Anyconnect profile with smartcard authentication

amir.glibic
Level 1

Hi,

We have a request from a customer to create a new remote-access VPN with smart cards.

The customer already uses several profiles: one with simple username/password credentials, another with RSA tokencode, and a third with a machine certificate.

Now he wants to move away from tokencode and machine certificates and use his new Gemalto smart cards + PIN to authenticate via AnyConnect.

The customer also has ISE in place.

I found a few different guides, e.g. an older one for ASA only: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107251-cac-anyconnect-vpn-windows.html

Here I have two problems:

1.) The customer currently has only IPsec profiles in place. If I follow the steps from the guide but with IPsec, it partly works: the AC client prompts for the certificate, but when I choose the correct one the connection is established without asking me for the PIN. The fact that the certificate is issued by the trusted CA is enough to allow access.

2.) Then I tried creating SSL profiles via the ASDM wizard, because I assumed that the PIN prompt isn't available with IPsec.

But every time I create an SSL profile, I get the error "Cannot connect to this gateway. Please choose another gateway and try again."

I'm not sure why I'm getting this via the AC client, because the portal is reachable fine via browser.

DNS is OK, the certificate is OK, telnet to port 443 works.

Since we don't have any SSL profile in place yet, I assume this may be some kind of global setting on the firewall. (The same problem occurred earlier, which is the reason we don't have any SSL profiles yet.)

My other option would be to implement this via ISE, but I'm a total noob regarding ISE. My colleague, who is more specialized, is unavailable for the next few weeks. The only guide I found on smart card/ISE is this one:

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_admin.pdf

But as far as I understand, this only describes how to change administrator access to ISE to smart card + PIN, not how to authenticate a plain VPN user.

Since I assume AnyConnect VPN via smart card + PIN should be a common scenario, I'm a bit confused that there is so little information (guides) about it.

Has anyone already implemented something like that? Any hints on how to implement this (with or without ISE)?

Thanks in advance!
