
05-23-2017 12:56 PM
Is it possible to use ISE for authorization without authentication? My use case centers around using ISE to authorize SSLVPN connections in an SSO configuration, without having to supply credentials for authentication. In this use case we would validate a user certificate on an ASA, and if it's accepted the ASA would pass the username over to ISE for group membership lookup in AD. Based on the group memberships that are returned from AD, ISE would send back authorization permissions to the ASA.
Thanks,
Matt
Labels: Identity Services Engine (ISE)
Accepted Solutions
05-24-2017 12:55 PM
Around 06:00, this labminutes video, How to Configure Cisco SSL VPN AnyConnect Client Certificate and Double Authentication (Part 2), shows that the key is to continue with authentication failures.
05-23-2017 01:05 PM

05-23-2017 02:20 PM
Thank you! This was helpful, but do you know if there is a way to pass back a name from the certificate itself, like UPN or CN, and look that up in AD to get group membership(s) to determine which authorization policy to apply?
