Pre-fill username from certificate

mapretty (Cisco Employee)

Hi,

Have a scenario where a customer wants to have their users connect to VPN, authenticate to ISE and use MFA, without interaction, using machine certs. They want to use ISE as the AAA for VPN and integrate seamlessly with MFA, automatically passing the username credentials from the certificate. ASA has the pre-fill username feature (https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p3.html).


Can ISE do the same?

1 Reply

Mike.Cifelli (VIP Alumni)
I know that you can use ISE as your authorization server. Essentially you would CAC auth against your VPN concentrator and perform verification of the user cert. In your configuration profile, under authentication method, you would set up certificate only. You would then enable authorization, ensure that users must exist in the authz database, and ensure that "specify certificate fields to be used as username" is set to UPN or the specific attribute that you wish to map the user with. Then, assuming you have ISE set up properly, you could map the extracted UPN to an external identity source such as AD and push the authz profile accordingly.

As for using ISE for authc, I have only seen this done with username/password extraction. IMO the downside is that when extracting something like the UPN, AD wants the user password associated with the UPN and not the actual cert PIN. If you enforce CAC only in the environment, then that would be a show stopper. HTH!
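The sequence described in the reply above (certificate-only authentication on the VPN headend, authorization required against ISE, UPN taken from the certificate as the username) corresponds to the ASA tunnel-group settings below, with the ASA pre-fill-username variant from the question shown alongside it as commented-out lines. This is an added example written for this thread, not configuration from the original post or from Cisco's documentation; the server-group name ISE-RADIUS, the ISE address 10.1.1.10, the shared secret, the pool and the tunnel-group name VPN-CERT are placeholders.

```text
! RADIUS server group pointing at ISE (placeholder address and key)
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.1.1.10
 key ChangeMe
 authentication-port 1812
 accounting-port 1813

ip local pool VPN-POOL 192.0.2.100-192.0.2.199

tunnel-group VPN-CERT type remote-access
tunnel-group VPN-CERT general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
 authorization-server-group ISE-RADIUS
 ! Session is refused unless ISE returns an Access-Accept for the extracted username
 authorization-required
tunnel-group VPN-CERT webvpn-attributes
 ! Option A, as in the reply: the certificate alone authenticates the user,
 ! ISE is only consulted for authorization (no password is sent)
 authentication certificate
 ! Use the UPN from the client certificate as the username sent to ISE
 username-from-certificate UPN
 ! Option B, the ASA pre-fill feature from the question: certificate plus AAA.
 ! The UPN is pre-filled into the login prompt, but ISE/AD still expects a password.
 ! authentication aaa certificate
 ! pre-fill-username ssl
```

With option A the username ISE receives is exactly the certificate attribute selected by username-from-certificate, so the ISE authorization policy has to match on that form of the identity (for a UPN, user@domain) when it looks the user up in AD. Option B is the only one of the two that gives ISE a password to check against AD, which is the limitation the reply points out for CAC-only environments.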