Does ASA5506 support EAP-TLS for IKEv2 remote-access?

train_wreck (Level 1)

I have an ASA5506 configured as an IKEv2 remote access VPN using certificate authentication, and am trying to work around the horrendously broken IKEv2 client on an iPhone 8. At the moment, it only supports using certificates with EAP-TLS; plain cert auth is broken, and has been for quite some time (Apple seems not to care). So, in order to use the IKEv2 client on the iPhone, your VPN server must support EAP-TLS. I have set up many Linux-based Strongswan servers that support this no problem, but I am having trouble finding out how to do this on an ASA. I am using CLI to configure, not Defense Center.

Is this supported? I hope so, as I would really not like to have to set up an entire EAP/RADIUS server just to handle this one stupid device.

5 Replies

It is supported, but you need a NAC (for example ISE) to authenticate EAP-TLS.

Here is an example with PEAP:

https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html

Can FirePOWER Defense Center provide these services? Or can they be provided via an external RADIUS server (Windows NPS, etc.)?

I do not have an ISE, and don't particularly want to invest that much in one.

You need an external server. FMC doesn't provide that. You can use NPS to service this. I know ISE will integrate seamlessly; I didn't try NPS.
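
As an added illustration (not from any poster in this thread and not Cisco's own sample), this is the delta on an ASA that already has a working certificate-authenticated IKEv2 remote-access tunnel-group: add a RADIUS server group and switch the tunnel-group's remote authentication to EAP. The ASA only relays EAP messages over RADIUS, so whether the method negotiated is EAP-TLS or PEAP is decided by the NPS/ISE policy and the client, not by anything on the ASA. Server-group name, tunnel-group name, pool, group policy, trustpoint, address and shared secret are placeholders.

```cisco
! RADIUS group the ASA forwards the client's EAP exchange to.
! 192.0.2.10 is a constructed documentation-range address; NPS or ISE lives here.
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! IKEv2 must already be enabled on the outside interface (unchanged from the
! existing certificate-auth deployment).
crypto ikev2 enable outside client-services port 443
!
tunnel-group IKEV2-RA type remote-access
tunnel-group IKEV2-RA general-attributes
 address-pool VPN-POOL
 ! Hand user authentication to the RADIUS group instead of LOCAL.
 authentication-server-group NPS-RADIUS
 default-group-policy GP-IKEV2
tunnel-group IKEV2-RA ipsec-attributes
 ! The ASA still proves its own identity with its certificate; the client
 ! must trust the CA that issued this trustpoint's certificate.
 ikev2 local-authentication certificate ASA-ID-TRUSTPOINT
 ! Authenticate the peer with EAP. query-identity makes the ASA send an
 ! EAP Identity request so the client's EAP-TLS identity reaches RADIUS.
 ikev2 remote-authentication eap query-identity
```

Because the client certificate is now validated by the RADIUS server rather than the ASA, the CA that issued the iPhone's certificate must be trusted on NPS/ISE, and the RADIUS server's own EAP server certificate must be trusted by the phone.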

Thank you!
