Cisco ASA SCEP Proxy Enrollment - Part 1

This post is following on a previous post I did last year What is SSL Cryptography?

To have a fully automated Cisco Jabber VoIP solution, the client host (windows/mac/iPhone/Samsung) should automatically sense when the client isn't on LAN and launch AnyConnect VPN Client to connect back to VPN server. 

This will make sure that Jabber Client is always connected to CUCM server anyware. 

To achieve this, you need to make sure your AnyConnect VPN is configured for certificate based authentication (this is Cisco Jabber Client prerequisite).

Also, the client certificate which is used for authentication should be enrolled in the client host seamlessly.

In this post and the next one we are going to talk about certificate enrollment types.

Manual Enrollment

In this method, the user has to manually browse the CA server and request the certificate. For example, in MS CA, the user has to browse http://#server-ip#/certsrv. Another way of doing it by having the user to navigate to his certificate store and request a certificate from enrollment policy server (in this scenario both client and CA server has to be in same domain).

This method adds extra burden on end user which we usually prefer to avoid.

SCEP Enrollment

SCEP Proxy

1. The user connects to the ASA headend using a connection profile configured for both certificate and AAA authentication. The ASA requests a certificate and AAA credentials for authentication from the client.
2. The user enters their AAA credentials but a valid certificate is not available. This situation triggers the client to send an automatic SCEP enrollment request after the tunnel has been established using the entered AAA credentials.
3. The ASA forwards the enrollment request to the CA and returns the CA's response to the client.
4. If SCEP enrollment is successful, the client presents a (configurable) message to the user and disconnects the current session. The user can now connect using certificate authentication to an ASA tunnel group.
5. If SCEP enrollment fails, the client displays a (configurable) message to the user and disconnects the current session. The user should contact their administrator.
6. The client automatically renews the certificate before it expires, without user intervention, if the Certificate Expiration Threshold field is set in the VPN profile.

Legacy SCEP

1. The user initiates a connection to the ASA headend using a tunnel group configured for certificate authentication. The ASA requests a certificate for authentication from the client.
2. A valid certificate is not available on the client, the connection can not be established. This certificate failure indicates that SCEP enrollment needs to occur.
3. The user must then initiate a connection to the ASA headend using a tunnel group configured for AAA authentication only whose address matches the Automatic SCEP Host configured in the client profile. The ASA requests the AAA credentials from the client.
4. The client presents a dialog box for the user to enter their AAA credentials.

If the client is configured for manual enrollment and the client knows it needs to initiate SCEP enrollment, a Get Certificate button will display on the credentials dialog box (configurable option in the VPN profile). If the client has direct access to the CA on their network, the user will be able to manually obtain a certificate by clicking this button at this time.

Note If access to the CA relies on the VPN tunnel being established, manual enrollment can not be done at this time since there is currently no VPN tunnel established (AAA credentials have not been entered).

5. The user enters their AAA credentials and establishes a VPN connection.
6. The client knows it needs to initiate SCEP enrollment, it initiates an enrollment request to the CA through the established VPN tunnel, and a response is received from the CA.
7. If SCEP enrollment is successful, the client presents a (configurable) message to the user and disconnects the current session. The user can now connect using certificate authentication to an ASA tunnel group.
8. If SCEP enrollment fails, the client displays a (configurable) message to the user and disconnects the current session. The user should contact their administrator.
9. If the client is configured for manual enrollment and the Certificate Expiration Threshold value is met, a Get Certificate button will display on a presented tunnel group selection dialog box. The user will be able to manually renew their certificate by clicking this button.
10. If the certificate expires and the client no longer has a valid certificate, the client repeats the Legacy SCEP enrollment process.

SCEP Enrollment Restrictions

SCEP Proxy

• The ASA acts as a proxy for SCEP requests and responses between the client and the CA.
• The CA must be accessible to the ASA, not the AnyConnect client, since the client does not access the CA directly.
• Enrollment is always initiated automatically by the client. No user involvement is necessary.
• SCEP Proxy is supported in AnyConnect 3.0 and higher.

Legacy SCEP

• The AnyConnect client communicates with the CA directly to enroll and obtain a certificate.
• The CA must be accessible to the AnyConnect client, not the ASA, through an established VPN tunnel or directly on the same network the client is on.
• Enrollment is initiated automatically by the client and may be initiated manually by the user if configured.
• Legacy SCEP is supported in AnyConnect 2.4 and higher.

• When Windows clients first attempt to retrieve a certificate from a certificate authority they may see a warning. When prompted, users must click Yes. This allows them to import the root certificate. It does not affect their ability to connect with the client certificate.
• On the ASA, the aaa.cisco.sceprequired attribute can be used to catch the enrollment connections and apply the appropriate policies in the selected DAP record.