https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511165#M511037 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">Hello Team,</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">I know this has been asked before and I know there are ways around it but my scenario is a bit more specific so need to see if there are any options from ISE side. Please read on.</P><P style="font-size: 13.3333px;">Currently doing VPN cert authentication and authorization with ASA and LDAP. Using IKEv2.</P><P style="font-size: 13.3333px;">Need to implement ISE Posture.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Several restrictions such as FIPS on ISE so PAP/ASCII, MSCHAPv2 and EAP-MD5 are disabled. Also no dual factor here due to nature of security, certificate only (not that I think using a different method would help).</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">This guide show exactly what is needed, but it seems to be Window Native only:</P><P style="font-size: 13.3333px;"><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html?referring_site=RE&amp;pos=2&amp;page=http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-technote-anyconnect-00.html" title="https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html?referring_site=RE&amp;pos=2&amp;page=http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-technote-anyconnect-00.html">Configure ASA IKEv2 Remote Access with EAP-PEAP and Native Windows Client - Cisco</A></P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Any options you can think of are appreciated, we need to use an EAP method for VPN authentication because of all the protocols ISE has disabled. Apparently AnyConnect only does some proprietary protocol called AnyConnect-EAP which ISE doesn't support, is that correct? Routers seem to have a possibility also, but then again we are dealing with an ASA.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Thanks, </P><P style="font-size: 13.3333px;">Eric.</P></BODY></HTML> Wed, 04 Apr 2018 20:44:41 GMT Eric Pineda 2018-04-04T20:44:41Z https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511165#M511037 <HTML><HEAD></HEAD><BODY><P style="font-size: 13.3333px;">Hello Team,</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">I know this has been asked before and I know there are ways around it but my scenario is a bit more specific so need to see if there are any options from ISE side. Please read on.</P><P style="font-size: 13.3333px;">Currently doing VPN cert authentication and authorization with ASA and LDAP. Using IKEv2.</P><P style="font-size: 13.3333px;">Need to implement ISE Posture.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Several restrictions such as FIPS on ISE so PAP/ASCII, MSCHAPv2 and EAP-MD5 are disabled. Also no dual factor here due to nature of security, certificate only (not that I think using a different method would help).</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">This guide show exactly what is needed, but it seems to be Window Native only:</P><P style="font-size: 13.3333px;"><A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html?referring_site=RE&amp;pos=2&amp;page=http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-technote-anyconnect-00.html" title="https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html?referring_site=RE&amp;pos=2&amp;page=http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-technote-anyconnect-00.html">Configure ASA IKEv2 Remote Access with EAP-PEAP and Native Windows Client - Cisco</A></P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Any options you can think of are appreciated, we need to use an EAP method for VPN authentication because of all the protocols ISE has disabled. Apparently AnyConnect only does some proprietary protocol called AnyConnect-EAP which ISE doesn't support, is that correct? Routers seem to have a possibility also, but then again we are dealing with an ASA.</P><P style="font-size: 13.3333px;"></P><P style="font-size: 13.3333px;">Thanks, </P><P style="font-size: 13.3333px;">Eric.</P></BODY></HTML> Wed, 04 Apr 2018 20:44:41 GMT https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511165#M511037 Eric Pineda 2018-04-04T20:44:41Z https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511166#M511038 <HTML><HEAD></HEAD><BODY><P>With cert-based auth from VPN client to ASA, the ISE component is authorization only as authentication is terminated at ASA.</P></BODY></HTML> Wed, 04 Apr 2018 22:05:19 GMT https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511166#M511038 Craig Hyps 2018-04-04T22:05:19Z https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511167#M511039 <HTML><HEAD></HEAD><BODY><P>Thanks Craig,</P><P></P><P>Correct, it would be authorization, however it would still deal with the PAP/ASCII or MSCHAPv2 from ASA to ISE?</P></BODY></HTML> Thu, 05 Apr 2018 00:07:49 GMT https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511167#M511039 Eric Pineda 2018-04-05T00:07:49Z https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511168#M511040 <HTML><HEAD></HEAD><BODY><P>Authorization is independent of Authentication and communicated via RADIUS.&nbsp; It is not reliant on the authentication protocol.&nbsp; Normally authorization is sent as part of a singe response, but could be a separate request.</P><P></P><P>That said, to trigger an Authorization request to ISE for VPN client at this stage, it needs to send an auth request from ASA to ISE using unencrypted auth protocols.&nbsp; You can configure IPsec between ASA and ISE, which may be deemed as an acceptable compensating control, but defer to your compliance team.</P></BODY></HTML> Thu, 05 Apr 2018 00:44:55 GMT https://community.cisco.com/t5/network-access-control/ise-posture-for-vpn-doing-certificate-authentication/m-p/3511168#M511040 Craig Hyps 2018-04-05T00:44:55Z