https://community.cisco.com/t5/network-access-control/vpn-asa-certificate-duo-authentication-using-ise/m-p/4746085#M579000 <P>Hey guys,&nbsp;</P><P>I'm trying to find a way to authenticate users coming from Cisco ASA with certificate and DUO from ISE.</P><P>The idea is to follow the steps bellow :</P><OL><LI>Users connects to ASA VPN with AnyConnect Client.</LI><LI>Device certificate is send to ASA and ASA forward it to ISE.</LI><LI>Once certificate is authenticate by ISE a request is send from ISE to DUO proxy to authenticate the users with Duo push.</LI><LI>Then User valid is Push and He is authenticated to the VPN.</LI></OL><P>Is it possible to implement this ?</P><P>Also is it possible to do only one Radius request by using EAP-TEAP for the step 2 and 3.</P><P>I found this community subject :&nbsp;</P><P><A href="https://community.cisco.com/t5/network-access-control/vpn-certificate-auth-using-ise/td-p/3513185" target="_blank" rel="noopener">Solved: VPN certificate auth using ISE? - Cisco Community</A></P><P>But it has been posted 5 years ago so is it outdated ?</P><P>Thank for your help !</P> Wed, 28 Dec 2022 13:10:37 GMT Djuxt 2022-12-28T13:10:37Z https://community.cisco.com/t5/network-access-control/vpn-asa-certificate-duo-authentication-using-ise/m-p/4746085#M579000 <P>Hey guys,&nbsp;</P><P>I'm trying to find a way to authenticate users coming from Cisco ASA with certificate and DUO from ISE.</P><P>The idea is to follow the steps bellow :</P><OL><LI>Users connects to ASA VPN with AnyConnect Client.</LI><LI>Device certificate is send to ASA and ASA forward it to ISE.</LI><LI>Once certificate is authenticate by ISE a request is send from ISE to DUO proxy to authenticate the users with Duo push.</LI><LI>Then User valid is Push and He is authenticated to the VPN.</LI></OL><P>Is it possible to implement this ?</P><P>Also is it possible to do only one Radius request by using EAP-TEAP for the step 2 and 3.</P><P>I found this community subject :&nbsp;</P><P><A href="https://community.cisco.com/t5/network-access-control/vpn-certificate-auth-using-ise/td-p/3513185" target="_blank" rel="noopener">Solved: VPN certificate auth using ISE? - Cisco Community</A></P><P>But it has been posted 5 years ago so is it outdated ?</P><P>Thank for your help !</P> Wed, 28 Dec 2022 13:10:37 GMT https://community.cisco.com/t5/network-access-control/vpn-asa-certificate-duo-authentication-using-ise/m-p/4746085#M579000 Djuxt 2022-12-28T13:10:37Z https://community.cisco.com/t5/network-access-control/vpn-asa-certificate-duo-authentication-using-ise/m-p/4746091#M579001 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1437983">@Djuxt</a> certificate authentication is between the anyconnect client and the ASA, not ISE.</P> <P>You could send the Duo authentication via ISE which proxies the request to the Duo authentication proxy, once authenticated via Duo ISE can then authorise the user.</P> <P>TEAP is used for 802.1X authentication (wired/wireless) not VPN.</P> Wed, 28 Dec 2022 13:22:36 GMT https://community.cisco.com/t5/network-access-control/vpn-asa-certificate-duo-authentication-using-ise/m-p/4746091#M579001 Rob Ingram 2022-12-28T13:22:36Z