AnyConnect VPN using Smart Card and ISE

bengood22
Level 1

I'm preparing for a potential smart card requirement for VPN access and I'm struggling to figure out how it should work.

Currently I have the ASAs sending RADIUS to ISE, which then authenticates against RSA SecurID. ISE is there for the compliance aspect to ensure patches are applied, etc. before the VPN client can connect.

Can smart card be used in this type of scenario? I don't understand what the traffic flow would then be. I know ASA can do smart card authentication and then use LDAP to validate Active Directory group memberships and such, but I'm not sure how this works with ISE in play. Can the ASA still send RADIUS to ISE and ISE use Active Directory as the external identity source? Will that even work with certificates?

Assuming this can work with ISE querying Active Directory, do I have to set it as an Active Directory type, or can it use simple LDAP?
