
Cisco ASA VPN and Cisco ISE Smart Card Authentication (Certificate Only)

Johannes2110
Level 1

Hi all,

 

So I have a Cisco ASA as the VPN gateway, using certificate-only authentication because I am using smart cards, and I also have Cisco ISE that has to do AAA for the VPN users. But I want authentication for every user to not require entering a username and password; they should use only the smart card to authenticate and log in for VPN access.

Is there any possible way to do that?

 

Thanks

Accepted Solutions

Rahul Govindan
VIP Alumni

Interesting. I believe you can achieve this by using ISE (RADIUS) for authorization only. Authentication will still happen via certificate, but authorization will pick the username from the cert and send it to ISE. There you can use user/AD-based policies to provide authorization permissions to the user (VPN filter etc.). You would have to add ISE as an authorization server as seen below:

 

[Image: radius-authz.PNG]

I have not personally tried this exact scenario, but see no reason why this would not work.
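An ASA CLI configuration for the setup described in the answer above: certificate-only authentication on the tunnel group, with ISE consulted over RADIUS for authorization using a username taken from the certificate. This is an added example, not part of the original reply or of the poster's configuration; the names `ISE`, `VPN-SMARTCARD`, `VPN-POOL`, `GP-SMARTCARD`, the interface `inside`, the address `192.0.2.10` and the key placeholder are all assumptions.

```text
! --- Assumed names and addresses throughout; adjust to your environment ---

! RADIUS server group pointing at ISE (192.0.2.10 is a documentation address)
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret-placeholder>

! Remote-access tunnel group for smart card users
tunnel-group VPN-SMARTCARD type remote-access
tunnel-group VPN-SMARTCARD general-attributes
 address-pool VPN-POOL
 default-group-policy GP-SMARTCARD
 ! No authentication-server-group for ISE: ISE is used for authorization only
 authorization-server-group ISE
 ! Reject the session if the authorization lookup does not succeed,
 ! so a valid certificate alone is not enough to get in
 authorization-required
 ! Field of the certificate sent to ISE as the username.
 ! CN is assumed here; use the field (for example UPN) that matches
 ! how the accounts are named in the identity store behind ISE
 username-from-certificate CN

tunnel-group VPN-SMARTCARD webvpn-attributes
 ! Certificate only: the client is never prompted for username/password
 authentication certificate
 group-alias SmartCard enable
```

The ISE side is not shown: the ASA has to be defined there as a network device with the same shared secret, and the authorization policy has to match the username extracted from the certificate.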


Hi Rahul,

 

Thank you, that way is working.