ISE posture for VPN doing certificate authentication

Eric Pineda
Cisco Employee

Hello Team,

I know this has been asked before and I know there are ways around it but my scenario is a bit more specific so need to see if there are any options from ISE side. Please read on.

Currently doing VPN cert authentication and authorization with ASA and LDAP. Using IKEv2.

Need to implement ISE Posture.

Several restrictions such as FIPS on ISE so PAP/ASCII, MSCHAPv2 and EAP-MD5 are disabled. Also no dual factor here due to nature of security, certificate only (not that I think using a different method would help).

This guide shows exactly what is needed, but it seems to be Windows Native only:

Configure ASA IKEv2 Remote Access with EAP-PEAP and Native Windows Client - Cisco

Any options you can think of are appreciated; we need to use an EAP method for VPN authentication because of all the protocols ISE has disabled. Apparently AnyConnect only does some proprietary protocol called AnyConnect-EAP, which ISE doesn't support. Is that correct? Routers seem to have a possibility also, but then again we are dealing with an ASA.

Thanks,

Eric.


3 Replies

Craig Hyps
Level 10
Accepted Solution

With cert-based auth from VPN client to ASA, the ISE component is authorization only as authentication is terminated at ASA.

Eric Pineda
Cisco Employee

Thanks Craig,

Correct, it would be authorization; however, would it still deal with the PAP/ASCII or MSCHAPv2 from ASA to ISE?

Craig Hyps
Level 10

Authorization is independent of Authentication and communicated via RADIUS. It is not reliant on the authentication protocol. Normally authorization is sent as part of a single response, but could be a separate request.

That said, to trigger an Authorization request to ISE for the VPN client at this stage, it needs to send an auth request from ASA to ISE using unencrypted auth protocols. You can configure IPsec between ASA and ISE, which may be deemed an acceptable compensating control, but defer to your compliance team.
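As an added illustration, not configuration from the thread or from Cisco, here is what the ASA side of the design Craig describes looks like: IKEv2 remote access authenticated by client certificate on the ASA, ISE used for RADIUS authorization only (with accounting and CoA so posture can work), and an IPsec L2L tunnel between the ASA and the ISE PSN as the compensating control for the plaintext authorization request. Every address, object name, trustpoint name and shared secret below is an assumption.

```cisco
! Added example, not from the original post. All names/addresses/trustpoints/secrets are assumed.

! --- RADIUS server group for the ISE PSN: authorization only, with accounting and CoA ---
! authorize-only: the ASA sends an Access-Request to obtain authorization, it does not
!   rely on ISE to validate a password (authentication already terminated on the ASA cert check).
! interim-accounting-update: ISE uses accounting (incl. Framed-IP-Address) to track the session.
! dynamic-authorization: accept CoA from ISE after the posture assessment finishes.
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.10.10.20
 key ReplaceWithStrongSharedSecret
 authentication-port 1812
 accounting-port 1813

! --- Redirect ACL for the posture phase; ISE names it in the authorization result ---
! deny = not redirected (DNS and the PSN itself), permit = redirected to the ISE portal.
access-list POSTURE-REDIRECT extended deny udp any any eq domain
access-list POSTURE-REDIRECT extended deny ip any host 10.10.10.20
access-list POSTURE-REDIRECT extended permit tcp any any eq www
access-list POSTURE-REDIRECT extended permit tcp any any eq https

! --- Remote-access tunnel group: certificate authentication terminates on the ASA ---
ip local pool VPN-POOL 172.16.50.1-172.16.50.254 mask 255.255.255.0
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ikev2
tunnel-group RA-IKEV2 type remote-access
tunnel-group RA-IKEV2 general-attributes
 address-pool VPN-POOL
 default-group-policy RA-GP
 authorization-server-group ISE
 authorization-required
 username-from-certificate CN
 accounting-server-group ISE
tunnel-group RA-IKEV2 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASA-ID-TP

! --- Compensating control: IKEv2/certificate L2L tunnel carrying the ASA<->ISE RADIUS traffic ---
! The ISE side of this tunnel is configured in the ISE admin UI and is not shown here.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ISE-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Interesting traffic: the ASA inside interface IP (RADIUS source) to the PSN.
access-list ASA-TO-ISE extended permit ip host 10.10.10.1 host 10.10.10.20
crypto map ISE-MAP 10 match address ASA-TO-ISE
crypto map ISE-MAP 10 set peer 10.10.10.20
crypto map ISE-MAP 10 set ikev2 ipsec-proposal ISE-PROP
crypto map ISE-MAP interface inside
crypto ikev2 enable inside
tunnel-group 10.10.10.20 type ipsec-l2l
tunnel-group 10.10.10.20 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASA-ID-TP
```

Two points to keep in mind when adapting this. First, the tunnel only encrypts the RADIUS exchange on the wire; it does not change what the ASA puts in the Access-Request, so ISE still has to accept that request under its allowed-protocols settings, which is exactly the FIPS problem the thread is about. Second, the username ISE receives is whatever `username-from-certificate` extracts, so the ISE authorization policy (and any directory lookup ISE performs) must key on that value.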
