The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of ISE, settings of Cisco Any Connect configuration.xml.
The flow includes these steps:
Domain users which is a part of AD group login to a domain machine with username and password. The protocols that supports authentication is EAP-FAST and MSCHAP-V2. ISE will validate the credentials against AD.
Domain users which is a part of AD group login to a domain machine with smart card PIN. The protocols that supports authentication is EAP-FAST and EAP-TLS. PIN and certificate will be validated against two factor mechanism.
Users will have a customized configuration.xml file which contains 2 profile that supports both password and smartcard authentication.
ISE to be configured with protocols, identity source sequence (certificate and AD), authentication / authorization policies.