02-14-2013 09:18 AM - edited 03-10-2019 08:05 PM
Is it possible to do certificate/machine authentication for VPN users (ipads, smartphones) with ISE/iPEP?
If I set the ASA to do RADIUS authentication (pointed to the ipep) the user gets a username/password box from AnyConnect. I don't see a way to trigger the AnyConnect client to send a certificate.
02-14-2013 07:18 PM
I don't believe so. At the moment there isn't an EAP-type VPN that is supported in ISE. The only EAP-based VPN is EAP-AnyConnect, which is dependent on IKEv2 and not supported by ISE/ACS.
I am by no means a VPN expert, so anybody out there, feel free to chime in.
Thank you for rating!
02-27-2013 02:15 AM
Hi,
I am having the same issue too.
I have read the BYOD Cisco Validated design document and it documents a setup where you use the ASA for certificate authentication and then the ISE for authorization...
Only thing is that it does not use an inline posture ISE... instead you have to use the ASA & AnyConnect client to perform all posturing.
Also, in my case, I am using the ISE with the NAC agent for wireless and it is not clear whether it is possible to have the new AnyConnect client and the Cisco NAC agent on the same machine. Or whether the AnyConnect client completely replaces the NAC agent and handles all the wireless stuff as well as VPN...
If anyone can clarify that would be great.
thanks
Mario
02-27-2013 07:14 AM
I got it working doing certificate authentication on the ASA plus RADIUS which points to the iPEP which points to ISE which points to Active Directory. Works beautifully.
You can have the NAC Agent & AnyConnect on the same machine, that's what we're doing. Word on the street is by the end of this calendar year the NAC agent will be rolled into AnyConnect.
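An added illustration (not from any poster, and not a Cisco-published configuration) of the ASA side of the setup described above: a tunnel group that requires both a client certificate and RADIUS credentials, with the RADIUS server group pointed at the iPEP node, which in turn forwards to ISE. The server address, shared secret, trustpoint, group-policy and tunnel-group names are placeholders.

```cisco
! Constructed example of an ASA (8.4-style syntax) AnyConnect SSL VPN
! tunnel group that needs BOTH a valid client certificate AND RADIUS
! credentials. The RADIUS server is the ISE inline posture node (iPEP),
! which relays to ISE (and from there to AD or RSA). All names and
! addresses below are placeholders.

! RADIUS server group pointed at the iPEP
aaa-server ISE-IPEP protocol radius
aaa-server ISE-IPEP (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

! Trustpoint holding the CA that issued the client certificates
crypto ca trustpoint CLIENT-CA
 enrollment terminal

! AnyConnect enabled on the outside interface
webvpn
 enable outside
 anyconnect enable

group-policy GP-CERT-VPN internal
group-policy GP-CERT-VPN attributes
 vpn-tunnel-protocol ssl-client

tunnel-group TG-CERT-VPN type remote-access
tunnel-group TG-CERT-VPN general-attributes
 authentication-server-group ISE-IPEP
 accounting-server-group ISE-IPEP
 default-group-policy GP-CERT-VPN
tunnel-group TG-CERT-VPN webvpn-attributes
 ! "aaa certificate" = RADIUS username/password AND a client certificate.
 ! "certificate" alone would skip the RADIUS prompt; "aaa" alone would
 ! skip the certificate check, so neither gives two factors.
 ! If ISE fronts RSA, the user types the passcode in the password box.
 authentication aaa certificate
 group-alias CERT-VPN enable
```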
03-14-2013 03:06 AM
Thanks very much for your input...
Can I ask...
On the ISE, are you just performing AD authentication? Or have you tried adding another external database for RSA Tokens so that the ISE must match both AD credentials AND RSA Token Credentials before permitting access to the network?
Can I also ask...
Are you performing any posturing / remediation? If so, are you doing this on the ASA with the AnyConnect client and Advanced Endpoint licenses, or are you doing this on the ISE using the iPEP?
And one last question... hope you don't mind...
Are your VPNs IPSec or SSL?
Thanks very much for your help so far!
Mario
03-14-2013 08:58 AM
marioderosa2008 wrote:
Thanks very much for your input...
Can I ask...
On the ISE, are you just performing AD authentication? Or have you tried adding another external database for RSA Tokens so that the ISE must match both AD credentials AND RSA Token Credentials before permitting access to the network?
I ended up changing it to RSA authentication successfully. One caveat though: the AnyConnect client doesn't get RSA-specific messages, so the prompt is username & password, but if you put your passcode in the password box it authenticates to RSA successfully. We did certificate + RSA-only authentication, but I believe there is a way to tie RSA to AD (suck in the users and, if I remember correctly, the groups as well, maybe just the users though).
Can I also ask...
Are you performing any posturing / remediation? If so, are you doing this on the ASA with the AnyConnect client and Advanced Endpoint licenses, or are you doing this on the ISE using the iPEP?
I did enable posture assessment/remediation via ISE with the iPEP. I gotta say after this experience though I would not recommend the iPEP. Cisco is hoping to get CoA in ASA code the 4th quarter of this year which would make the iPEP irrelevant for VPN posture assessment. If you can't wait that long I'd consider doing posture assessment with the ASA.
And one last question... hope you don't mind...
Are your VPNs IPSec or SSL?
SSL full-client
Thanks very much for your help so far!
Mario
07-18-2013 05:33 AM
Kindly review the below link:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml
07-18-2013 08:43 AM
Currently the ASA does not send the RADIUS Calling-Station-Id in RADIUS packets, so it may not be able to do the same device onboarding as BYOD.