Machine Cert and Machine Account in AD and Username/password with AnyConnect

azhar_eaggle1
Level 1

Can we create a policy with AnyConnect which will check in the order below?

  1. Valid Machine Cert
  2. Valid Machine Account in AD
  3. Valid Username and Password


3 Replies

Hi,

You should be able to achieve this using EAP Chaining (EAP-FAST). Links here and here


HTH

Yes, as RJI said. However, you need the AnyConnect module, which is Cisco software and does support EAP-FAST, and you can also mix and match your rules. For example, if you want your computer to be authenticated via certificate and the user with a password, or vice versa. You also need the AnyConnect Profile Editor in order to write the rules you need to match.

Please do not forget to rate.

Mike.Cifelli
VIP Alumni

This is definitely achievable. The Cisco proprietary protocol, EAP-FAST, will allow you to utilize EAP chaining. This will allow you to perform both user and machine authentication. You will need a few other things in place in order to make this solution possible. I assume you have the other items, but if not, your environment should include 802.1X, PKI, ISE integrated with AD, and a way to deploy the AnyConnect client along with the NAM module. As stated in other replies, you can use the NAM Profile Editor to configure which EAP protocol you want to use, and configure machine cert authentication with user username/password or smartcard auth. For this solution, besides the PKI, the heavy lifting (configuration) will be done in the ISE policy sets and on your network devices to enable 802.1X. In your ISE authorization policies you will want to use conditions such as 'EapChainingResult', 'WasMachineAuthenticated', and your external identity source (AD) to map objects and users to security groups.

For more understanding view the links provided in a previous reply.
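As an added illustration (not code from any of the replies or from Cisco), here is a Python model of the three checks in the question, run in the order listed, mapped onto the ISE attributes the reply above names, and then passed through a first-match authorization policy. The attribute value strings are recalled from ISE and assumed; the rule names, group name and sample attempts are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Value set of ISE's "Network Access:EapChainingResult" attribute (spelling recalled from ISE, assumed).
BOTH_OK = "User and machine both succeeded"
USER_OK_MACHINE_FAIL = "User succeeded and machine failed"
USER_FAIL_MACHINE_OK = "User failed and machine succeeded"


@dataclass
class Attempt:
    """One EAP-FAST session with EAP chaining, as ISE would see it (constructed sample data)."""
    machine_cert_valid: bool   # step 1: cert chains to the trusted CA, in validity period, not revoked
    machine_in_ad: bool        # step 2: cert subject maps to an enabled AD computer object
    user_creds_valid: bool     # step 3: inner user credentials verified against AD
    user_groups: List[str] = field(default_factory=list)


def evaluate_chaining(a: Attempt) -> dict:
    """Run the three checks in the order the question lists and derive the attributes ISE exposes."""
    failed_step: Optional[str] = None
    # Machine leg: steps 1 and 2 in order; the first failure ends the machine leg (fail closed,
    # so an untrusted cert never triggers an AD lookup).
    if not a.machine_cert_valid:
        failed_step = "1:machine-cert"
    elif not a.machine_in_ad:
        failed_step = "2:machine-ad-account"
    machine_ok = failed_step is None
    user_ok = a.user_creds_valid                       # step 3, carried in the same EAP-FAST tunnel
    if not user_ok and failed_step is None:
        failed_step = "3:user-credentials"
    if not machine_ok and not user_ok:
        # Both legs failed: authentication is rejected and authorization rules are never consulted.
        return {"result": None, "machine_authenticated": False, "failed_step": failed_step}
    result = BOTH_OK if (machine_ok and user_ok) else (USER_FAIL_MACHINE_OK if machine_ok else USER_OK_MACHINE_FAIL)
    return {"result": result, "machine_authenticated": machine_ok, "failed_step": failed_step}


def authorize(a: Attempt) -> str:
    """Top-down, first-match rules in the style of an ISE policy set (constructed rule names)."""
    ev = evaluate_chaining(a)
    if ev["result"] is None:
        return "ACCESS-REJECT"                         # which step failed is kept in ev["failed_step"]
    if ev["result"] == BOTH_OK and "Domain Users" in a.user_groups:
        return "PermitAccess:Corp-VLAN"                # corporate device AND corporate user
    if ev["result"] == USER_FAIL_MACHINE_OK:
        return "PermitAccess:Machine-Only-ACL"         # domain-joined host at the login screen: AD/GPO reach only
    return "ACCESS-REJECT"                             # valid AD user on a non-corporate device gets nothing
```

The `failed_step` field is what you would want surfaced in the live log so that a rejected session can be attributed to the certificate, the computer object or the user credentials rather than to "authentication failed".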
