I finally made it, and the double authentication, username/password (checked by a RADIUS server) AND machine certificate check, works. Additionally, we keep the “match identity remote key-id ABC-Lab” from the old config.
In our case we use an Issuing CA, and therefore we also need to create a second trustpoint with the root CA certificate!
So here is a part of the final config for admins who are facing the same task:
New IKEv2 Profile, compared with my first blog entry:
crypto ikev2 profile ikev2-profile_AnyConnect
 ! Peer must present the IKE identity (key-id) "ABC-Lab", kept from the old config
 match identity remote key-id ABC-Lab
 ! The router authenticates itself with its own certificate
 authentication local rsa-sig
 ! The client authenticates with AnyConnect-EAP (username/password); the router also
 ! requests the client's (machine) certificate in the same aggregated exchange
 authentication remote anyconnect-eap aggregate cert-request
 ! Trustpoints used to validate the client certificate: the Issuing CA and its root
 pki trustpoint tp_ABC-Issuing-CA-1
 pki trustpoint tp_ABC-Root-CA
 ! Username/password is checked through the RADIUS method list aaa-auth-radius
 aaa authentication anyconnect-eap aaa-auth-radius
 ! Group authorization policy applied to AnyConnect-EAP sessions
 aaa authorization group anyconnect-eap list vpn-auth ikev2-author-policy_AnyConnect
The only question for which I couldn’t find an answer yet is: why does the user authentication with the RADIUS server (Windows Server 2019) take place using PAP and not encrypted (CHAP)? This is a high security risk and actually a no-go. Does anyone know the reason why, or how to change it?
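The question above concerns the router-to-RADIUS leg. As an added example, not part of the original post, the following Python shows how a NAS encodes a PAP password into the User-Password attribute per RFC 2865 section 5.2 and how the RADIUS server recovers it, so that a practitioner can see exactly what an Access-Request carries on the wire. The shared secret, username and password are constructed sample values, and the packet builder and parser are minimal ones written for this example, not a full RADIUS implementation.

```python
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample values for the demonstration; they are assumptions and
# are not taken from the original post or any real deployment.
SHARED_SECRET = b"example-shared-secret"        # router <-> RADIUS shared secret
USERNAME = b"alice"
PASSWORD = b"correct horse battery staple"      # 28 bytes, zero-padded to 32

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP password for the User-Password attribute (RFC 2865 s5.2).

    The password is zero-padded to a multiple of 16 bytes. Block i is XORed
    with MD5(secret || c_{i-1}), where c_0 is the 16-byte Request Authenticator
    and c_i is the previous output block. This is obfuscation keyed by the
    shared secret, not authenticated encryption.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_user_password(); this is what the RADIUS server does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a positive multiple of 16 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    # Padding is zero bytes; a real password is assumed not to end in NUL.
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Serialise a minimal Access-Request: 4-byte header, authenticator, TLV attributes."""
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Parse a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    authenticator = pkt[4:20]
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def pap_round_trip(secret: bytes = SHARED_SECRET, username: bytes = USERNAME,
                   password: bytes = PASSWORD,
                   authenticator: Optional[bytes] = None) -> Dict[str, bytes]:
    """NAS side: hide the password and build the request; server side: parse and unhide."""
    if authenticator is None:
        authenticator = os.urandom(16)      # fresh per request, as a NAS would generate
    hidden = hide_user_password(password, secret, authenticator)
    pkt = build_access_request(0x2A, authenticator,
                               [(ATTR_USER_NAME, username), (ATTR_USER_PASSWORD, hidden)])
    code, _, auth, attrs = parse_packet(pkt)
    assert code == ACCESS_REQUEST
    return {
        "on_wire_password": attrs[ATTR_USER_PASSWORD],   # what a capture shows
        "recovered": unhide_user_password(attrs[ATTR_USER_PASSWORD], secret, auth),
    }


if __name__ == "__main__":
    result = pap_round_trip()
    print("User-Password on the wire:", result["on_wire_password"].hex())
    print("Recovered by the server:  ", result["recovered"])
```

Running it prints the hidden attribute as hex and the password the server recovers from it. The hiding is MD5-keyed obfuscation with the shared secret and the per-request authenticator, not authenticated encryption, which is why RADIUS deployments protect the NAS-to-server path itself (a strong shared secret plus IPsec or RADIUS/TLS) rather than relying on this encoding alone.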