05-09-2017 05:26 PM
Hey guys, I'm sure I read about this but my Google-fu is letting me down...
Basically, trying to authenticate VPN users using machine certificates (Cisco ASA VPN termination point) using ISE. That way we limit VPN access to machines on the domain. The idea is similar to machine authentication using EAP-TLS, but over VPN.
I know you can't do EAP-TLS over VPN, but how is this achieved with ISE?
Thanks
Darren
06-05-2023 05:42 AM
It is a complex task.
Cisco Secure Client will not use a machine certificate unless you create a client profile allowing machine certificates and place that XML on the client before connecting to the ASA.
You need certificate+AAA combined authentication:
In the RSA-RADIUS AAA group you should define the RSA server, which checks both the AD username/AD password and the token code.
If you need Cisco ISE control (like AD group check), add ISE as an authorization server to the Connection Profile (it must be defined as Authorize-only so that ISE does not check password):
I hope that helps.
06-13-2023 05:20 PM
Thanks @Peter Koltl . I applied AAA+Certificate auth along with the secondary authentication method set to the RSA server, which basically only checks for the token code, with no secondary username configured. ISE is the primary AAA for username and password, integrated with AD, with an authorization profile matching RADIUS class attribute 25 (ASA group policy name). I installed a public certificate with the CN defined as the FQDN of the VPN name users access (bound to the public interface IP of the ASA). I had to enable auto cert selection and set it to not user controllable in Preferences (Part 2) of the XML client profile to avoid the certificate pop-up when the user tries to connect to the profile, and push it ahead of time to the user machine to make it work. Thanks anyway, it's all sorted out. Thanks again for the help.
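The client-profile settings Peter Koltl and metafore describe (machine-certificate store, automatic certificate selection locked so the user gets no pop-up), as an added example profile that is not from the thread or from Cisco; the host name, address and group alias are constructed placeholders, and the element names are as I recall them from the AnyConnect/Secure Client profile schema, so validate against the profile editor or AnyConnectProfile.xsd for your client version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's profile: a minimal Secure Client
     VPN profile that makes the client pick a machine certificate silently.
     vpn.example.com and CertAndAAA are constructed placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Select the certificate automatically. UserControllable="false" hides the
         preference in the client UI, so a user cannot re-enable the prompt. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <!-- Search the machine (LocalMachine) store, not the user's personal store,
         so only domain-joined machines holding a machine cert can connect. -->
    <CertificateStore>Machine</CertificateStore>
    <!-- Let a non-administrator user session use the machine store. -->
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- HostName should match the CN/SAN of the certificate bound to the ASA's
           outside interface, otherwise the client raises an untrusted-server warning. -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <!-- Group alias of the connection profile configured for
           certificate + AAA authentication with ISE as authorize-only. -->
      <UserGroup>CertAndAAA</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because the profile is what tells the client to look in the machine store, it has to be on the endpoint before the first connection (pushed by software deployment or GPO), exactly as metafore found; the ASA can only deliver a profile after a tunnel is already up.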
06-14-2023 12:04 AM
Thanks @metafore for the feedback, best possible news!