cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
335
Views
1
Helpful
2
Replies

Cert-based RA VPN for managed Android device

rbrd
Community Member

"ISE-terminated EAP-TLS (as StrongSwan) vs ASA-validated cert + ISE authZ-only"

Hi all,

After some reading and lab testing, I've narrowed a design to 2 options and I'd value real-world feedback before committing.

For managed Android phones, device certificates issued by an internal CA, IKEv2/IPSEC remote-access VPN on ASA, ISE available.
=> certificate-based authC for the phones, ideally with ISE validationg the client cert.

Option 1- EAP-TLS terminated by ISE.
ASA in EAP query-identity", ISE terminates EAP-TLS and validates certs device. From waht I found, neither Secure Client nor the Android native IKEv2 client performs EAP-TLS to the AAA server for VPN, so this seems to require StrongSwan on the phones.

Option 2 - Certs validated by ASA (Trustpoint) + ISE authZ-only (device name from certs)
Keeps Secure Client, but ISE only authZ, it doesn't validate the certs.

Where I'd like some REX :
=> Can anyone confirm whether Secure Client on Android can (or cannot) do EAP-TLS terminated at ISE for Remote-Acces VPN
=> StrongSwan via EMM-Nanager config : How reliable has it been at scale ?

Thanks in advance for any feedback.

1 Accepted Solution

Accepted Solutions

@rbrd when performing certificate authentication on an ASA/FTD remote access VPN, certificate authentication is between the client and the ASA headend device itself, not a AAA server (ISE), regardless of client OS. You can only use ISE for authorisation.

It's not using EAP-TLS "AnyConnect does not support standardized EAP methods which are terminated on the AAA server (PEAP, Transport Layer Security)". https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html

I've no experience on StrongSwan, probably best asking that question on a StrongSwan forum.

 

View solution in original post

2 Replies 2

@rbrd when performing certificate authentication on an ASA/FTD remote access VPN, certificate authentication is between the client and the ASA headend device itself, not a AAA server (ISE), regardless of client OS. You can only use ISE for authorisation.

It's not using EAP-TLS "AnyConnect does not support standardized EAP methods which are terminated on the AAA server (PEAP, Transport Layer Security)". https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html

I've no experience on StrongSwan, probably best asking that question on a StrongSwan forum.

 

rbrd
Community Member

Thanks Rob,

That confirms my understanding with ASA/FTD RA-VPN certificate method, certs validation is handled between the client and the headend, with ISE used for authZ only.


Thanks again for the refs and clarification.