cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2154
Views
3
Helpful
14
Replies

Replace certificate with VPN

Da ICS16
Level 1
Level 1

Dear Cisco Community,

We use ISE version 3.x both using LAN dot1x and VPN tunnel. ISE integration with AD for Authentication.

When user connect to VPN ( Cisco Secure Client ). It required to check AD user credential, PC certificate and OTP. It also check the Posture and policy we defined.

Is there another alternative solution to replace certificate with VPN? No require check certificate when user connect VPN.

If yes, how can we configure? Is it good practice or not? how about ISE security level?

If cannot do it, do we have the way to simplify from ISE admin / end users not challenge with certificate too much? 

Thanks for update and supporting.

 

 

1 Accepted Solution

Accepted Solutions

@Da ICS16 for the contractors (without a corporate device) you can create a different connection profile/tunnel group, this would be configured to use AD + OTP (not a certificate).

 

View solution in original post

14 Replies 14

Da ICS16
Level 1
Level 1

Hello @Flavio Miranda @MHM Cisco World and Cisco Expert team.

Could you help to review and commend / advise whether is it possible to do it?

Please share your experience / solution to do it.

Thanks you.

@Da ICS16 If the VPN is using "AD user credential, PC certificate and OTP" then just using AD credentials AND OTP would be secure enough, so yes you could remove the requirement to user PC certificates.

The PC certificate authentication should be transparent to the users assuming the computer already has been issued with the certificate, this can be automated via Windows GPO. Requiring the use of a PC/machine certificate does ensure the computer the user is connecting from is a corporate issued device, so there maybe benefits of still using certificates.

Dear @Rob Ingram ,

Thanks for your commend.

It works fine with our cooperated devices which join our domain + GPO.

Could you share your advise with  vendor devices (not cooperated device) that connect our VPN. To not use our certificate and not join domain by using another layer solution like Microsoft Authentication App or else? When they use their PC just connect with Cisco Secure Client VPN agent, Ad user credential + OTP.

Thanks, 

 

 

@Da ICS16 for the contractors (without a corporate device) you can create a different connection profile/tunnel group, this would be configured to use AD + OTP (not a certificate).

 

Thanks @Rob Ingram Could you share the Cisco docs / link URL please.

Hello @Rob Ingram 

Is it possible to integration with DUO?

Thanks,

Hello @Rob Ingram ,

Thanks for sharing the docs.

Beside of integration with DUO, do we have another solution MFA?

Thanks,

Regarding to the link you shared, can we test with FMC/FTD instead of ASA? thanks.

@Da ICS16 yes, FTD managed by the FMC has the same functionality as the ASA.

@Da ICS16 

Certificate life time is defined by network admin. You can stablish How long the certificate will be valid. For security reason, the life IS not recommended to be too long. Usually one year.

 

Hello @Flavio Miranda ,

Yes, we should consider the cert period as well.