05-23-2017 12:56 PM
Is it possible to use ISE for authorization without authentication? My use case centers around using ISE to authorize SSLVPN connections in an SSO configuration, without having to supply credentials for authentication. In this use case we would validate a user certificate on an ASA, and if it's accepted the ASA would pass the username over to ISE for group membership lookup in AD. Based on the group memberships that are returned from AD, ISE would send back authorization permissions to the ASA.
Thanks,
Matt
05-23-2017 01:05 PM
05-23-2017 02:20 PM
Thank you! This was helpful, but do you know if there is a way to pass back a name from the certificate itself, like UPN or CN, and look that up in AD to get group membership(s) to determine which authorization policy to apply?
05-24-2017 12:55 PM
Around 06:00, this labminutes video, How to Configure Cisco SSL VPN AnyConnect Client Certificate and Double Authentication (Part 2), shows the key is to continue with authentication failures.