06-29-2026 11:37 PM
"ISE-terminated EAP-TLS (as StrongSwan) vs ASA-validated cert + ISE authZ-only"
Hi all,
After some reading and lab testing, I've narrowed a design to 2 options and I'd value real-world feedback before committing.
For managed Android phones, device certificates issued by an internal CA, IKEv2/IPSEC remote-access VPN on ASA, ISE available.
=> certificate-based authC for the phones, ideally with ISE validationg the client cert.
Option 1- EAP-TLS terminated by ISE.
ASA in EAP query-identity", ISE terminates EAP-TLS and validates certs device. From waht I found, neither Secure Client nor the Android native IKEv2 client performs EAP-TLS to the AAA server for VPN, so this seems to require StrongSwan on the phones.
Option 2 - Certs validated by ASA (Trustpoint) + ISE authZ-only (device name from certs)
Keeps Secure Client, but ISE only authZ, it doesn't validate the certs.
Where I'd like some REX :
=> Can anyone confirm whether Secure Client on Android can (or cannot) do EAP-TLS terminated at ISE for Remote-Acces VPN
=> StrongSwan via EMM-Nanager config : How reliable has it been at scale ?
Thanks in advance for any feedback.
Solved! Go to Solution.
06-29-2026 11:48 PM
@rbrd when performing certificate authentication on an ASA/FTD remote access VPN, certificate authentication is between the client and the ASA headend device itself, not a AAA server (ISE), regardless of client OS. You can only use ISE for authorisation.
It's not using EAP-TLS "AnyConnect does not support standardized EAP methods which are terminated on the AAA server (PEAP, Transport Layer Security)". https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html
I've no experience on StrongSwan, probably best asking that question on a StrongSwan forum.
06-29-2026 11:48 PM
@rbrd when performing certificate authentication on an ASA/FTD remote access VPN, certificate authentication is between the client and the ASA headend device itself, not a AAA server (ISE), regardless of client OS. You can only use ISE for authorisation.
It's not using EAP-TLS "AnyConnect does not support standardized EAP methods which are terminated on the AAA server (PEAP, Transport Layer Security)". https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html
I've no experience on StrongSwan, probably best asking that question on a StrongSwan forum.
06-30-2026 12:20 AM
Thanks Rob,
That confirms my understanding with ASA/FTD RA-VPN certificate method, certs validation is handled between the client and the headend, with ISE used for authZ only.
Thanks again for the refs and clarification.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide