it receives, so it must hold the CA that actually signs the ASA-BYOD certificates (in a two-tier PKI, authenticate the root and the issuing CA, each in its own trustpoint).

crypto ca trustpoint DXBWCA01-V
 revocation-check ocsp
 enrollment terminal
 crl configure
!
crypto ca authenticate DXBWCA01-V

At the prompt, paste the base64 (PEM) CA certificate, type quit on a line by itself, and accept it only after checking the fingerprint the ASA prints against one obtained from the CA administrator out of band. Note that revocation-check ocsp with no fallback makes validation fail closed: the issued certificates must carry an OCSP responder in their AIA extension (or the trustpoint needs an ocsp url), and that responder must be reachable from the ASA.

  • Launch the Profile Editor from ASDM, or use the stand-alone VPN Profile Editor
  • In the ASDM, Click Add (or Edit) to create (or edit) an AnyConnect Profile. On the stand-alone editor, open an existing profile or continue to create a new one.
  • Click Certificate Enrollment in the AnyConnect Client Profile tree on the left.
  • In the Certificate Enrollment pane, check Certificate Enrollment.
  • Configure the Certificate Contents to be requested in the enrollment certificate.


  • Create a group policy, for example, cert_group. Set the following fields:
  1. On General, enter the URL to the CA in SCEP Forwarding URL.
  2. On the Advanced > AnyConnect Client pane, uncheck Inherit for Client Profiles to Download and specify the client profile configured for SCEP Proxy. For example, specify the ac_vpn_scep_proxy client profile.
  • Create a connection profile for certificate enrollment and certificate authorized connection, for example, cert_tunnel.
  1. Authentication: Both (AAA and Certificate)
  2. Default Group Policy: cert_group
  3. On Advanced > General, check Enable SCEP Enrollment for this Connection Profile.
  4. On Advanced > GroupAlias/Group URL, create a Group URL containing the group (cert_group) for this connection profile.
  • Create a second tunnel group that uses certificate-only authentication, and a certificate map that matches the client certificates and points to this tunnel group. In this design one group (cert_tunnel) handles SCEP proxy enrollment and the other handles certificate authentication.
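The ASDM steps above expressed as an added CLI equivalent; this is not configuration from the original post. The group, profile and trustpoint names are the ones used in the text (cert_group, cert_tunnel, ac_vpn_scep_proxy, DXBWCA01-V) and the hosts are the post's ca01.cisco.com and asa.cisco.com. The profile file name, the aaa-server group LDAP_SRV, the second tunnel group cert_auth_tunnel with its group policy, the map name SCEP-CERT-MAP and the assumption that the issuer CN equals the trustpoint name are illustrative.

```cisco
! Register the AnyConnect client profile that has Certificate Enrollment
! enabled (upload ac_vpn_scep_proxy.xml to disk0: first).
webvpn
 anyconnect profiles ac_vpn_scep_proxy disk0:/ac_vpn_scep_proxy.xml
!
! Enrollment group policy: the ASA forwards SCEP requests to NDES itself,
! so the NDES URL only ever needs to be reachable from the ASA.
group-policy cert_group internal
group-policy cert_group attributes
 scep-forwarding-url value http://ca01.cisco.com/certsrv/mscep/mscep.dll
 webvpn
  anyconnect profiles value ac_vpn_scep_proxy type user
!
! Enrollment connection profile. AAA must succeed before the ASA proxies an
! enrollment; this is what stands in for the disabled challenge password.
! LDAP_SRV is an assumed aaa-server group defined elsewhere.
tunnel-group cert_tunnel type remote-access
tunnel-group cert_tunnel general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy cert_group
tunnel-group cert_tunnel webvpn-attributes
 authentication aaa certificate
 scep-enrollment enable
 group-url https://asa.cisco.com/cert_tunnel enable
!
! Steady-state policy and connection profile: certificate only, no SCEP.
! group-lock keeps a user who lands in this policy from using another profile.
group-policy cert_auth_group internal
group-policy cert_auth_group attributes
 group-lock value cert_auth_tunnel
tunnel-group cert_auth_tunnel type remote-access
tunnel-group cert_auth_tunnel general-attributes
 default-group-policy cert_auth_group
tunnel-group cert_auth_tunnel webvpn-attributes
 authentication certificate
!
! Steer certificates issued by our CA into the certificate-only profile.
! Matching the issuer keeps certificates that chain to any other trustpoint
! on the ASA out of this tunnel group; add subject or OU matches if the same
! CA also issues certificates for other purposes.
crypto ca certificate map SCEP-CERT-MAP 10
 issuer-name attr cn eq DXBWCA01-V
webvpn
 certificate-group-map SCEP-CERT-MAP 10 cert_auth_tunnel
```

Walk-through: the first connection to the cert_tunnel group URL succeeds with AAA only, the ASA proxies the enrollment and AnyConnect installs the certificate; the automatic reconnect presents it, the certificate map selects cert_auth_tunnel, and show vpn-sessiondb anyconnect then reports the session under that tunnel group. If the map never matches, compare the issuer CN in show crypto ca certificates with the value in the map.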

Legacy SCEP

  • Launch the Profile Editor from ASDM, or use the stand-alone VPN Profile Editor
  • In the ASDM, Click Add (or Edit) to create (or edit) an AnyConnect Profile. On the stand-alone editor, open an existing profile or continue to create a new one.
  • Click Certificate Enrollment in the AnyConnect Client Profile tree on the left.
  • In the Certificate Enrollment pane, check Certificate Enrollment.
  • Specify an Automatic SCEP Host to direct the client to retrieve the certificate.
  • Enter the FQDN or IP address, and the alias of the connection profile (tunnel group) that is configured for SCEP certificate retrieval. For example, if asa.cisco.com is the host name of the ASA and scep_eng is the alias of the connection profile, enter asa.cisco.com/scep_eng. When the user initiates the connection, the address chosen or specified must match this value exactly for Legacy SCEP enrollment to succeed. For example, if this field is set to an FQDN but the user specifies an IP address, SCEP enrollment will fail.
  • Configure the Certificate Authority attributes:
Note: Your CA server administrator can provide the CA URL and thumbprint. Retrieve the thumbprint directly from the server, not from a "fingerprint" or "thumbprint" attribute field in an issued certificate.
  1. Specify a CA URL to identify the SCEP CA server. Enter an FQDN or IP Address. For example: http://ca01.cisco.com/certsrv/mscep/mscep.dll.
  2. (Optional) Check Prompt For Challenge PW to prompt the user for their username and one-time password.
  3. (Optional) Enter a Thumbprint for the CA certificate, as a SHA-1 (preferred) or MD5 hash. For example: 8475B661202E3414D4BB223A464E6AAB8CA123AB. With a thumbprint set, the client refuses to enroll against a server whose CA certificate does not match, which is the only protection against a spoofed SCEP server when the CA URL is plain http.
  • Configure the Certificate Contents to be requested in the enrollment certificate.
  • (Optional) Check Display Get Certificate Button to permit users to manually request provisioning or renewal of authentication certificates. The button is visible to users if the certificate authentication fails.
  • (Optional) Enable SCEP for a specific host in the server list. Doing this overrides the SCEP settings in the Certificate Enrollment pane described above.
  1. Click Server List in the AnyConnect Client Profile tree on the left to go to the Server List pane.
  2. Add or Edit a server list entry.
  3. Specify the Automatic SCEP Host and Certificate Authority attributes as described in the two bullets above.
  • Create a group policy for enrollment, for example, cert_enroll_group. Set the following fields:
  1. On the Advanced > AnyConnect Client pane, uncheck Inherit for Client Profiles to Download and specify the client profile configured for Legacy SCEP. For example, specify the ac_vpn_legacy_scep client profile.
  • Create a second group policy for authorization, for example, cert_auth_group.
  • Create a connection profile for enrollment, for example, cert_enroll_tunnel. Set the following fields:
  1. On the Basic pane, set the Authentication Method to AAA.
  2. On the Basic pane, set the Default Group Policy to cert_enroll_group.
  3. On Advanced > GroupAlias/Group URL, create a Group URL containing the enrollment group (cert_enroll_group) for this connection profile.
  4. Do not enable this connection profile (its alias) for selection on the login page. It is not necessary to expose the group to users in order for them to have access to it: AnyConnect reaches it through the Group URL.
  • Create a connection profile for authorization, for example, cert_auth_tunnel. Set the following fields.
  1. On the Basic pane, set the Authentication Method to Certificate.
  2. On the Basic pane, set the Default Group Policy to cert_auth_group.
  3. Do not enable this connection profile (its alias) for selection on the login page either. It is not necessary to expose the group to users in order for them to access it: the certificate map selects it.
  • (Optional) On the General pane of each group policy, set Connection Profile (Tunnel Group) Lock to the corresponding SCEP connection profile, which restricts traffic to the SCEP-configured connection profile.
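The Legacy SCEP steps above as an added CLI equivalent; this is not configuration from the original post. Group and profile names are the ones the text uses (cert_enroll_group, cert_enroll_tunnel, cert_auth_group, cert_auth_tunnel, ac_vpn_legacy_scep, scep_eng) and the hosts are the post's asa.cisco.com and ca01.cisco.com. The profile file name, the aaa-server group LDAP_SRV, the CA address 10.1.1.20, the ACL and map names, and the assumption that the issuer CN equals the trustpoint name DXBWCA01-V are illustrative. The CA URL and thumbprint live in the client profile, not on the ASA, so they do not appear here.

```cisco
! Client profile with Certificate Enrollment, Automatic SCEP Host and CA URL
! configured (upload ac_vpn_legacy_scep.xml to disk0: first).
webvpn
 anyconnect profiles ac_vpn_legacy_scep disk0:/ac_vpn_legacy_scep.xml
!
! The enrollment tunnel is authenticated by AAA only, so limit what it can
! reach: the client's own SCEP requests go through the tunnel to the CA and
! nothing else should. 10.1.1.20 is the assumed address of ca01.cisco.com;
! add udp/53 to the DNS server if the CA name is resolved through the tunnel.
access-list ENROLL_ONLY extended permit tcp any host 10.1.1.20 eq 80
!
group-policy cert_enroll_group internal
group-policy cert_enroll_group attributes
 vpn-filter value ENROLL_ONLY
 group-lock value cert_enroll_tunnel
 webvpn
  anyconnect profiles value ac_vpn_legacy_scep type user
!
! Enrollment connection profile: AAA only, no SCEP proxy. No group-alias is
! defined, so it is not listed on the login page; AnyConnect reaches it via
! the group-url, which must match the Automatic SCEP Host in the profile
! (asa.cisco.com/scep_eng) exactly. LDAP_SRV is an assumed aaa-server group.
tunnel-group cert_enroll_tunnel type remote-access
tunnel-group cert_enroll_tunnel general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy cert_enroll_group
tunnel-group cert_enroll_tunnel webvpn-attributes
 authentication aaa
 group-url https://asa.cisco.com/scep_eng enable
!
! Authorization policy and connection profile: certificate only.
group-policy cert_auth_group internal
group-policy cert_auth_group attributes
 group-lock value cert_auth_tunnel
tunnel-group cert_auth_tunnel type remote-access
tunnel-group cert_auth_tunnel general-attributes
 default-group-policy cert_auth_group
tunnel-group cert_auth_tunnel webvpn-attributes
 authentication certificate
!
! Once the client holds a certificate from DXBWCA01-V it is mapped straight
! to the certificate-only profile and never needs cert_enroll_tunnel again.
crypto ca certificate map LEGACY-CERT-MAP 10
 issuer-name attr cn eq DXBWCA01-V
webvpn
 certificate-group-map LEGACY-CERT-MAP 10 cert_auth_tunnel
```

The vpn-filter is the point of difference from SCEP proxy: in legacy mode the client itself talks SCEP to the CA through an AAA-only tunnel, so that tunnel should carry nothing but SCEP traffic to the CA. Fill in the thumbprint in the client profile as well; it is what stops a client on an untrusted network from enrolling against an impostor SCEP server.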

Certificate Template Overview

Administrators of a Microsoft CA can configure one or more templates that are used in order to apply application policies to a common set of certificates. These policies help to identify for which function the certificate and associated keys are used. The application policy values are contained in the Extended Key Usage (EKU) field of the certificate. The authenticator parses the values in the EKU field in order to ensure that the certificate presented by the client can be used for the intended function. Some of the more common uses include server authentication, client authentication, IPSec VPN, and email. In terms of ASA, the more commonly used EKU values include server and/or client authentication & IPSec VPN.

When you browse to a secure bank website, for example, the web server that processes the request is configured with a certificate that has an application policy of server authentication. When the server receives an HTTPS request, it sends a server authentication certificate to the connecting web browser for authentication. The important point here is that this is a unidirectional exchange from the server to the client.

2 comments:

  1. Hello. We currently use Cisco CA that is accessible from the internet so that we can get certificates as DMVPN devices are deployed at remote sites. We don't want to load the certificates onto the devices until they are at site as these devices are shipped to remote locations and then configured remotely with the help of a local tech. We want to move away from using a Cisco CA to a Microsoft CA, however it would need to be exposed to the internet. I don't know if our existing setup or this new setup is a good security practice, so I was wondering if you could assist. Is there any way for us to use Windows CA and have it accessible from the internet without opening a major security hole? We plan on using a standalone CA + NDES

    ReplyDelete
  2. Hi,

    Exposing a CA server to the internet is a high security risk, whatever protection you have in place, because of the impact of its being compromised.

    Why don't you think about having an IPsec RA VPN or AnyConnect VPN in order to access this server? If it is mandatory to expose this server to the internet, you need a reverse proxy solution, or you can use clientless SSL VPN on the ASA to publish this server.

    ReplyDelete