2874 Views · 0 Helpful · 7 Replies

VPN Certificate Authentication Through ISE iPEP

AJ Cruz
Level 3

Is it possible to do certificate/machine authentication for VPN users (ipads, smartphones) with ISE/iPEP?

If I set the ASA to do RADIUS authentication (pointed to the ipep) the user gets a username/password box from AnyConnect. I don't see a way to trigger the AnyConnect client to send a certificate.

7 Replies

nspasov
Cisco Employee

I don't believe so. At the moment there isn't an EAP type VPN that is supported in ISE. The only EAP based VPN is EAP-AnyConnect which is dependent on IKEv2 and not supported by ISE/ACS.

I am by no means a VPN expert so anybody out there feel free to chime in


marioderosa2008
Level 1

Hi,

I am having the same issue too.

I have read the BYOD Cisco Validated design document and it documents a setup where you use the ASA for certificate authentication and then the ISE for authorization...

Only thing is that it does not use an inline posture ISE... instead you have to use the ASA & AnyConnect client to perform all posturing.

Also, in my case, I am using the ISE with the NAC agent for wireless and it is not clear whether it is possible to have the new AnyConnect client and the Cisco NAC agent on the same machine. Or whether the AnyConnect client completely replaces the NAC agent and handles all the wireless stuff as well as VPN...

If anyone can clarify that would be great.

thanks

Mario

I got it working doing certificate authentication on the ASA plus RADIUS which points to the iPEP which points to ISE which points to Active Directory. Works beautifully.

You can have the NAC Agent & AnyConnect on the same machine, that's what we're doing. Word on the street is by the end of this calendar year the NAC agent will be rolled into AnyConnect.
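The setup described in the reply above (certificate validated on the ASA, then RADIUS to the iPEP which fronts ISE) corresponds to ASA "double authentication" on the tunnel group. The configuration below is an added, constructed example and is not from the thread or from Cisco; the server-group name, trustpoint name, tunnel-group name, interface names, the 192.0.2.10 address and the shared secret are placeholders you would replace with your own.

```cisco
! Constructed example: ASA SSL full-client VPN with certificate + RADIUS
! double authentication, RADIUS pointed at the ISE inline posture node (iPEP).
! All names, addresses and the key are placeholders.

! RADIUS server group pointing at the iPEP (not directly at the ISE policy node)
aaa-server ISE-IPEP protocol radius
aaa-server ISE-IPEP (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

! Trustpoint that holds the CA which issued the client/device certificates;
! authenticate it with the CA certificate after entering this block
crypto ca trustpoint CLIENT-CA
 enrollment terminal

! Group policy restricted to the SSL full client (AnyConnect)
group-policy VPN-CERT-GP internal
group-policy VPN-CERT-GP attributes
 vpn-tunnel-protocol ssl-client

! Tunnel group: the client certificate is checked first, then AnyConnect
! prompts for username/password and that credential is sent to ISE over RADIUS
tunnel-group VPN-CERT type remote-access
tunnel-group VPN-CERT general-attributes
 authentication-server-group ISE-IPEP
 default-group-policy VPN-CERT-GP
tunnel-group VPN-CERT webvpn-attributes
 authentication aaa certificate
 group-alias cert-vpn enable

! Enable AnyConnect on the outside interface
webvpn
 enable outside
 anyconnect enable
```

With `authentication aaa certificate` both legs must succeed: a device without a valid certificate from CLIENT-CA is rejected before any RADIUS exchange happens, and a valid certificate alone is not enough, since the RADIUS reply from ISE must also be Access-Accept. This is why the AnyConnect username/password prompt the original poster saw still appears; the certificate check runs silently in front of it. The RADIUS secret should be stored in your secret manager rather than in a shared config file, and the ASA should only be able to reach the iPEP address on the RADIUS ports.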

Thanks very much for your input...

Can I ask...

On the ISE, are you just performing AD authentication? Or have you tried adding another external database for RSA Tokens so that the ISE must match both AD credentials AND RSA Token Credentials before permitting access to the network?

Can I also ask...

Are you performing any posturing / remediation? If so, are you doing this on the ASA with AnyConnect client and Advanced Endpoint licenses or are you doing this on the ISE using the iPEP?

And one last question... hope you don't mind...

Are your VPNs IPSec or SSL?

Thanks very much for your help so far!

Mario

marioderosa2008 wrote:

Thanks very much for your input...

Can I ask...

On the ISE, are you just performing AD authentication? Or have you tried adding another external database for RSA Tokens so that the ISE must match both AD credentials AND RSA Token Credentials before permitting access to the network?

I ended up changing it to RSA authentication successfully. One caveat though is the AnyConnect client doesn't get RSA-specific messages, so the prompt is username & password, but if you put your passcode in the password box it authenticates to RSA successfully. We did certificate + RSA-only authentication but I believe there is a way to tie RSA to AD (suck in the users and if I remember correctly the groups as well, maybe just the users though).

Can I also ask...

Are you performing any posturing / remediation? If so, are you doing this on the ASA with AnyConnect client and Advanced Endpoint licenses or are you doing this on the ISE using the iPEP?

I did enable posture assessment/remediation via ISE with the iPEP. I gotta say after this experience though I would not recommend the iPEP. Cisco is hoping to get CoA in ASA code the 4th quarter of this year which would make the iPEP irrelevant for VPN posture assessment. If you can't wait that long I'd consider doing posture assessment with the ASA.

And one last question... hope you don't mind...

Are your VPNs IPSec or SSL?

SSL full-client

Thanks very much for your help so far!

Mario

Shaoqin Li
Level 3

Currently ASA does not send the RADIUS Calling-Station-Id in RADIUS packets, so it may not be able to do the same device onboarding as BYOD.

