Anyconnect User and machine certificate sending to ASA and then to ISE

Cisco_user3
Level 1

Hello,

I'm looking to use both certificate authentication at the ASA level and authorization on ISE.

AnyConnect is able to send both certificates to the ASA.

But I'm not able to send both certificates from the ASA to ISE. Is that possible?

Has someone already tried this? Is it possible to implement?

Thanks for your help

@Philip D'Ath 

@Mohammed al Baqari 

@Marvin Rhoads 

@Rahul Govindan 


Hi,
VPN authentication using only certificates is between the client and ASA only. You can still do authorization for the user against ISE (configure authorization only mode under AAA Server Group). This relies on the CN value in the certificate matching a username in AD.

If you want to also authenticate against ISE, configure the tunnel-group for AAA and certificate. This will prompt for username and password to authenticate against ISE (internal user or AD) and a certificate (authenticated against the ASA).

HTH
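As an added illustration of the two options described in the reply above (not configuration taken from the thread or from any Cisco document), here is an ASA configuration sketch. The interface name, pool, group-policy, tunnel-group and server names and the RADIUS host address are placeholders chosen for the example; only the keywords are real ASA syntax.

```cisco
! --- Option 1: certificate authentication on the ASA, authorization only on ISE ---
! RADIUS server group pointing at ISE, marked authorize-only so the ASA
! sends an authorization request without a user password.
aaa-server ISE-AUTHZ protocol radius
 authorize-only
aaa-server ISE-AUTHZ (inside) host 192.0.2.10
 key EXAMPLE-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

! Tunnel-group: the client certificate is validated by the ASA, and the
! username sent to ISE is taken from the certificate CN, which must match
! an AD user as the reply notes.
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 address-pool VPN-POOL
 default-group-policy GP-RA
 authorization-server-group ISE-AUTHZ
 authorization-required
 username-from-certificate CN
tunnel-group RA-CERT webvpn-attributes
 authentication certificate

! --- Option 2: AAA (username/password against ISE) plus certificate on the ASA ---
! A normal (not authorize-only) RADIUS group is used for authentication.
aaa-server ISE-AUTH protocol radius
aaa-server ISE-AUTH (inside) host 192.0.2.10
 key EXAMPLE-SHARED-SECRET

tunnel-group RA-AAA-CERT type remote-access
tunnel-group RA-AAA-CERT general-attributes
 address-pool VPN-POOL
 default-group-policy GP-RA
 authentication-server-group ISE-AUTH
tunnel-group RA-AAA-CERT webvpn-attributes
 authentication aaa certificate
```

In both variants a single client certificate is presented to the ASA and a single identity (the CN, or the typed username) is forwarded to ISE, which is why a separate machine certificate does not reach ISE through this path. After applying a variant, `show vpn-sessiondb detail anyconnect` on the ASA and the RADIUS Live Logs in ISE show which username was actually sent for authorization.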

Thank you RJI.

The goal is to maintain authentication on the ASA but authorization on ISE.

We are looking for authorization of both user and machine, but the ASA just sends one certificate, not both.

The question is to know if it is possible to send both certificates (user + machine).

Hi,

This looks similar to what I also want to achieve.

We could then authenticate both computer and user with less interaction by the user.

Two features which seem almost ideal, and nearly match the MS equivalent (Always On), are:

  • Management VPN Tunnel
    • Connects before the user, and uses the Computer certificate for limited access.
  • Always-On VPN
    • Can be set to connect at login, and can use the User certificate for full access.

Unfortunately, these both use Trusted Network Detection, which conflicts.

Management VPN Tunnel connects fine, but then Always-On VPN doesn't because it is then on the (limited) network.


I wonder if anyone else has tried this and found any workarounds?

Or if there is anything in the pipeline from Cisco to get this working, which would greatly improve the user experience?