Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
784
Views
2
Helpful
1
Replies

Cisco ASA 5500X with anyConnect v4.4 integration to Cisco ISE v2.1 using machine certs

khalid_mahmood
Level 4
Level 4

‎05-15-2017 08:25 AM

Hi we are trying to integrate Cisco ASA AnyConnect v4.4 to Cisco ISE v2.1 with machine Cert authentication (EAP-TLS) and posture. We have configured the ASA Connection profile to  do the Certificate authentication under Basic on the ASA and under advanced Authorisation & Accounting is set to ISE (RADIUS) server.

Connection profile:

  • Basic Authentication method = Certificate
  • Advanced Authentication = None
  • Advanced Secondary Authentication = None
  • Advanced Authorisation = ISE (Server group)
  • Advanced Accounting  = ISE (Server group)


on Cisco ISE we have a Authentication policy to authenticate against the Active directory. This works and the machine certification happens on the ASA and the user authentication & authorisation on the ISE.

  • AD User Logon      if DEVICE Type=Device Types#VPN     allow protocols MSCHAP and
    •      default     use ActiveDirectory

My question, is this the right way or should we be pointing everything to ISE, so Certificate authentication, authorisation, accounting on connection profile set to RADIUS (ISE) server. I cannot see any ASA to ISE integration guides is anyone could help clarify and provide any links to suitable documentation.

Thanks Khalid

1 Reply 1

hslai
Cisco Employee
Cisco Employee

‎05-19-2017 12:46 AM

See a recent discussion -VPN certificate auth using ISE?

Customers Also Viewed These Support Documents