Anyconnect clients establish VPN tunnels to an ASA and are authenticated using an OTP server and AD (primary and secondary configuration under the connection profile). For AD, the ASA sends the authentication request to ISE which is integrated with AD. Clients are associated to different group-policies depending on which AD group they belong to.
We would like to add machine authentication to this, is is possible to additionally check that the client machine is also present and active in AD?
Show Name: Thoughts on Security at Cisco Live US 2018 in Orlando
Contributors: Kevin Klous, David White Jr., Aaron Woland, Jeff Fanelli
Posting Date: June 2018
Description: The team goes on-site in the Cisco Live Speaker room in...
RADIUS and Symantec VIP.
I will use screenshots of ASDM, and at the end I will add the required CLI commands. the diagram below show a diagram of the steps the FW goes through when using 2FA authentication:
As you can see in Fig. 1&nbs...