deepuvarghese1

The purpose of this document is to demonstrate how ISE authenticates and authorizes a user who logs in to a domain machine either with a smart card (PIN + certificate) or with a password. It describes the components used for this setup, the ISE configuration, and the settings in the Cisco AnyConnect NAM configuration.xml.

 

The flow includes these steps:

  • Domain users who are members of an AD group log in to a domain machine with username and password. The authentication protocol is EAP-FAST with MSCHAPv2 as the inner method; ISE validates the credentials against AD.
  • Domain users who are members of an AD group log in to a domain machine with the smart card PIN. The authentication protocol is EAP-FAST with EAP-TLS as the inner method; the PIN is verified by the smart card to unlock its private key, and ISE validates the certificate on the card, giving two-factor authentication (something you have, something you know).
  • Users have a customized configuration.xml file that contains two profiles, one for password authentication and one for smart card authentication.
  • ISE is configured with the allowed protocols, an identity source sequence (certificate authentication profile and AD), and authentication / authorization policies.

Components Used:

  • Cisco ISE 2.7
  • NAD - Cisco 3850 switch
  • Cisco AnyConnect NAM 4.9
  • Certificate Authority (CA)
  • Active Directory
  • Endpoint: Microsoft Windows 10
  • Gemalto 2FA

Refer to the attached document for more information.

1 Comment
NiTech

This is truly above and beyond and so great; I think others could benefit from learning about it.

One of the best secured EAP Chaining methodologies, and it will support both certificate and AD authentication. We have implemented it in one deployment which has 10000 machines and it works seamlessly.
