Solved: Replace certificate with VPN

Da ICS16 · ‎01-21-2025

Dear Cisco Community,

We use ISE version 3.x both using LAN dot1x and VPN tunnel. ISE integration with AD for Authentication.

When user connect to VPN ( Cisco Secure Client ). It required to check AD user credential, PC certificate and OTP. It also check the Posture and policy we defined.

Is there another alternative solution to replace certificate with VPN? No require check certificate when user connect VPN.

If yes, how can we configure? Is it good practice or not? how about ISE security level?

If cannot do it, do we have the way to simplify from ISE admin / end users not challenge with certificate too much?

Thanks for update and supporting.

Rob Ingram · ‎02-12-2025

@Da ICS16 for the contractors (without a corporate device) you can create a different connection profile/tunnel group, this would be configured to use AD + OTP (not a certificate).

View solution in original post

Da ICS16 · ‎02-12-2025

Hello @Flavio Miranda @MHM Cisco World and Cisco Expert team.

Could you help to review and commend / advise whether is it possible to do it?

Please share your experience / solution to do it.

Thanks you.

Rob Ingram · ‎02-12-2025

@Da ICS16 If the VPN is using "AD user credential, PC certificate and OTP" then just using AD credentials AND OTP would be secure enough, so yes you could remove the requirement to user PC certificates.

The PC certificate authentication should be transparent to the users assuming the computer already has been issued with the certificate, this can be automated via Windows GPO. Requiring the use of a PC/machine certificate does ensure the computer the user is connecting from is a corporate issued device, so there maybe benefits of still using certificates.

Da ICS16 · ‎02-12-2025

Dear @Rob Ingram ,

Thanks for your commend.

It works fine with our cooperated devices which join our domain + GPO.

Could you share your advise with vendor devices (not cooperated device) that connect our VPN. To not use our certificate and not join domain by using another layer solution like Microsoft Authentication App or else? When they use their PC just connect with Cisco Secure Client VPN agent, Ad user credential + OTP.

Thanks,

Rob Ingram · ‎02-12-2025

@Da ICS16 for the contractors (without a corporate device) you can create a different connection profile/tunnel group, this would be configured to use AD + OTP (not a certificate).

Da ICS16 · ‎02-12-2025

Thanks @Rob Ingram Could you share the Cisco docs / link URL please.

Rob Ingram · ‎02-12-2025

@Da ICS16 you just create an additional connection profile, select the authentication methods (AD + OTP) and specify a unique group URL or alias for the contractors to connect to.

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/221632-configure-anyconnect-vpn-to-ftd-via-ikev.html

Da ICS16 · ‎02-21-2025

Hello @Rob Ingram

Is it possible to integration with DUO?

Thanks,

Rob Ingram · ‎02-21-2025

@Da ICS16 yes, here are a few DUO examples:-

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-32/222208-configure-ssl-vpn-authentication-through.html

https://duo.com/docs/cisco-firepower

Da ICS16 · ‎02-24-2025

Hello @Rob Ingram ,

Thanks for sharing the docs.

Beside of integration with DUO, do we have another solution MFA?

Thanks,

Rob Ingram · ‎02-25-2025

@Da ICS16 Azure? - https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Da ICS16 · ‎03-05-2025

Regarding to the link you shared, can we test with FMC/FTD instead of ASA? thanks.

Rob Ingram · ‎03-05-2025

@Da ICS16 yes, FTD managed by the FMC has the same functionality as the ASA.

Flavio Miranda · ‎02-12-2025

@Da ICS16

Certificate life time is defined by network admin. You can stablish How long the certificate will be valid. For security reason, the life IS not recommended to be too long. Usually one year.

Da ICS16 · ‎02-21-2025

Hello @Flavio Miranda ,

Yes, we should consider the cert period as well.