05-20-2019 12:49 AM
Hello,
We have a use case where users should be authenticated by both username/password and certificates simultaneously for Windows/Mac. Is this possible?
Thanks,
Rakesh Kumar
05-20-2019 08:03 AM
05-22-2019 09:57 AM
Jason already answered. ASA supports multiple authentications combined with a user/machine certificate for remote-access VPN connections, while ISE mostly supports single authentications, except for EAP chaining and CWA chaining for wired and wireless.
I agree with Mike.Cifelli that using MFA, such as smart cards (e.g. CAC cards), is the way to go.
05-20-2019 05:09 AM
05-20-2019 05:13 AM
Not talking about EAP-chaining which combines user/machine authentication. Here is the use case:
05-20-2019 06:05 AM
05-20-2019 08:03 AM
05-20-2019 08:55 AM
05-21-2019 01:20 AM
Guys,
First of all, my use case is not related to EAP-chaining. This is similar to what works for AnyConnect, where ASA validates the user's certificate first, then checks with the RADIUS server to validate the user's password.
Let me try again to explain the customer's requirement.
User 'John' has a corporate laptop. For instance, keep laptop authentication out of this. When John tries to connect to the network, he should be authenticated by his password as well as the certificate provided to him. ISE should be able to validate both types of credentials.
05-22-2019 09:01 PM