01-09-2019 03:05 PM
Can we create a policy with AnyConnect which will check in the order below?
01-09-2019 03:10 PM
01-10-2019 01:23 AM
Yes, as RJI said. However, you need the AnyConnect module, which is Cisco software, and it does support EAP-FAST; you can also mix and match your rules, for example if you want your computer to be authenticated via certificate and the user with a password, or vice versa. You also need the AnyConnect Profile Editor in order to write the rules for what you need to match.
01-10-2019 06:33 PM
This is definitely achievable. The Cisco proprietary protocol, EAP-FAST, will allow you to utilize EAP chaining. This will allow you to perform both user and machine authentication. You will need a few other things in place in order to make this solution possible. I assume you have the other items, but if not, your environment should include 802.1X, PKI, ISE integrated with AD, and a way to deploy the AnyConnect client along with the NAM module. As stated in other replies, you can use the NAM Profile Editor to configure which EAP protocol you want to use, and to configure machine certificate authentication with user username/password or smartcard auth. For this solution, besides the PKI, the heavy lifting (configuration) will be done in the ISE policy sets and on your network devices to enable 802.1X. In your ISE authorization policies you will want to use conditions such as 'eapchainingresult', 'wasmachineauthenticated', and your external identity source (AD) to map objects and users to security groups.
For more understanding, view the links provided in a previous reply.
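To make the authorization-policy part of the reply above concrete, here is an added example that is not from the original thread or from Cisco: a small Python model of how an ISE authorization policy evaluates the EAP chaining outcome top-down, first match wins. The four EapChainingResult strings are the values ISE reports for that attribute after an EAP-FAST chained exchange; the rule names, the authorization profile names (PermitAccess, MachineOnly_ACL, Quarantine_ACL, DenyAccess), the AD group "Domain Users" and the sample requests are constructed for illustration and are not taken from any real deployment.

```python
"""Model of an ISE authorization policy for EAP-FAST with EAP chaining.

Rules are evaluated in order; the first rule whose condition matches wins,
and a request matching no rule falls to the default (deny). This mirrors
the first-match behaviour of an ISE authorization policy, but it is a
stand-alone illustration, not ISE code or an ISE export.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Tuple

# Values of Network Access:EapChainingResult after an EAP-FAST chained exchange.
BOTH_OK = "User and machine both succeeded"
USER_OK_MACHINE_FAIL = "User succeeded and machine failed"
USER_FAIL_MACHINE_OK = "User failed and machine succeeded"
NO_CHAINING = "No chaining"


@dataclass(frozen=True)
class Request:
    """The subset of session attributes the policy below looks at."""
    eap_chaining_result: str
    was_machine_authenticated: bool          # Network Access:WasMachineAuthenticated
    ad_groups: FrozenSet[str] = field(default_factory=frozenset)  # groups from AD lookup


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]
    profile: str                              # authorization profile to return


# Hypothetical rule set, ordered from most to least privileged outcome.
# Group and profile names are constructed examples.
RULES = [
    Rule("Corp user on corp machine",
         lambda r: r.eap_chaining_result == BOTH_OK
         and "Domain Users" in r.ad_groups,
         "PermitAccess"),
    Rule("Machine only (pre-logon or unknown user)",
         lambda r: r.eap_chaining_result == USER_FAIL_MACHINE_OK
         or (r.eap_chaining_result == NO_CHAINING and r.was_machine_authenticated),
         "MachineOnly_ACL"),
    Rule("Valid user on a non-corporate machine",
         lambda r: r.eap_chaining_result == USER_OK_MACHINE_FAIL,
         "Quarantine_ACL"),
]
DEFAULT_PROFILE = "DenyAccess"


def authorize(req: Request) -> Tuple[str, str]:
    """Return (matched rule name, authorization profile) for a request."""
    for rule in RULES:
        if rule.condition(req):
            return rule.name, rule.profile
    return "Default", DEFAULT_PROFILE


if __name__ == "__main__":
    # Constructed sample sessions, one per chaining outcome.
    samples = [
        Request(BOTH_OK, True, frozenset({"Domain Users", "Engineering"})),
        Request(USER_FAIL_MACHINE_OK, True),
        Request(USER_OK_MACHINE_FAIL, False, frozenset({"Domain Users"})),
        Request(NO_CHAINING, False),
    ]
    for s in samples:
        print(f"{s.eap_chaining_result!r:45} -> {authorize(s)}")
```

The case worth noticing is a session where both halves of the chain succeeded but the user is not in the expected AD group: it matches neither the first rule nor the machine-only rule, so it falls through to the default deny. That is why the reply above pairs the chaining conditions with the external identity source rather than relying on the chaining result alone.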