Anyconnect

bluesea2010
Level 5

Hi,

I am using AnyConnect for remote access; the authentication and authorization are done by ISE. Now I want to add an additional layer of protection based on certificates. The RA users are corporate and contractors.

How can I do the above?

Please help.

3 Replies

@bluesea2010 for your corporate users, you can distribute the certificate using GPO (assuming you have an Active Directory domain); this is straightforward. Certificate authentication is between the client and the ASA/FTD, but you can send authorisation to ISE based on the certificate information.

Assuming the contractors do not have a corporate device they are connecting from, then it's hard to distribute a certificate to these users. You could create a different connection profile/tunnel-group and authenticate just those users via another method, either Username/Password or with 2FA, such as Duo.

Hi @Rob Ingram 

When you say certificate authentication, do you mean user certificate or machine certificate?

I already have Duo for two-factor authentication.

If I want to do a posture check on the user device, what license (AnyConnect) do I need on the ASA?

Thanks 

@bluesea2010 either user or machine certificate.

Use Duo for users without a corporate machine then.

If you want to do posture on the ASA then you need to use HostScan, which requires the AnyConnect Apex license. https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html

Or, as you have ISE, you can use the ISE Posture Module, which also requires AnyConnect Apex licenses and an ISE Premier license. https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/qa-c67-744190.html