Cisco Support Community

User VPN through ASA and ISE using smartcards w/multiple user certificates

Hi guys.
Not sure if this is possible, or if I'm way off track here, but I'll give it a shot here on the forums.
We're trying to accomplish two-factor authentication using predeployed user certificates on smartcards. The plan is to use the ASA for certificate validation and as the VPN anchor, and the ISE for authorization - that is, to supply ACLs to the ASA and/or by other means restrict user access to the network.

Here's the catch: the smartcards come in different flavours:

 1) for regular users - containing a certificate issued by the corporate PKI

 2) for elevated users - containing both a corporate certificate AND two qualified certificates issued by a globally trusted CA
For the elevated users the goal is to perform the authentication using one of the qualified certificates, and then pass contents from the corporate certificate to the ISE for authorization purposes.

So why not just use the qualified certificate? Well, the structure of the qualified certificate does not contain a unique identifier that can be tied directly to the user's corporate ID - it rather just contains a Subject CN of plain old human readable [first + middle + last name].
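The distinction the post draws between the two certificate types comes down to which X.509 attributes each one carries. The following is an added example (not code from the original post, and not Cisco ASA or ISE logic) that builds constructed test certificates standing in for the two card flavours and checks which of them carries an identifier a policy engine could key on. It assumes, for illustration only, that the corporate PKI places the employee ID in the subject serialNumber attribute (2.5.4.5) and an rfc822Name SAN in the corporate certificate, while the qualified certificates carry only a human-readable CN; the names and IDs are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed test certificate with the given subject and
// optional rfc822Name SANs. Constructed test data only; no real CA is involved.
func makeCert(subject pkix.Name, emails []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        subject,
		EmailAddresses: emails,
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// CorporateID returns an identifier that can be tied to a corporate account:
// the subject serialNumber attribute (assumed here to hold the employee ID) or,
// failing that, the first rfc822Name SAN. A certificate whose subject holds only
// a human-readable CN yields ok == false, because a name is not a unique key.
func CorporateID(cert *x509.Certificate) (id string, ok bool) {
	if cert.Subject.SerialNumber != "" {
		return cert.Subject.SerialNumber, true
	}
	if len(cert.EmailAddresses) > 0 {
		return cert.EmailAddresses[0], true
	}
	return "", false
}

// PickAuthzCert scans the certificates found on a card and returns the first
// one that carries a corporate identifier, i.e. the one whose contents would be
// the right input for an authorization decision.
func PickAuthzCert(card []*x509.Certificate) (cert *x509.Certificate, id string, ok bool) {
	for _, c := range card {
		if id, ok := CorporateID(c); ok {
			return c, id, true
		}
	}
	return nil, "", false
}

// RegularCard simulates flavour 1: a single corporate certificate.
func RegularCard() []*x509.Certificate {
	corporate := pkix.Name{CommonName: "Kari Nordmann", SerialNumber: "E10001",
		Organization: []string{"Example Corp"}}
	return []*x509.Certificate{makeCert(corporate, []string{"kari.nordmann@example.com"})}
}

// ElevatedCard simulates flavour 2: two qualified certificates whose subject is
// only a person's name, plus the corporate certificate.
func ElevatedCard() []*x509.Certificate {
	qualified := pkix.Name{CommonName: "Ola Mellom Nordmann", Country: []string{"NO"}}
	corporate := pkix.Name{CommonName: "Ola Nordmann", SerialNumber: "E12345",
		Organization: []string{"Example Corp"}}
	return []*x509.Certificate{
		makeCert(qualified, nil),
		makeCert(qualified, nil),
		makeCert(corporate, []string{"ola.nordmann@example.com"}),
	}
}

func main() {
	for name, card := range map[string][]*x509.Certificate{"regular": RegularCard(), "elevated": ElevatedCard()} {
		c, id, ok := PickAuthzCert(card)
		if !ok {
			fmt.Printf("%s card: no certificate with a corporate identifier\n", name)
			continue
		}
		fmt.Printf("%s card: use cert CN=%q, corporate ID %s for authorization\n", name, c.Subject.CommonName, id)
	}
}
```

On the elevated card the two qualified certificates are skipped because neither subject nor SAN contains anything beyond the person's name, and the corporate certificate is selected; on the regular card the only certificate is selected. In a real deployment the attribute to key on depends on what the corporate PKI actually issues (UPN in a SAN otherName is another common choice), so the selection logic must match that profile rather than the assumption made here.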
