ISE as RADIUS server for Password + Smart Card Authentication using Cisco AnyConnect NAM

deepuvarghese1
Beginner

The purpose of this document is to demonstrate how ISE authenticates and authorizes a user who logs in to their system with either a smart card (PIN + certificate) or a password. This document describes the components used for this setup, the configuration of ISE, and the settings in the Cisco AnyConnect NAM configuration.xml.

The flow includes these steps:

  • Domain users who are members of an AD group log in to a domain machine with username and password. The protocols that support this authentication are EAP-FAST and MSCHAPv2. ISE validates the credentials against AD.
  • Domain users who are members of an AD group log in to a domain machine with a smart card PIN. The protocols that support this authentication are EAP-FAST and EAP-TLS. The PIN and certificate are validated through the two-factor mechanism.
  • Users have a customized configuration.xml file that contains two profiles, supporting both password and smart card authentication.
  • ISE is configured with the allowed protocols, an identity source sequence (certificate and AD), and authentication / authorization policies.
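The following is an added example, written for this page, that models the decision flow in the four steps above; it is not ISE's policy engine or AnyConnect NAM's configuration. The AD accounts, certificate serials, CRL entry, group name and the simplified password check are constructed assumptions (a real MSCHAPv2 exchange verifies an NT hash against AD rather than comparing a cleartext password). It shows how the allowed-protocols check, the certificate-then-AD identity source sequence, and the AD-group authorization rule chain together, and which requests each stage rejects.

```python
"""Simplified model of the ISE flow described above (example code for this
page, not Cisco's). Names and sample data are constructed assumptions."""

from dataclasses import dataclass
from typing import Optional

# Constructed AD: sAMAccountName -> (password, AD groups)
AD_USERS = {
    "alice": ("correct horse battery staple", {"Domain Users", "NAM-Users"}),
    "bob": ("sample-password", {"Domain Users"}),
}

# Constructed CA issuance record: certificate serial -> account the certificate
# identifies (ISE would normally take this from a certificate attribute such as
# the UPN or CN via the certificate authentication profile).
CA_ISSUED = {"1001": "alice", "1002": "bob"}
CA_REVOKED = {"1002"}  # constructed CRL entry

ALLOWED_OUTER = {"EAP-FAST"}               # tunnel method permitted by the allowed-protocols list
ALLOWED_INNER = {"MSCHAPv2", "EAP-TLS"}    # inner methods permitted inside EAP-FAST
REQUIRED_GROUP = "NAM-Users"               # AD group matched by the authorization rule (assumed)


@dataclass
class Request:
    outer: str                         # tunnel method presented by NAM
    inner: str                         # "MSCHAPv2" (password profile) or "EAP-TLS" (smart card profile)
    username: Optional[str] = None     # password profile only
    password: Optional[str] = None     # password profile only
    cert_serial: Optional[str] = None  # smart card profile only


def authenticate(req):
    """Identity source sequence: certificate first, then AD.
    Returns the authenticated account name, or None on failure."""
    # Allowed-protocols check runs before any identity store is consulted.
    if req.outer not in ALLOWED_OUTER or req.inner not in ALLOWED_INNER:
        return None
    if req.inner == "EAP-TLS":
        # Smart card: the PIN already unlocked the private key on the card;
        # ISE only sees the certificate and checks issuance and revocation.
        if req.cert_serial in CA_REVOKED:
            return None
        return CA_ISSUED.get(req.cert_serial)
    # Password: MSCHAPv2 inside EAP-FAST, validated against AD.
    entry = AD_USERS.get(req.username)
    if entry is not None and entry[0] == req.password:
        return req.username
    return None


def authorize(user):
    """Authorization rule: the authenticated account must be in REQUIRED_GROUP."""
    if user is None:
        return "REJECT"
    _, groups = AD_USERS.get(user, (None, set()))
    return "PERMIT" if REQUIRED_GROUP in groups else "REJECT"


def decide(req):
    """End-to-end result of the authentication and authorization policies."""
    return authorize(authenticate(req))


if __name__ == "__main__":
    samples = [
        Request("EAP-FAST", "MSCHAPv2", username="alice", password="correct horse battery staple"),
        Request("EAP-FAST", "EAP-TLS", cert_serial="1001"),
        Request("EAP-FAST", "EAP-TLS", cert_serial="1002"),   # revoked certificate
        Request("PEAP", "MSCHAPv2", username="alice", password="correct horse battery staple"),
        Request("EAP-FAST", "MSCHAPv2", username="bob", password="sample-password"),  # not in group
    ]
    for s in samples:
        print(s.outer, s.inner, s.username or s.cert_serial, "->", decide(s))
```

Note that the group check rejects bob even though his password is correct: authentication succeeding is not the same as authorization succeeding, and a revoked smart card certificate fails in the certificate stage before AD is ever consulted.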

Components Used:

  • Cisco ISE 2.7
  • NAD - Cisco 3850 switch
  • Cisco AnyConnect NAM 4.9
  • Certificate Authority (CA)
  • Active Directory
  • Endpoint: Microsoft Windows 10
  • Gemalto 2FA

Refer to the attached document for more information.

1 Comment
NiTech
Beginner

This is truly above and beyond and so great; I think others could benefit from learning about it.

One of the best secured EAP Chaining methodologies, and it will support both certificate and AD authentication. We have implemented it in one of the deployments, which has 10000 machines, and it works seamlessly.
