Anyconnect clients establish VPN tunnels to an ASA and are authenticated using an OTP server and AD (primary and secondary configuration under the connection profile). For AD, the ASA sends the authentication request to ISE which is integrated with AD. Clients are associated to different group-policies depending on which AD group they belong to.
We would like to add machine authentication to this, is is possible to additionally check that the client machine is also present and active in AD?
Solved! Go to Solution.
Thanks for your reply Rahul.
We had already tested the ASA posture / registry key option which worked fine.
My customer asked the question, so I just wanted to make sure I wasn't missing an option that could be used.
Hi @Rahul Govindan, i tried to search over the internet about VPN 802.1x for machine certificate authentication then I saw this post. Can you provide me a link that tells that 802.1x VPN with machine certificate authentication is unsupported? thanks
@fatalXerror: VPN does not use 802.1x. The machine credentials I was referring to was the credentials the machine uses for 802.1x prior to user login (created when machine joins the domain). You can definitely do client certificate authentication using machine certs with the ASA and AnyConnect VPN client.