yauda

Introduction

The aim of this article is to show how to use Cisco ISE as the RADIUS authentication server for Microsoft AOVPN.

What is AOVPN?

Microsoft Always On VPN (AOVPN) is a modern, native Windows 10/11 remote access solution that provides automatic, persistent, and secure connectivity for enterprise users. It replaces DirectAccess, supporting both domain-joined and non-domain-joined devices via IKEv2 or SSTP, with features like pre-logon device tunnels and split tunneling for optimized performance.


The two core components of an Always On VPN infrastructure are:

1- VPN servers, such as Microsoft Routing and Remote Access Service (RRAS), used as the VPN gateway that terminates VPN connections from clients on the internet.

Note: The VPN client used is the native one, that is, the VPN client software built into Windows.

2- Authentication servers: RADIUS servers, such as Microsoft Network Policy Server (NPS), that authenticate the VPN clients connecting to the VPN server.


Picture1.png

In the figure above we can see an environment where two RRAS (VPN) servers act as VPN gateways: they receive VPN connection requests and pass them to the NPS (authentication) servers, where authentication happens and users are checked against Active Directory groups.

Background Information

In this scenario we need to use Cisco ISE PSNs instead of the Microsoft NPS servers.
We assume we have two RRAS servers.

We are also assuming all VPN users exist in an Active Directory group called “Windows 10 -11 - Always On Users”.
Screenshot 2026-05-26 155945.png

Prerequisites

Knowledge of Cisco ISE Network Access and Microsoft AOVPN


Components Used

ISE 3.2 Patch 9

ISE Configuration as AOVPN Authentication Server

1- Create a Network Device Group for the RRAS servers called “AOVPN_RRAS”, which belongs to the parent group “Device Model”.
Picture2.png

2- Add the two RRAS servers as Network Access Devices (NADs).

Picture3.png
Picture4.png

We added a unique RADIUS shared secret for the RRAS servers (you can ask the network team for it); the same secret must be configured on the RRAS side, otherwise ISE will drop the requests.

We do the same as above for the second RRAS server, S02D-AOVPN03.
Picture5.png

3- Retrieve the AD user groups used for AOVPN users.
We have four groups that must be retrieved:

  • Windows 10 -11 - Always On Users

Navigate to Administration > Identity Management > External Identity Sources > Active Directory, click your join point, go to the Groups tab, and click Add > Select Groups from Directory.


4- Create a Certificate Authentication Profile called “AOVPN_CAP” that uses the identity store “MY_AD”, which is our AD join point name, and uses “Subject Alternative Name” as the certificate attribute.


5- Create an Identity Source Sequence called “AOVPN_ISS” which uses the Certificate Authentication Profile “AOVPN_CAP” and uses “MY_AD” for authentication.


6- Create a Policy Set for AOVPN connections called “AOVPN” with a compound condition that captures requests coming from any NAD with Device Model “AOVPN_RRAS” and a RADIUS NAS-Port-Type of Virtual.

We use our Allowed Protocols list MAB_EAP_TLS-FAST.

Note: The RADIUS attribute NAS-Port-Type (Attribute 61) with the value Virtual (5) indicates that a session is established over a non-physical, logical interface, commonly used for VPNs, tunneling, or virtualized services.

Screenshot 2026-05-26 155505.png

Note: Make sure this policy set is moved to the top of your policy sets, because policy sets are evaluated top-down and the first match wins.


7- Create an Authentication Rule called “AOVPN_AuthC_Rule” with a condition that captures requests coming from any NAD with Device Model “AOVPN_RRAS”, and use our Identity Source Sequence “AOVPN_ISS” for authentication.

Screenshot 2026-05-26 155639.png


8- Create an Authorization Rule called “AOVPN_AuthZ_Rule”

Screenshot 2026-05-26 160444.png

The logic behind this rule is as follows:

• EAP-TLS means the authentication method must be certificate-based (EAP-TLS).
• Radius-Framed-Protocol = PPP means the session is using PPP (common for VPN).
• Radius-Service-Type = Framed: RADIUS Service-Type = Framed (value 2) indicates that the user should be granted access to the network via a framed protocol, such as PPP or SLIP. It is commonly used to designate a network-access session, often one established via 802.1X.
• Certificate is not expired → CERTIFICATE: Is Expired = false
• User must be a member of one of the following AD groups:
  • Windows 10 -11 - Always On Users
• The certificate used by the user or computer must be issued by mycompany-ca01

All of the above applies only to valid certificate-based VPN connections (EAP-TLS over PPP).
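To make the policy logic of steps 6 to 8 concrete, here is an added Python model of how ISE walks this configuration: the policy-set condition first, then each condition of AOVPN_AuthZ_Rule, reporting which ones fail. It is not ISE code or any ISE API; the Request class and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field

# RADIUS attribute values behind the article's conditions (RFC 2865 numbering).
NAS_PORT_TYPE_VIRTUAL = 5   # NAS-Port-Type (61) = Virtual
SERVICE_TYPE_FRAMED = 2     # Service-Type (6) = Framed
FRAMED_PROTOCOL_PPP = 1     # Framed-Protocol (7) = PPP
# Names taken from the article (the CA name is the article's own example value).
AOVPN_DEVICE_MODEL = "AOVPN_RRAS"
AOVPN_AD_GROUP = "Windows 10 -11 - Always On Users"
AOVPN_CA = "mycompany-ca01"

@dataclass
class Request:
    """What ISE sees for one Access-Request (hypothetical model, not an ISE API)."""
    device_model: str      # Network Device Group (Device Model) of the NAD
    nas_port_type: int     # RADIUS attribute 61
    service_type: int      # RADIUS attribute 6
    framed_protocol: int   # RADIUS attribute 7
    eap_method: str        # negotiated EAP method, e.g. "EAP-TLS"
    cert_expired: bool     # CERTIFICATE: Is Expired
    cert_issuer: str       # issuer of the client certificate
    ad_groups: set = field(default_factory=set)  # AD groups of the user/computer

def policy_set_matches(r: Request) -> bool:
    """Policy set 'AOVPN': NAD in Device Model AOVPN_RRAS AND NAS-Port-Type = Virtual."""
    return r.device_model == AOVPN_DEVICE_MODEL and r.nas_port_type == NAS_PORT_TYPE_VIRTUAL

def failed_authz_conditions(r: Request) -> list:
    """AOVPN_AuthZ_Rule conditions that do NOT hold; an empty list means the rule matches."""
    checks = {
        "EAP-TLS": r.eap_method == "EAP-TLS",
        "Framed-Protocol = PPP": r.framed_protocol == FRAMED_PROTOCOL_PPP,
        "Service-Type = Framed": r.service_type == SERVICE_TYPE_FRAMED,
        "CERTIFICATE: Is Expired = false": not r.cert_expired,
        "member of " + AOVPN_AD_GROUP: AOVPN_AD_GROUP in r.ad_groups,
        "issued by " + AOVPN_CA: r.cert_issuer == AOVPN_CA,
    }
    return [name for name, ok in checks.items() if not ok]

def evaluate(r: Request) -> str:
    """Policy set first, then the authorization rule, in the order the article builds them."""
    if not policy_set_matches(r):
        return "no match for policy set AOVPN (request falls through to later policy sets)"
    failed = failed_authz_conditions(r)
    return "AOVPN_AuthZ_Rule matched" if not failed else "AOVPN_AuthZ_Rule failed: " + ", ".join(failed)

# Constructed samples (not captured traffic); NAS-Port-Type 15 = Ethernet (wired 802.1X).
GOOD = Request("AOVPN_RRAS", 5, 2, 1, "EAP-TLS", False, "mycompany-ca01", {AOVPN_AD_GROUP})
EXPIRED = Request("AOVPN_RRAS", 5, 2, 1, "EAP-TLS", True, "mycompany-ca01", {AOVPN_AD_GROUP})
WIRED = Request("Switches", 15, 2, 1, "EAP-TLS", False, "mycompany-ca01", {AOVPN_AD_GROUP})
```

Running `evaluate()` over the three samples shows the three outcomes a troubleshooter sees in Live Logs: a match, a failed condition (the expired certificate), and a request that never enters the AOVPN policy set because it did not come from an AOVPN_RRAS NAD over a virtual port.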


