
Can ISE do client certificate authentication for AnyConnect VPN?

khansa001
Level 1

We are planning to use ISE for client certificate authentication.

When the client connects to the AnyConnect VPN, the client certs are checked with the PKI infrastructure.

After the client has a valid cert, the client will use an RSA token to authenticate.

1 Reply

Rahul Govindan
VIP Alumni

You cannot authenticate the VPN client certificate with ISE. The authentication and validation are done on the ASA itself. You can of course issue certs to the VPN users using ISE and have the CRL checked against the ISE local CA, but the verification of the SSL cert is done only on the ASA for AnyConnect VPN. You can combine Certificate and RSA authentication on the ISE. If you set the ASA to send a RADIUS request to ISE, which then forwards it to ASA, you can get authorization attributes from ISE if that's what you are looking for.
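
An ASA configuration sketch of the split described in the reply above, added here as an illustration and not taken from the thread: the ASA validates the client certificate and checks revocation itself, then sends the user's credentials to ISE over RADIUS. The trustpoint name, server group name, tunnel-group name, interface, address and shared secret are all placeholders; ISE is assumed to be configured separately to verify the RSA token code and return authorization attributes.

```text
! Constructed example: every name, address and key below is a placeholder.
!
! Trustpoint for the CA that issued the client certificates.
! The CA certificate is imported into this trustpoint; the ASA uses it
! to validate the client certificate chain during the SSL handshake.
crypto ca trustpoint CLIENT-CA
 enrollment terminal
 ! Reject certificates that the CA's CRL lists as revoked.
 revocation-check crl
!
! ISE as a RADIUS server group, reachable through the inside interface.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Connection profile for the certificate + token users.
tunnel-group VPN-CERT-RSA type remote-access
tunnel-group VPN-CERT-RSA general-attributes
 ! Username and passcode entered in AnyConnect go to ISE over RADIUS.
 authentication-server-group ISE
tunnel-group VPN-CERT-RSA webvpn-attributes
 ! Require both factors: a valid client certificate (checked on the ASA)
 ! and AAA credentials (checked by ISE).
 authentication aaa certificate
 group-alias VPN-CERT-RSA enable
```

With `authentication aaa certificate`, a client that presents no certificate or a revoked one is rejected on the ASA before any RADIUS request reaches ISE, so failed certificate checks appear in the ASA logs rather than in the ISE live logs.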
