Dual Factor Authentication for AnyConnect VPN through ASA-AAA (ISE)
We need to achieve a scenario where remote users connecting via AnyConnect SSL through corporate assets (laptops) can authenticate using AD credentials.
The corporate laptop has been issued a machine certificate. In the tunnel group (connection profile), I can see that we can have cert, AAA or both for authentication. If we configure it as 'Both', how can we achieve the following?
1. Strip the CN from the certificate and send it to AAA (ISE) for further authentication.
I can see that in the Advanced option of the connection profile we can send it to the AAA server for further validation, but how can we prevent it from prompting the user for a password, as it does not make sense to prompt a pop-up against a machine name?
2. We will have secondary authentication which prompts the user to enter their AD credentials, but that is not an issue.
If the above scenario is not possible, then for remote-access users, is there any way we can achieve machine authentication (certificate) and user authentication (AD credentials) through ASA-AAA (ISE)?
Not sure I understood correctly. You would like to authenticate the user using a machine certificate for AnyConnect and want to extract the CN attribute from the client's certificate and send it to the ISE server for further authentication with AD. And also you don't want an additional password prompt to be produced for the user.
If my understanding is correct, then the user would get a prompt for the password at least, because in the machine certificate there won't be a password, but to authenticate with RADIUS/TACACS we need both username and password. So how will the user get authenticated without a password?
If you are looking for a way to just see if the user is present under AD, and not exactly an authentication, then this might not be possible.
We want the user to be prompted for a password, but only for the username. However, at the same time we also need to validate whether their laptop belongs to the domain computers by stripping the domain name from the CN field of the certificate and checking it against the domain computers in AD.
While authenticating laptops for the domain name, we do not want a password to be prompted for authenticating the certificate field.
Is it possible to achieve this using secondary authentication in the ASA?
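For reference, the ASA pieces the thread is discussing (certificate plus AAA on the connection profile, CN taken from the certificate as the pre-filled primary username, and a secondary AAA leg for the user's AD credentials) look like this as an added example, not a configuration posted in the thread. Names and addresses (ISE-RADIUS, 10.0.0.5, VPN-POOL, GP-ANYCONNECT, ANYCONNECT-TG) are assumed, and the machine-certificate trustpoint is assumed to be enrolled already.

```cisco
! Added example, not from the thread. Assumed names: ISE-RADIUS, 10.0.0.5,
! VPN-POOL, GP-ANYCONNECT, ANYCONNECT-TG; certificate trustpoint assumed present.
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.5
 key <radius-shared-secret>
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 default-group-policy GP-ANYCONNECT
! primary AAA leg: the username comes from the machine certificate (see below)
 authentication-server-group ISE-RADIUS
! secondary AAA leg: the user's own AD username and password, entered interactively
 secondary-authentication-server-group ISE-RADIUS
tunnel-group ANYCONNECT-TG webvpn-attributes
! "Both": the client must present a valid certificate AND pass AAA
 authentication aaa certificate
! take the CN of the presented certificate as the primary username ...
 username-from-certificate CN
! ... pre-fill it on the AnyConnect login form and hide the username field
 pre-fill-username ssl hide
 group-alias CORP enable
```

This does not remove the primary password prompt: as the reply above says, the RADIUS leg still needs a username and a password, so the pre-filled machine CN would still be paired with a password the user must type.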