I understand people are using their internal PKI for authentication on wired and wireless networks, but it now has me thinking about VPN authentication.
If the internal PKI has been set up for both machine and user certificates already, can we use that as part of the authentication for VPN? Is this a recommended solution? Ideally we would like to set this up with an OTP server as well, with ISE configured on the backend.
What needs to happen with certificate revocation for VPN connection?
You are on the right track. Client certificates plus OTP authentication is one of the most secure ways to set up remote access VPN on the ASA.
For revocation, the ASA will generally check the CRLs on the issuing CA (or in rare cases use OCSP).
For your second post, you use connection-profiles (i.e. pre-login selection) to configure the different authentication methods for your two (or more) use cases.
You might want to invest in the certification guide for the CCNP VPN exam:
CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)
Even though that exam is being retired next month, it has a wealth of information that complements the configuration guides with a more comprehensive explanation of just the type of questions you are asking.
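As an added illustration of the answer above (not from the original post or the Cisco guides), here is an ASA configuration sketch for the certificate-plus-OTP design: a trustpoint for the internal CA with CRL checking enforced, a RADIUS server group pointing at ISE for the OTP factor, and one connection profile that requires both. Trustpoint, server-group, tunnel-group names and the 10.0.0.5 address are hypothetical placeholders.

```cisco
! --- Trust the internal CA that issues the user/machine certificates ---
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 ! Revocation is checked against the CRL from the issuing CA.
 ! "revocation-check crl" fails CLOSED: if the CRL cannot be fetched, the
 ! certificate is rejected. "revocation-check crl none" would fail OPEN
 ! and is the weak setting to avoid for remote access.
 revocation-check crl
 crl configure
  ! Fetch the CRL from the CDP URL embedded in the client certificate.
  policy cdp
  ! Re-fetch before the cached copy goes stale, and honour NextUpdate.
  cache-time 60
  enforcenextupdate

! --- ISE as the RADIUS backend that validates the OTP ---
aaa-server ISE-OTP protocol radius
aaa-server ISE-OTP (inside) host 10.0.0.5
 key <radius-shared-secret-placeholder>

! --- Connection profile: certificate AND OTP, selected pre-login ---
tunnel-group VPN-CERT-OTP type remote-access
tunnel-group VPN-CERT-OTP general-attributes
 authentication-server-group ISE-OTP
tunnel-group VPN-CERT-OTP webvpn-attributes
 ! Both factors are required: a valid, unrevoked certificate from
 ! INTERNAL-CA plus a successful RADIUS (OTP) authentication.
 authentication aaa certificate
 group-alias CertOTP enable

! Expose the profile list so users pick the right connection profile.
webvpn
 tunnel-group-list enable
```

A second connection profile with `authentication aaa` only (or a `certificate-group-map`) is how you would serve a use case that has no certificate, as the answer describes.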