FlexVPN - AnyConnect EAP-TLS Certificate-Based Client Authentication

dlucas
Level 1

Need to find out if the following is currently possible with FlexVPN:

Certificate-based client and server authentication using AnyConnect w/ ISE as the central AAA server for both authentication and authorization. I was thinking EAP-TLS would work, but it doesn't appear to be an option for the AnyConnect client?

If I could authenticate the user cert locally on the router and perform authorization on ISE, that would be OK as long as I can do per-user authorization - specifically, if I remove the user from AD (ISE is AD integrated) then authorization will fail.

My main goal is to do certificate-based authentication, but have the ability to remove a user's VPN access without needing to mess with CRL revocation checking (which is a pain to get working).

Any comments/suggestions are appreciated.

-Thanks

1 Reply

Hi,

You can do certificate authentication; the authentication would only be between the router and the client. Authorization could be sent to ISE: you would use the name mangler to extract an attribute from the certificate to send to ISE to identify the user.

From my experience, I don't believe you can link an attribute extracted from a certificate (e.g. the username value) using the name-mangler to an AD account, because the name-mangler will send a password to ISE, the default being "cisco". This password will obviously be incorrect in AD. If you wanted to do this for this FlexVPN policy, you have to create local ISE users and point to the Local Identity Store; the password would be static. The user does not need to know this password; it is purely for authorization.

When it comes to the client configuration, you would create a profile in the AnyConnect VPN Profile Editor and select the authentication method "IKE-RSA".

Alternatively you could use Aggregate Authentication. This will require the use of a username/password (which can be from the AD Identity Store) and certificates. You could then make the user a member of an AD group permitting them VPN access and remove them when you no longer want them to have access. In the AnyConnect client profile you'd select EAP-AnyConnect.

HTH
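The first approach in the reply (certificate authentication on the router, per-user authorization fetched from ISE via a name-mangler) maps to a small set of IOS-XE FlexVPN commands. The fragment below is an added illustration, not configuration posted by either participant or taken from Cisco documentation. All names (FLEX-ANYCONNECT, CERT-CN, FLEX-ISE-AUTHZ, the trustpoint, the ISE address and shared secret) are placeholders for this example; substitute your own. It assumes the client certificate's Common Name is the value you want ISE to see as the username.

```cisco
! --- AAA plumbing: authorization-only list pointing at ISE (placeholder server) ---
aaa new-model
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
aaa authorization network FLEX-ISE-AUTHZ group ISE-GROUP
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! --- Name-mangler: take the CN from the peer certificate's subject DN ---
! This is the "attribute extracted from the certificate" the reply refers to.
crypto ikev2 name-mangler CERT-CN
 dn common-name
!
! --- IKEv2 profile: mutual RSA-sig authentication, authorization via ISE ---
crypto ikev2 profile FLEX-ANYCONNECT
 match identity remote any
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX-CA
 ! Per-user authorization request to ISE; the mangled CN is the RADIUS User-Name.
 ! As the reply notes, the router sends a fixed password (default "cisco") with
 ! this request, so ISE needs a matching internal (non-AD) user for each CN.
 aaa authorization user cert list FLEX-ISE-AUTHZ name-mangler CERT-CN
 virtual-template 1
```

Revoking a user's access in this model means deleting or disabling the matching internal user in ISE (or a rule that denies them), which is exactly the "remove the user and authorization fails" behaviour the question asks for, without relying on CRL checks. The trade-off the reply points out still holds: because the authorization request carries a static password, it cannot be validated against AD, so the ISE identity source for this policy must be the internal user store.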