05-07-2015 02:57 PM - edited 02-21-2020 05:28 AM
Hi all!
Is it possible to configure ISE 1.3 for provisioning AnyConnect 4.0 and pushing a certificate (as when using the native supplicant)? So, after that, AnyConnect will be able to use EAP-TLS and the cert for network access.
It would be great if this is possible with the VPN module disabled.
Thank you
05-07-2015 08:49 PM
Yes. This is a relatively commonly implemented use case.
05-15-2015 08:03 AM
Thank you for your reply.
Where can I read about how to do this?
I can provision AnyConnect with client EAP-TLS authentication, and it works if there is an existing certificate on the client PC. If there is no certificate, NAM is not provisioning it to the client.
Thank you
05-15-2015 10:13 AM
Please have a look at the two How To: BYOD... documents on the ISE Design Guides page.
Specifically, note around page 34 and onward in the 2nd document where they talk about setting up the Simple Certificate Enrollment Protocol (SCEP) profile and server.
05-22-2015 01:56 PM
Marvin,
Yes, I'm aware of the SCEP configuration in ISE, and it works fine with NSP. If using NSP, it will talk to ISE and provision a certificate for the Windows client just fine. What I'm wondering is how to make it work without NSP, and with CPP for AnyConnect. When the client connects with the CPP portal and gets AnyConnect with the NAM install, there are no options in the XML profile for NAM to do SCEP provisioning. I'm trying to understand how to get a certificate to the client in this situation.
Thanks!