24953 Views · 80 Helpful · 17 Replies

VPN certificate auth using ISE?

dazza_johnson
Level 5

Hey guys, I'm sure I read about this but my Google-fu is letting me down....

Basically, trying to authenticate VPN users using machine certificates (Cisco ASA VPN termination point) using ISE. That way we limit VPN access to machines on the domain. The idea is similar to machine authentication using EAP-TLS, but over VPN.

I know you can't do EAP-TLS over VPN, but how is this achieved with ISE?

Thanks

Darren

17 Replies

It is a complex task. 

Cisco Secure Client will not use Machine certificate unless you create a client profile allowing machine certificates and place that XML on the client before connecting to ASA.

You need certificate+AAA combined authentication:

[screenshot: PeterKoltl_0-1685968543910.png]

In RSA-RADIUS AAA group you should define RSA server which checks both AD-username/AD-password and the token code.

If you need Cisco ISE control (like AD group check), add ISE as an authorization server to the Connection Profile (it must be defined as Authorize-only so that ISE does not check password):

[screenshot: PeterKoltl_1-1685968755912.png] [screenshot: PeterKoltl_2-1685968827991.png]

I hope that helps.


Thanks @Peter Koltl. I applied AAA+Certificate auth, with the secondary authentication method set to the RSA server, which basically only checks for the token code, and no secondary username configured. ISE is the primary AAA for username and password, integrated with AD, with an authorization profile matching RADIUS class attribute 25 (ASA group policy name). I installed a public certificate with the CN defined as the FQDN of the VPN name users access (bound to the public interface IP of the ASA). I had to enable auto cert and set it to not user controllable in Preferences (Part 2) of the XML client profile to avoid the certificate pop-up when the user tries to connect to the profile, and push it ahead of time to the user machine to make it work. Thanks anyway, it's all sorted out. Thanks again for the help.
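As an added illustration of the client profile both replies above refer to (the XML that lets Secure Client present a machine certificate, with automatic certificate selection that the user cannot override), here is a minimal profile. It is not the profile from either post; the element names follow the Secure Client/AnyConnect client profile schema, while the issuing CA name, host name and host address are placeholders to be replaced with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile, not from the thread. Placeholders: Corp-Issuing-CA, VPN, vpn.example.com -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Preferences (Part 2): pick the certificate automatically and do not let the user change that,
         so no certificate chooser pops up when the user connects -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>

    <!-- Search the machine store (values: All, Machine, User); without this the client only
         looks at the user's own store and never offers the domain machine certificate -->
    <CertificateStore>Machine</CertificateStore>
    <!-- Allow a non-administrator user session to use the machine certificate -->
    <CertificateStoreOverride>true</CertificateStoreOverride>

    <!-- Restrict which certificate may be offered: client-auth EKU, signature key usage,
         and issued by the enterprise CA. This only narrows the client's choice; the ASA trustpoint
         and certificate map remain the place where trust is actually enforced. -->
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedKeyUsage>ClientAuth</ExtendedKeyUsage>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Corp-Issuing-CA</Pattern>   <!-- placeholder: your issuing CA's CN -->
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <HostName>VPN</HostName>                      <!-- placeholder display name -->
      <HostAddress>vpn.example.com</HostAddress>    <!-- placeholder: FQDN in the ASA's certificate CN -->
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

As the first reply notes, this profile has to be on the client before the first connection (the ASA only pushes it after a successful session), so it is normally deployed with the client installer or by software distribution. The ASA side is a separate matter: the tunnel group's certificate-plus-AAA setting and the trustpoint that validates the machine certificate decide what is accepted, so a profile that offers the right certificate is necessary but not sufficient on its own.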

Thanks @metafore for the feedback, best possible news!