06-29-2021 12:40 AM
Hi Experts!
Please help me out on the following requirement. Thanks in advance!
BACKGROUND
We have some third-party contractors that remote-VPN via AnyConnect on our 5525-X firewall. They are NOT part of our Active Directory. We are deploying ISE in our environment & will be using it for authentication & authorization.
QUERY
These NON-Active Directory contractors can AnyConnect via any device or any machine they want. We need to limit them & allow only specific machines. Is there any way we could insert a certificate or something on their machine so that we only authorize those machines?
Any ideas will be appreciated.
06-29-2021 12:48 AM
You could generate a computer certificate and give them the certificate to install into their computer certificate store. When they connect to the ASA, the ASA (not ISE) would authenticate the users only with a valid certificate + if using username/password as well, ISE would authenticate those credentials (just not the certificate).
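An added configuration sketch of the setup described in the reply above (not part of the original post and not taken from the poster's firewall): the ASA validates the client certificate against a trustpoint, and ISE checks the username/password over RADIUS. The names `CONTRACTOR-CA`, `ISE` and `CONTRACTORS`, the interface `inside`, the address `192.0.2.10` and the key are placeholders chosen for illustration.

```cisco
! Constructed example: every name, address and key below is a placeholder.
!
! Trustpoint for the CA that issued the contractor machine certificates.
! The CA certificate itself is imported afterwards with:
!   crypto ca authenticate CONTRACTOR-CA
crypto ca trustpoint CONTRACTOR-CA
 enrollment terminal
 revocation-check crl
!
! ISE as the RADIUS server that checks the username/password.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>
!
! Connection profile used by the contractors.
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 authentication-server-group ISE
!
! Require both factors: a certificate validated by the ASA itself
! and AAA credentials that the ASA forwards to ISE.
tunnel-group CONTRACTORS webvpn-attributes
 authentication aaa certificate
 group-alias CONTRACTORS enable
```

For AnyConnect to present a certificate from the computer store, the client profile's certificate store setting has to include the machine store.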
06-29-2021 12:55 AM
Hi Rob! Thanks for the quick reply.
If I have 50 computers, then can the same computer certificate be installed on all of them?
If so, then the contractor can easily install that certificate on another device & log in from there, right?