Cisco AnyConnect-Machine Auth Cert & Cisco ISE for Authorisation

Jay233 (Level 1)

Hi All,

Looking for documentation around Cisco AnyConnect using Machine Auth backed off to Cisco ISE/AD.

Current VPN works fine but only uses username and password, our new requirements are to restrict connectivity and access to only on corporate devices. Clients joined to the domain have valid machine certs.

AnyConnect requirements - Use AD username and password and machine certificates via Cisco ISE to authorise connections.  

Accepted Solution

@Jay233  the machine certificate authentication is not sent to ISE. AnyConnect certificate authentication is between the client and the ASA/FTD. Username/Password credentials are still sent to ISE for authentication.

Amend your tunnel-group/connection profile for dual authentication.

tunnel-group <NAME> webvpn-attributes
 authentication aaa certificate

Configure the AnyConnect XML profile to look at the machine certificate store and redeploy to devices.


Replies

Jay233 (Level 1)

Many thanks for the replies. I still have an issue regarding my trustpoint CA/ID certificates.

I need to create a trustpoint for the FTD/FMC that is signed by both issuing intermediate CAs. The solution currently works, but only if the client has been issued a machine cert from ISSUING CA01; clients with certs issued from ISSUING CA02 fail because there is no cert path in the trust relationship.

I have read that one can add sub CAs using OpenSSL, creating a PKCS12 file for example. Does anyone have experience with, or any documentation on, the procedure to add multiple sub CAs?

Example from 215849-certificate-installation-and-renewal-on.pdf (cisco.com):

If the certificate is a part of a chain with a root CA and 1 or more intermediate CAs, this command can be used to add the complete chain in the PKCS12:

openssl pkcs12 -export -out ftd.pfx -in ftd.crt -inkey private.key -chain -CAfile cachain.pem
Enter Export Password: *****
Verifying - Enter Export Password: *****

I am having issues following this document to create a full chain including both sub issuing CAs; any help would be greatly appreciated.
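The point worth seeing in a lab before touching the FTD is what the quoted `-chain` option actually packs: OpenSSL resolves the chain of the identity certificate only, so a PKCS12 built from a CA01-issued identity cert never contains CA02, whatever cachain.pem holds. The script below is an added example written for this thread, not code from the Cisco document or from the poster. It builds a throwaway PKI with one root and two issuing CAs, exports the PFX both ways (the quoted form, and the same form with `-certfile` adding every issuing CA), and verifies a CA02-issued machine cert against the CA certificates each PFX carries. All names, passwords and file names are placeholders constructed for the demo; how the FMC imports the extra CA certificates from the PKCS12 into the trustpoint is not something this thread confirms, so check that against the FMC documentation.

```shell
#!/bin/sh
# Added lab example (not from the thread or the Cisco PDF). Builds a throwaway
# PKI: root -> CA01 and CA02; FTD identity cert from CA01; a client machine
# cert from CA02. Then compares two PKCS12 exports of the FTD identity:
#   1. the -chain form quoted in the thread (packs only ftd.crt's own path);
#   2. the same plus -certfile subcas.pem (packs both issuing CAs).
# All names, passwords and paths below are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# Self-signed lab root CA.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Lab Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 3650 -extfile ca.ext 2>/dev/null

# issue NAME ISSUER EXTFILE: new key + CSR for NAME, signed by ISSUER's key and cert.
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 825 -extfile "$3" 2>/dev/null
}
issue CA01 root ca.ext          # issuing CA 1
issue CA02 root ca.ext          # issuing CA 2
issue ftd CA01 leaf.ext         # FTD identity certificate, issued by CA01
issue client02 CA02 leaf.ext    # domain machine certificate, issued by CA02

# cachain.pem as the Cisco document uses it: root plus both issuing CAs.
cat root.crt CA01.crt CA02.crt > cachain.pem
# The issuing CAs on their own, to be added to the PFX explicitly.
cat CA01.crt CA02.crt > subcas.pem

# Export 1: exactly the quoted form. -chain follows ftd.crt's path (CA01 -> root).
openssl pkcs12 -export -out ftd_chain.pfx -in ftd.crt -inkey ftd.key \
  -chain -CAfile cachain.pem -passout pass:lab 2>/dev/null
# Export 2: the same, plus every issuing CA the trustpoint must be able to trust.
openssl pkcs12 -export -out ftd_full.pfx -in ftd.crt -inkey ftd.key \
  -chain -CAfile cachain.pem -certfile subcas.pem -passout pass:lab 2>/dev/null

# pfx_validates PFX CERT: pull the CA certs packed in PFX and check whether CERT
# chains to the lab root through them. Exit status 0 means a path was found.
pfx_validates() {
  openssl pkcs12 -in "$1" -passin pass:lab -nokeys -cacerts -out "$1.cas.pem" 2>/dev/null
  openssl verify -CAfile root.crt -untrusted "$1.cas.pem" "$2" >/dev/null 2>&1
}

# ca_count PFX: number of CA certificates packed in PFX.
ca_count() {
  openssl pkcs12 -in "$1" -passin pass:lab -nokeys -cacerts 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

if pfx_validates ftd_chain.pfx client02.crt; then CHAIN_ONLY=yes; else CHAIN_ONLY=no; fi
if pfx_validates ftd_full.pfx client02.crt; then WITH_CERTFILE=yes; else WITH_CERTFILE=no; fi
echo "CA02 machine cert validates via -chain export:           $CHAIN_ONLY"     # no
echo "CA02 machine cert validates via -chain -certfile export: $WITH_CERTFILE"  # yes
```

The failure mode in the second run mirrors the symptom in the thread: a client with a CA02 cert has no path to the root through what the CA01-built chain carries. Whether you fix that by packing both issuing CAs into the identity PKCS12, as above, or by enrolling each issuing CA as its own CA-only trustpoint on the FTD, the check to make afterwards is the same: the device's trusted CA set must contain every CA that issues machine certificates to domain clients, not just the one that issued the FTD's own certificate.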


Jay233 (Level 1)

Also quick question, my AnyConnect profile is using machine certificates plus AAA for client logins.

In ISE we can see PAP RADIUS requests coming in, but only the client username/password and client MAC address. Should we also see the machine name stripped from the certificate being sent, or is this authentication only between the AnyConnect client and the FTD?

In my ISE policy conditions I had domain computers and domain users/VPN groups to return a positive accept result; removing the domain computers condition allowed users to log in successfully.

How do I verify that machine certificates are actually being used?