05-05-2017 12:00 PM
Hi,
I have a customer testing Anyconnect VPN authentication with user certificate enrollment done by ISE internal CA via SCEP. The purpose is to grant access to contractors. But after the first certificate enrollment they want to permit access to that device only, denying access to the same user with a different device. Can we adjust ISE to check first if the certificate was already issued to that user and deny a second enrollment?
Thanks.
05-06-2017 04:01 PM
The enrollment is controlled by the ASA, not ISE, so you might get a better answer and support from the ASA product support teams.
ISE has no rules governing how many times a user may get a certificate. The customer might be better off having the IT team(s) issue the certificates instead of using auto-enrollment. An alternative is to create a program that calls the ISE ERS API for endpoint certificates so that the program can use some database to check for previous enrollments beforehand.
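The "program with a database in front of the certificate issuance" idea from the answer above, as an added example that is not part of the original thread and not Cisco code. It keeps a SQLite ledger of which device each user has enrolled, refuses issuance for a second device, allows re-issuance (renewal) on the already-enrolled device, and gives an administrator a way to release the binding when a device is replaced. The actual issuance call is injected as a callable (`issuer`), because the exact ISE ERS request body for an endpoint certificate depends on the deployed ISE version and is not shown here; `device_id` is whatever identity the caller can tie to the device (for example the endpoint MAC or the SCEP request subject), which is an assumption of this example. The check and the ledger write happen under a write lock so two simultaneous requests from different devices cannot both slip through.

```python
"""One-device-per-user enrollment gate backed by a SQLite ledger (added example)."""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

SCHEMA = """
CREATE TABLE IF NOT EXISTS enrollments (
    username  TEXT PRIMARY KEY,
    device_id TEXT NOT NULL,
    serial    TEXT NOT NULL,
    issued_at TEXT NOT NULL
);
"""

# Hypothetical issuer signature: (username, device_id) -> certificate serial.
# In a real deployment this is where the ISE ERS endpoint-certificate request
# (or any other CA call) goes; it is injected so the gate logic runs offline.
Issuer = Callable[[str, str], str]


@dataclass
class Decision:
    allowed: bool
    reason: str
    serial: Optional[str] = None


class EnrollmentGate:
    def __init__(self, db_path: str = ":memory:"):
        # isolation_level=None: we manage BEGIN/COMMIT explicitly below.
        self.db = sqlite3.connect(db_path, isolation_level=None)
        self.db.executescript(SCHEMA)

    @staticmethod
    def _norm(username: str) -> str:
        # Usernames from RADIUS/AD are case-insensitive; normalise so
        # "Alice" and "alice " cannot be used to obtain a second device.
        return username.strip().lower()

    def existing(self, username: str) -> Optional[Tuple[str, str]]:
        """Return (device_id, serial) currently bound to the user, or None."""
        return self.db.execute(
            "SELECT device_id, serial FROM enrollments WHERE username = ?",
            (self._norm(username),),
        ).fetchone()

    def request_certificate(self, username: str, device_id: str,
                            issuer: Issuer) -> Decision:
        user = self._norm(username)
        # BEGIN IMMEDIATE takes the write lock before the check, so the
        # check-then-insert cannot race with a second request for the same user.
        self.db.execute("BEGIN IMMEDIATE")
        try:
            prior = self.existing(user)
            if prior is not None and prior[0] != device_id:
                self.db.execute("ROLLBACK")
                return Decision(False,
                                f"user already enrolled on device {prior[0]}")
            # Only now perform the real issuance; if it raises, nothing is recorded.
            serial = issuer(user, device_id)
            self.db.execute(
                "INSERT OR REPLACE INTO enrollments"
                "(username, device_id, serial, issued_at)"
                " VALUES (?, ?, ?, datetime('now'))",
                (user, device_id, serial),
            )
            self.db.execute("COMMIT")
        except Exception:
            self.db.execute("ROLLBACK")
            raise
        reason = "renewal on enrolled device" if prior else "first enrollment"
        return Decision(True, reason, serial)

    def release(self, username: str) -> int:
        """Admin action: clear the user's binding so a replacement device can enroll.
        Returns the number of rows removed (0 if the user had no binding)."""
        cur = self.db.execute("DELETE FROM enrollments WHERE username = ?",
                              (self._norm(username),))
        return cur.rowcount


def demo() -> list:
    """Walk a contractor through first enrollment, a second device, and renewal."""
    def fake_issuer(user: str, device: str) -> str:   # constructed stand-in for the CA call
        return f"SER-{user}-{device}"

    gate = EnrollmentGate()
    return [
        gate.request_certificate("alice", "LAPTOP-1", fake_issuer),   # allowed
        gate.request_certificate("Alice ", "LAPTOP-2", fake_issuer),  # denied
        gate.request_certificate("alice", "LAPTOP-1", fake_issuer),   # renewal
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Note that the gate only controls issuance. To deny the old certificate after an administrator calls `release`, the previously recorded serial still has to be revoked on the CA (or the matching endpoint removed) so that a copied certificate from the first device stops working; the ledger gives you the serial for that, it does not revoke anything itself.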
05-09-2017 05:46 AM
Thanks, Hsing-Tsu. I'll try the ASA team instead.
Best regards.