https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3726967#M554509 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/303946">@fatalXerror</a>: VPN does not use 802.1x. The machine credentials I was referring to was the credentials the machine uses for 802.1x prior to user login (created when machine joins the domain). You can definitely&nbsp;do client certificate authentication using machine certs with the ASA and AnyConnect VPN client.&nbsp;</P> Wed, 17 Oct 2018 12:11:38 GMT Rahul Govindan 2018-10-17T12:11:38Z https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3200088#M554505 <P>Hi</P> <P>Current setup:</P> <P>Anyconnect clients establish VPN tunnels to an ASA and are authenticated using an OTP server and AD (primary and secondary configuration under the connection profile). For AD, the ASA sends the authentication request to ISE which is integrated with AD. Clients are associated to different group-policies depending on which AD group they belong to.</P> <P>&nbsp;</P> <P>We would like to add machine authentication to this, is is possible to additionally check that the client machine is also present and active in AD?</P> <P>&nbsp;</P> <P>Kind Regards</P> Fri, 21 Feb 2020 18:36:22 GMT https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3200088#M554505 Terry 2020-02-21T18:36:22Z https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3201651#M554506 You cannot pass machine credentials through VPN as it does not do 802.1x for VPN access. But instead, you can run posture (ASA or ISE Posture) to check for a registry key on the user machine.<BR />An example using ASA posture (and DAP for enforcement) is given here:<BR /><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#anc21" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#anc21</A><BR /><BR />The registry key you can use to check this is "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain"<BR /><BR />You can set up the same check using ISE posture. Example here:<BR /><A href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html</A> Thu, 19 Oct 2017 13:48:19 GMT https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3201651#M554506 Rahul Govindan 2017-10-19T13:48:19Z https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3202203#M554507 <P>Thanks for your reply Rahul.</P> <P>We had already tested the ASA posture / registry key option which worked fine.</P> <P>My customer asked the question, so I just wanted to make sure I wasn't missing an option that could be used.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Terry</P> Fri, 20 Oct 2017 08:29:05 GMT https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3202203#M554507 Terry 2017-10-20T08:29:05Z https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3726770#M554508 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/193294">@Rahul Govindan</a>, i tried to search over the internet about VPN 802.1x for machine certificate authentication then I saw this post. Can you provide me a link that tells that 802.1x VPN with machine certificate authentication is unsupported? thanks</P> Wed, 17 Oct 2018 05:15:33 GMT https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3726770#M554508 fatalXerror 2018-10-17T05:15:33Z https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3726967#M554509 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/303946">@fatalXerror</a>: VPN does not use 802.1x. The machine credentials I was referring to was the credentials the machine uses for 802.1x prior to user login (created when machine joins the domain). You can definitely&nbsp;do client certificate authentication using machine certs with the ASA and AnyConnect VPN client.&nbsp;</P> Wed, 17 Oct 2018 12:11:38 GMT https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/3726967#M554509 Rahul Govindan 2018-10-17T12:11:38Z https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/4758259#M579323 <P>is there any similar solution for MAC computer?</P> Fri, 20 Jan 2023 02:39:45 GMT https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/4758259#M579323 karenmar 2023-01-20T02:39:45Z https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/4758807#M579333 <P>What do you mean?&nbsp; This thread addresses that 802.1X is not used on Remote Access VPN.&nbsp; What are you trying to accomplish?&nbsp; MacOS has no concept of a "Machine Account"</P> Fri, 20 Jan 2023 15:48:22 GMT https://community.cisco.com/t5/network-access-control/vpn-machine-authentication/m-p/4758807#M579333 ahollifield 2023-01-20T15:48:22Z