2 Factor Authentication for AnyConnect VPN using ISE

We are planning to implement dual factor authentication for AnyConnect VPN.
The end users will be authenticated using the domain name in machine certificates and a username and password, with
ISE used as the RADIUS server.

We have the following approaches to achieve this:

1. Use primary and secondary authentication, with user credentials as primary authentication
and the CN field of the certificate as secondary authentication. However, this option prompts users for a password for
both fields, while we want the machine certificate to authenticate itself without a password.

2. The second approach is to authenticate using user credentials and authorize the user to access the network if
the machine certificate has a domain name in the CN field, which we are able to validate from the AD using
Dynamic Access Policy.

We are looking forward to discussion of the above approaches and are open to any other


