AnyConnect 4.0 Integration with ISE Version 1.3. Certificate

dgolovach · ‎05-07-2015

Hi all!

Is it possible to configure ISE 1.3 for provisioning AnyConnect 4.0 and pushing certificate (as by using native supplicant)? So, after that, AnyConnect will be able to use EAP-TLS and cert for network access.

It will be great, if it is possible with disabled VPN Module

Thank you

Marvin Rhoads · ‎05-07-2015

Yes. This is a relatively commonly implemented use case.

dgolovach · ‎05-15-2015

Thank you for your reply.

Where can I read about how to do this?

I can provision AnyConnect with client EAP-TLS authe and it works if there is existing certificate at client PC. If there is no certificate, NAM is not provisioning it to the client.

Thank you

Marvin Rhoads · ‎05-15-2015

Please have a look at the two How To: BYOD... documents on the ISE Design Guides page.

Specifically, note around page 34 and onward in the 2nd document where they talk about setting up the Simple Certificate Enrollment Protocol (SCEP) profile and server.

dgolovach · ‎05-22-2015

Marvin,

yes, I'm aware of SCEP configuration in ISE, and it works fine with NSP. If using NSP, it will talk to ISE and provision certificate for the Windows client just fine. What I'm wondering is how to make it work without NSP, аnd with CPP for Anyconnect. When client connects with CPP portal and gets Anyconnect with NAM install, there are no options in XML profile for NAM to do SCEP provisioning. I'm trying to understand how to get certificate to the client in this situation.

Thanks!