Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Cisco Employee

Dual Factor Authentication for Anyconnect VPN through ASA-AAA(ISE)

We need to achieve a scenario where remote users connecting via anyconnect SSL through corporate assets(laptop) could able to authenticate using AD credentials.

Corporate laptop has been issued machine certificate. In tunnel group (connection profile) , I could see that we can have cert ,aaa or Both authentication.  If we configure as a  'Both'. How we can achieve following

1. Strip CN from certificate and send it to AAA (ISE) for further authentication.

I could see that in Advanced option of connection profile we can send to AAA server for further validation but how can we prevent from not prompting user for password as it does not make sense prompt for pop-up against machine name.

2. We will  have secondary authentication which prompt user to enter their AD credential but that is not an issue.

If above scenario is not possible then for remote access user, is there any way we can achieve machine authentication(certificate) and user authentication(AD  credential) through ASA -AAA(ISE)  ?

Everyone's tags (6)
New Member

Hi Umahar, Not sure I

Hi Umahar,


Not sure I understood correct. You would like to authenticate the user using machine certificate for anyconnect and want to extract CN attribute the client's certificate and send it to the ISE server for further authenticate with AD. And also you don't want an additional password prompt to be produced to the user.


If my understanding is correct. Then user would get a prompt for the password atleast because in the machine certificate there won't be password, but to authenticate with RADIUS/TACACS , we need both username and password. So how will the user gets authenticated without password.

If you are looking a way to just see if the user is present under AD, not exactly and authentication then this might not be possible.





Cisco Employee

Hi Altaf,We want the user to

Hi Altaf,

We want the user to be prompted for password but only for the username. However at the same time we also need to validate whether their laptop belongs to the domain computers by stripping the domain-name from CN field of the certificate and checking it against the domain computers in AD.

While authenticating  laptops for domain-name we do not want a password to be prompted for authenticating the certificate field.

Is this possible to achieve this using secondary authentication in ASA ?

We are also open for any other suggestions

New Member

Hi, Please use the option



Please use the option "both" under connection profile(if you are making the configuration using ASDM). Currently you are using secondary authentication which is not required.





CreatePlease login to create content