I have a Cisco ASA5508X, running FTD 18.104.22.168, controlled by a vFMC running FMC 22.214.171.124. Infrastructure includes a Windows Server 2008 R2 running as a DC.
I have managed to set up some site to site VPNs to Cisco ASA5506's as well as remote access client VPNs, authenticating via RADIUS to the Windows server, using the user's domain credentials. This all works fine.
I am now attempting to set up client VPNs that use certificate-based authentication. This will be for some Windows tablets, running Windows 7 and 8 Pro. The idea is to use machine certificates, and have the tablets establish a VPN at power-up or login, with no user involvement.
I have configured a Windows Certificate Authority, and machines are enrolling and grabbing a machine certificate just fine. The bit I am stuck with is somehow getting the CA certificate from the Windows CA installed on the FTD. Can anyone point me in the right direction?
Plan is to have TWO groups:
1. VPN for users who want to connect in manually from a variety of home PCs, laptops or whatever, and authenticate with their Active Directory credentials.
2. VPN for Windows 10 tablets, used by tradesmen in the field. These machines need to connect automatically via inbuilt GSM cards, then establish a VPN connection into the LAN. Preferably at boot, with no user intervention.
The first VPN is working, it authenticates via RADIUS to the local DC. It is the second one that I am having trouble with.
For no. 2, I believe the issue lies in the NPS server config.
Did you enable NPS accounting and then read the log file? Here's an overview in the attachments.
What I would do:
1. Read the log file.
2. Attempt a VPN certificate connect.
3. Re-read the file and look for the Connection Request Policy and Network Policy being used.
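The read-log / attempt-connect / re-read loop above is easier to do reliably when the NPS log is parsed rather than eyeballed, especially when the machine-certificate request is being rejected. The script below is an added example for this thread, not code from the thread, from Cisco or from Microsoft; it assumes NPS is writing its accounting log in the DTS-compliant XML format (one `<Event>` per line, with `Proxy-Policy-Name` holding the Connection Request Policy and `NP-Policy-Name` the Network Policy), and the four sample lines, user names, NAS name and policy names are all constructed. The Reason-Code descriptions are a small subset of Microsoft's documented NPS reason codes; anything else is reported by number.

```python
"""Summarise NPS (DTS-compliant XML) accounting log lines: which Connection
Request Policy and Network Policy each request matched, and why rejects
happened.  Added example; assumes the XML log format, one <Event> per line."""
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS packet codes as NPS logs them in Packet-Type.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response"}

# Subset of Microsoft's documented NPS Reason-Code values.
REASON_CODES = {
    0: "success",
    16: "authentication failed: user credentials mismatch",
    22: "EAP type cannot be processed by the server",
    48: "request did not match any configured network policy",
    49: "request did not match any configured connection request policy",
    65: "network access permission denied in the user's dial-in properties",
}

FIELDS = ("Timestamp", "User-Name", "Client-Friendly-Name", "Client-IP-Address",
          "Proxy-Policy-Name", "NP-Policy-Name", "Packet-Type", "Reason-Code")

# Constructed sample log: a domain user connecting successfully, followed by a
# tablet's machine-certificate request that matches no network policy.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">01/15/2020 08:01:12.345</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">jsmith</User-Name><Client-IP-Address data_type="3">10.0.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">FTD-RA-VPN</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><NP-Policy-Name data_type="1">RA-VPN-Users</NP-Policy-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">01/15/2020 08:01:12.401</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">jsmith</User-Name><Client-IP-Address data_type="3">10.0.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">FTD-RA-VPN</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><NP-Policy-Name data_type="1">RA-VPN-Users</NP-Policy-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/15/2020 08:05:44.010</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">host/TABLET07.example.local</User-Name><Client-IP-Address data_type="3">10.0.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">FTD-RA-VPN</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">01/15/2020 08:05:44.062</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">host/TABLET07.example.local</User-Name><Client-IP-Address data_type="3">10.0.0.1</Client-IP-Address><Client-Friendly-Name data_type="1">FTD-RA-VPN</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
"""


def parse_nps_log(text):
    """Return one dict per <Event> line with the fields in FIELDS (missing -> '')."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<Event>"):
            continue  # skip blank lines or anything that is not an event record
        root = ET.fromstring(line)
        ev = {f: (root.findtext(f) or "") for f in FIELDS}
        ev["Packet-Type"] = int(ev["Packet-Type"]) if ev["Packet-Type"] else None
        ev["Reason-Code"] = int(ev["Reason-Code"]) if ev["Reason-Code"] else None
        events.append(ev)
    return events


def policy_usage(events):
    """Count events per (Connection Request Policy, Network Policy) pair.
    A request that never matched a network policy shows up under '<none>'."""
    counts = Counter()
    for ev in events:
        counts[(ev["Proxy-Policy-Name"], ev["NP-Policy-Name"] or "<none>")] += 1
    return counts


def rejections(events):
    """List (user, NAS, connection request policy, network policy, reason) for
    every Access-Reject, translating the reason code where it is known."""
    out = []
    for ev in events:
        if ev["Packet-Type"] == 3:
            code = ev["Reason-Code"]
            out.append((ev["User-Name"], ev["Client-Friendly-Name"],
                        ev["Proxy-Policy-Name"], ev["NP-Policy-Name"] or "<none>",
                        REASON_CODES.get(code, f"reason code {code}")))
    return out


if __name__ == "__main__":
    evs = parse_nps_log(SAMPLE_LOG)
    for (crp, npol), n in policy_usage(evs).items():
        print(f"{n:3d}  CRP={crp!r}  NP={npol!r}")
    for rej in rejections(evs):
        print("REJECT", rej)
```

Run against a real log, the `policy_usage` table tells you immediately whether the tablet's `host/...` request is landing on the same Connection Request Policy as the interactive users, and `rejections` tells you whether it then fails to match any Network Policy (reason 48) or is being pushed through a policy whose authentication method does not accept a machine certificate.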