ISE ASA VPN Authentication

722
Views
0
Helpful
2
Comments

Hi All,

A customer wants to authenticate Anyconnect VPN users from an ASA using the client installed certificate and then with AD. i.e. Is this a corporate device?

Would we recommend authenticating the cert on the ASA then passing the AD check to ISE or can we do both on the ISE which is the preferred option?

The ASA is running 9.2.1 so I believe there is no requirement for an IPN as the ASA can do the CoA.

Any configuration guidelines would be appreciated.

If in the future they want to perform posturing on the Clients, would this affect the recommended solution above?

Regards,

Paul.

Comments
Beginner

Hi Paul,

Authenticate the Cert on ASA and username against ISE connected to AD.

In any case you can NOT perform VPN Cert authentication on ISE (Works only for 802.1X Authentications).

One good hint is to perform Certificate to Tunnel-Group mapping on the ASA then in ISE you can perform a condition depending on the tunnel-Group name using the following condition studio:

Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name

Like this you can classify your VPN users and give a different DACL depending on which Tunnel-Group they belong to.

Please rate if helpful
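The ASA side of the design described in the answer above (certificate checked by the ASA, certificate fields mapped to a tunnel-group, username/password sent to ISE over RADIUS with CoA enabled), as an added configuration example that is not part of the original thread. Every name and value in it is an assumption: the certificate-map and tunnel-group names, the issuing-CA CN and OU strings, the ISE address 192.0.2.10 and the group policy are placeholders to be replaced with the customer's own.

```cisco
! Match corporate machine certificates: issuer CN and subject OU are assumed values
crypto ca certificate map CORP_CERT_MAP 10
 issuer-name attr cn eq Corp-Issuing-CA
 subject-name attr ou eq Corporate
!
! Map certificates that match CORP_CERT_MAP onto the CORP tunnel-group
! (the ASA then sends that tunnel-group name to ISE in the RADIUS request)
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CORP_CERT_MAP 10 CORP_TG
!
! ISE as RADIUS server; dynamic-authorization lets ISE send CoA directly
! to the ASA (9.2(1) and later), so no Inline Posture Node is required
aaa-server ISE protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 accounting-port 1813
!
! Tunnel-group reached via the certificate map: the ASA validates the
! certificate itself, then asks ISE for the AD username/password check
tunnel-group CORP_TG type remote-access
tunnel-group CORP_TG general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy CORP_GP
tunnel-group CORP_TG webvpn-attributes
 authentication aaa certificate
 group-alias Corporate enable
```

With this in place the ISE authorization policy can match Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS CORP_TG and return the DACL for corporate devices, as the answer describes.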