https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486477#M535797 <HTML><HEAD></HEAD><BODY><P>Around 06:00 in this labminutes video <A href="http://www.labminutes.com/sec0127_ssl_vpn_anyconnect_client_certificate_double_authentication_2" style="font-size: 10pt;">How to Configure Cisco SSL VPN AnyConnect Client Certificate and Double Authentication (Part 2)</A><SPAN style="font-size: 10pt;"> </SPAN><SPAN style="font-size: 10pt;">shows the key is to continue with authentication failures.</SPAN></P></BODY></HTML> Wed, 24 May 2017 19:55:31 GMT hslai 2017-05-24T19:55:31Z https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486474#M535789 <HTML><HEAD></HEAD><BODY><P>Is it possible to use ISE for authorization without authentication?&nbsp; My use case centers around using ISE to authorize SSLVPN connections in an SSO configuration, without having to supply credentials for authentication.&nbsp; In this use case we would validate a user certificate on an ASA, and if it's accepted the ASA would pass the username over to ISE for group membership lookup in AD.&nbsp; Based on the group memberships that are returned from AD, ISE would send back authorization permissions to the ASA.</P><P></P><P></P><P>Thanks,</P><P></P><P>Matt</P></BODY></HTML> Tue, 23 May 2017 19:56:13 GMT https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486474#M535789 matthen 2017-05-23T19:56:13Z https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486475#M535791 <HTML><HEAD></HEAD><BODY><P>See <A _jive_internal="true" href="https://community.cisco.com/thread/80616">VPN certificate auth using ISE?</A></P></BODY></HTML> Tue, 23 May 2017 20:05:52 GMT https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486475#M535791 hslai 2017-05-23T20:05:52Z https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486476#M535795 <HTML><HEAD></HEAD><BODY><P>Thank you!&nbsp; This was helpful, but do you know if there is a way to pass back a name from the certificate itself, like UPN or CN, and look that up in AD to get group membership(s) to determine which authorization policy to apply?</P></BODY></HTML> Tue, 23 May 2017 21:20:59 GMT https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486476#M535795 matthen 2017-05-23T21:20:59Z https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486477#M535797 <HTML><HEAD></HEAD><BODY><P>Around 06:00 in this labminutes video <A href="http://www.labminutes.com/sec0127_ssl_vpn_anyconnect_client_certificate_double_authentication_2" style="font-size: 10pt;">How to Configure Cisco SSL VPN AnyConnect Client Certificate and Double Authentication (Part 2)</A><SPAN style="font-size: 10pt;"> </SPAN><SPAN style="font-size: 10pt;">shows the key is to continue with authentication failures.</SPAN></P></BODY></HTML> Wed, 24 May 2017 19:55:31 GMT https://community.cisco.com/t5/network-access-control/authorization-without-authentication/m-p/3486477#M535797 hslai 2017-05-24T19:55:31Z