paul1202
Level 1

Hi All,

 

A customer wants to authenticate AnyConnect VPN users from an ASA using the client-installed certificate and then with AD (i.e., is this a corporate device?).

Would we recommend authenticating the cert on the ASA and then passing the AD check to ISE, or can we do both on ISE? Which is the preferred option?

The ASA is running 9.2.1 so I believe there is no requirement for an IPN as the ASA can do the CoA.

Any configuration guidelines would be appreciated.

If in the future they want to perform posturing on the Clients, would this affect the recommended solution above?

 

Regards,

 

Paul.

Comments
bern81
Level 1

Hi Paul,

Authenticate the Cert on ASA and username against ISE connected to AD.

In any case, you can NOT perform VPN cert authentication on ISE (it works only for 802.1X authentications).

One good hint is to perform certificate-to-tunnel-group mapping on the ASA; then in ISE you can build a condition on the tunnel-group name in the condition studio using the following attribute:

Cisco-VPN3000·CVPN3000/ASA/PIX7x-Tunnel-Group-Name

This way you can classify your VPN users and give them a different DACL depending on which tunnel group they belong to.

 

Please rate if helpful
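The recommendation above (cert validated on the ASA, username/AD via ISE, tunnel group selected from the certificate, DACL chosen in ISE from the tunnel-group name) written out as ASA 9.2(1) CLI. This is an added example, not bern81's configuration or a Cisco reference config; the names (CORP-CA, CORP-DEVICE, TG-CORP, GP-CORP, ISE), addresses, shared secret, AnyConnect package name and the DN attributes matched in the certificate map are all assumptions and must be replaced with the customer's values.

```cisco
! Added example (not from the thread). Names, IPs, secret and DN values are assumptions.

! 1. Trust the corporate issuing CA that signs the client certificates.
!    Import the CA cert afterwards with: crypto ca authenticate CORP-CA
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl

! 2. Classify the client certificate. A cert from the corporate CA matches
!    rule 10; anything else falls through to the default tunnel group.
crypto ca certificate map CORP-DEVICE 10
 issuer-name attr cn eq Corp Issuing CA
 subject-name attr o eq Example Corp

! 3. ISE as RADIUS server. dynamic-authorization lets ISE send CoA straight
!    to the ASA (no Inline Posture Node needed on 9.2.1); periodic interim
!    accounting keeps the session visible in ISE for posture later.
aaa-server ISE protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.0.0.10
 key ISE-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

group-policy GP-CORP internal
group-policy GP-CORP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.53

! 4. Corporate tunnel group: the ASA validates the certificate against
!    CORP-CA, then the user's AD credentials go to ISE over RADIUS.
tunnel-group TG-CORP type remote-access
tunnel-group TG-CORP general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-CORP
tunnel-group TG-CORP webvpn-attributes
 authentication aaa certificate

! 5. Bind the certificate map to the tunnel group for AnyConnect SSL sessions.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 certificate-group-map CORP-DEVICE 10 TG-CORP

! 6. ISE side (GUI, not CLI): authorization rule with the condition
!    Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS TG-CORP
!    that returns an authorization profile carrying the corporate DACL.
!    The ASA includes Tunnel-Group-Name (VSA 146) in its Access-Request.

! Verification:
!   show vpn-sessiondb anyconnect      (check the Tunnel Group of a session)
!   show aaa-server ISE                (server state)
!   test aaa-server authentication ISE host 10.0.0.10 username jdoe password ****
```

Two points worth checking when deploying this. The certificate map only selects the tunnel group; trust still comes from the trustpoint, so anchor the map on the issuer of the corporate CA rather than on subject fields alone, and keep revocation checking on. And because a client presenting a non-matching (or no) certificate lands in DefaultWEBVPNGroup, make sure that group's policy does not hand out the corporate address pool or a permissive DACL.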
