ISE internal CA with Anyconnect VPN

gealmeid
Cisco Employee

Hi,

I have a customer testing Anyconnect VPN authentication with user certificate enrollment done by ISE internal CA via SCEP. The purpose is to grant access to contractors. But after the first certificate enrollment they want to permit access to that device only, denying access to the same user with a different device. Can we adjust ISE to check first if the certificate was already issued to that user and deny a second enrollment?

Thanks.

2 Replies

hslai
Cisco Employee

The enrollment is controlled by ASA but not ISE so you might get a better answer and support from ASA product support teams.

ISE has no rules governing how many times a user may get a certificate. The customer might be better off having the IT team(s) issue the certificates instead of using auto-enrollment. An alternative is to create a program that calls the ISE ERS API for endpoint certificates, so that the program may use some database to check for previous enrollments beforehand.
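The "program with its own database" approach from the reply above, as an added illustration that is not ISE or Cisco code: the gate keeps a ledger of issued certificates and refuses a request when the user already holds an unrevoked certificate for a different device, while a renewal for the same device passes. The actual ISE ERS endpoint-certificate call is supplied by the caller as an `issue` function (an assumption, not shown here), so the policy logic runs offline.

```python
"""One-device-per-user enrollment gate (added example, not Cisco code).
The caller passes issue(username, device_id) -> serial, which is assumed to
wrap the ISE ERS endpoint-certificate request; it is never called when the
policy denies, so no certificate is issued for a second device."""
import sqlite3
from typing import Callable, Optional, Tuple

ALLOW, DENY = "allow", "deny"


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Ledger of issued certificates: one row per (user, device)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS enrollments ("
        " username TEXT NOT NULL, device_id TEXT NOT NULL,"
        " serial TEXT NOT NULL, revoked INTEGER NOT NULL DEFAULT 0,"
        " PRIMARY KEY (username, device_id))"
    )
    return db


def bound_device(db: sqlite3.Connection, username: str) -> Optional[str]:
    """Device that currently holds an unrevoked certificate for this user."""
    row = db.execute(
        "SELECT device_id FROM enrollments WHERE username = ? AND revoked = 0",
        (username,),
    ).fetchone()
    return row[0] if row else None


def request_enrollment(db: sqlite3.Connection, username: str, device_id: str,
                       issue: Callable[[str, str], str]) -> Tuple[str, str]:
    """Policy check before issuance; returns (decision, reason)."""
    current = bound_device(db, username)
    if current is not None and current != device_id:
        return DENY, f"{username} already holds a certificate on {current}"
    serial = issue(username, device_id)          # only reached when allowed
    # Same (user, device) again is a renewal: replace the stored serial.
    db.execute("INSERT OR REPLACE INTO enrollments VALUES (?, ?, ?, 0)",
               (username, device_id, serial))
    db.commit()
    return ALLOW, f"issued serial {serial} to {username} on {device_id}"


def release_device(db: sqlite3.Connection, username: str, device_id: str) -> None:
    """Mark a certificate revoked so the user may enroll a replacement device."""
    db.execute("UPDATE enrollments SET revoked = 1 WHERE username = ? AND device_id = ?",
               (username, device_id))
    db.commit()
```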

Thanks, Hsing-Tsu. I'll try the ASA team instead.

Best regards.