Hello,

I had a couple of questions I was hoping some in the Community could help me answer. I'm setting up a new deployment which consists of the following:

Critical Applications & Services
- Cisco ISE 2.1
- Cisco ASA 5525, v9.5
- AnyConnect Mobility Client v4.2
- RSA SecurID Server - don't remember the version, but it is fairly updated

Need:
- Remote VPN session (AnyConnect 4.x) client
- Wants to build 2 policies
  - SBL – validation with certificate installed, limited access to network
  - Full – UserPASS (RSA token exchange); MachinePASS (certificate exchange)

I know that within Cisco ASA, I can set up an AnyConnect VPN profile to perform both a Certificate as well as a RADIUS based authentication. Basically the ASA would query and validate the Certificate, and then forward a RADIUS request for User authentication - in this case to the Cisco ISE, which then is associated with the 3rd party RSA server.

What I was trying to do was to have the Cisco ISE support both certificate & RSA authentication, but feedback I've received so far seems to indicate such is not possible at this time. Such would be possible with EAP-Chaining, but EAP-Chaining is only possible for WIRED/WIRELESS deployments and not with VPN deployments (AnyConnect NAM isn't supported for VPN, it appears).

My questions come down to the following:

1) Are Certificate & User-based authentications as described above planned in the near future to be possible on the ISE for VPN authentications?
2) Is EAP-Chaining ever planned to be available for VPN connections?
3) Does anyone have a good reference, website or suggestion where I can look and review regarding Best Practice configurations for Cisco ASA, AnyConnect VPN with 2-factor authentications?

Thanks for your help.