
AnyConnect 4.0 Integration with ISE Version 1.3. Certificate

dgolovach
Level 1

Hi all!

Is it possible to configure ISE 1.3 to provision AnyConnect 4.0 and push a certificate (as when using the native supplicant)? After that, AnyConnect would be able to use EAP-TLS and the certificate for network access.

It would be great if this is possible with the VPN module disabled.

 

Thank you

4 Replies

Marvin Rhoads
Hall of Fame

Yes. This is a relatively commonly implemented use case.

Thank you for your reply.

Where can I read about how to do this?

I can provision AnyConnect with client EAP-TLS authentication, and it works if there is an existing certificate on the client PC. If there is no certificate, NAM is not provisioning it to the client.

 

Thank you

Please have a look at the two How To: BYOD... documents on the ISE Design Guides page.

Specifically, note around page 34 and onward in the 2nd document where they talk about setting up the Simple Certificate Enrollment Protocol (SCEP) profile and server.

Marvin,

Yes, I'm aware of the SCEP configuration in ISE, and it works fine with NSP. If using NSP, it will talk to ISE and provision a certificate for the Windows client just fine. What I'm wondering is how to make it work without NSP, and with CPP for AnyConnect. When the client connects with the CPP portal and gets the AnyConnect with NAM install, there are no options in the XML profile for NAM to do SCEP provisioning. I'm trying to understand how to get a certificate to the client in this situation.

Thanks!
