The purpose of this document is to demonstrate how ISE authenticates and authorizes a user who logs in to a system with either a smart card (PIN + certificate) or a password. It describes the components used for this setup, the ISE configuration, and the settings in the Cisco AnyConnect configuration.xml.
The flow includes these steps:
- Domain users who are members of an AD group log in to a domain machine with a username and password. Authentication uses EAP-FAST with MSCHAPv2, and ISE validates the credentials against AD.
- Domain users who are members of an AD group log in to a domain machine with a smart card PIN. Authentication uses EAP-FAST with EAP-TLS, and the PIN and certificate are validated as a two-factor mechanism.
- Users have a customized configuration.xml file that contains two profiles, one for password authentication and one for smart card authentication.
- ISE is configured with the allowed protocols, an identity source sequence (certificate and AD), and the authentication and authorization policies.
Components Used:
- Cisco ISE 2.7
- NAD (Network Access Device): Cisco 3850 switch
- Cisco AnyConnect NAM 4.9
- Certificate Authority (CA)
- Active Directory
- Endpoint: Microsoft Windows 10
- Gemalto 2FA
Refer to the attached document for more information.