cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

ISE as RADIUS server for Password + Smart Card Authentication using Cisco AnyConnect NAM

1583
Views
15
Helpful
1
Comments
deepuvarghese1
Beginner

The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of ISE, settings of Cisco Any Connect configuration.xml.

 

The flow includes these steps:

  • Domain users which is a part of AD group login to a domain machine with username and password. The protocols that supports authentication is EAP-FAST and MSCHAP-V2. ISE will validate the credentials against AD.
  • Domain users which is a part of AD group login to a domain machine with smart card PIN. The protocols that supports authentication is EAP-FAST and EAP-TLS. PIN and certificate will be validated against two factor mechanism.
  • Users will have a customized configuration.xml file which contains 2 profile that supports both password and smartcard authentication.
  • ISE to be configured with protocols, identity source sequence (certificate and AD), authentication / authorization policies.

Components Used:

  • Cisco ISE 2.7
  • NAD - Cisco 3850 switch
  • Cisco Any Connect NAM 4.9
  • Certificate Authority (CA)
  • Active Directory
  • Endpoint: Microsoft Windows 10
  • Gemalto 2FA

Refer the attached document for more information.

1 Comment
Create
Recognize Your Peers
Content for Community-Ad