10-26-2016 05:50 AM
Hi -
This question is related to the following document:
How can you incorporate the VPN Phone capability into this ASA + ISE design? Would you just create a separate group policy and group url that would be outside the ASA/ISE group policy for regular users?
Vpn phone - http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-VPNPhoneDesignGuide-AUG13.pdf
Thanks,
Shane
10-27-2016 08:55 AM
Hi Shane,
That would probably be the best solution. One other possibility would be to use certificate based authentication with the phone and ASA but I'm not 100% sure if VPN phone supports that authentication method or not.
Regards,
-Tim
10-27-2016 11:53 AM
Yes, the phones already use Cert Authentication to the ASA.
10-30-2016 09:04 AM
Since the phones are using certificate authentication against ASA, there is no much to do with ISE. You could try authorize-only to ISE and see whether AnyConnect provides similar ACIDEX attributes as that for Windows and macOS or any other attributes usable by ISE to provide more granular authorization.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide