05-20-2019 12:49 AM
Hello,
We have a use case where users should be authenticated by username-password/certificates both simultaneously for Windows/Mac. Is this possible?
Thanks,
Rakesh Kumar
Solved! Go to Solution.
05-20-2019 08:03 AM
05-22-2019 09:57 AM
Jason already answered. ASA supports multiple authentications combining with user/machine certificate for remote-access VPN connections while ISE is supporting mostly single authentications, except for EAP chaining and CWA chaining for wired and wireless.
I agreed with Mike.Cifelli that using MFA, such as smart cards (e.g. CAC cards), is the way to go.
05-20-2019 05:09 AM
05-20-2019 05:13 AM
Not talking about EAP-chaining which combines user/machine authentication. Here is the use case:
05-20-2019 06:05 AM
05-20-2019 08:03 AM
05-20-2019 08:55 AM
05-21-2019 01:20 AM
Guys,
First of all, my use case is not related to EAP-chaining. This is similar to what works for anyconnect where ASA validates the user's certificate first, then checks with RADIUS server to validate user's password.
Let me try again to explain the customer's requirement again.
User 'John' has a corporate laptop. For instance, keep laptop authentication out of this. When John tries to connect to network, he should be authenticated by his password as well as certificate provided to him. ISE should be able to validate both types of credentials.
05-22-2019 09:57 AM
Jason already answered. ASA supports multiple authentications combining with user/machine certificate for remote-access VPN connections while ISE is supporting mostly single authentications, except for EAP chaining and CWA chaining for wired and wireless.
I agreed with Mike.Cifelli that using MFA, such as smart cards (e.g. CAC cards), is the way to go.
05-22-2019 09:01 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide