Solved: VPN ASA certificate + DUO authentication using ISE?

Djuxt · ‎12-28-2022

Hey guys,

I'm trying to find a way to authenticate users coming from Cisco ASA with certificate and DUO from ISE.

The idea is to follow the steps bellow :

Users connects to ASA VPN with AnyConnect Client.
Device certificate is send to ASA and ASA forward it to ISE.
Once certificate is authenticate by ISE a request is send from ISE to DUO proxy to authenticate the users with Duo push.
Then User valid is Push and He is authenticated to the VPN.

Is it possible to implement this ?

Also is it possible to do only one Radius request by using EAP-TEAP for the step 2 and 3.

I found this community subject :

Solved: VPN certificate auth using ISE? - Cisco Community

But it has been posted 5 years ago so is it outdated ?

Thank for your help !

Rob Ingram · ‎12-28-2022

@Djuxt certificate authentication is between the anyconnect client and the ASA, not ISE.

You could send the Duo authentication via ISE which proxies the request to the Duo authentication proxy, once authenticated via Duo ISE can then authorise the user.

TEAP is used for 802.1X authentication (wired/wireless) not VPN.

View solution in original post

Rob Ingram · ‎12-28-2022

@Djuxt certificate authentication is between the anyconnect client and the ASA, not ISE.

You could send the Duo authentication via ISE which proxies the request to the Duo authentication proxy, once authenticated via Duo ISE can then authorise the user.

TEAP is used for 802.1X authentication (wired/wireless) not VPN.