Monday, February 24, 2020

Cisco ASA AnyConnect VPN w/ AAA Certificate Authentication

Hello all, I have a general question that I can't seem to find the answer to even when dealing with Cisco TAC.

I have an ASA configured for AnyConnect VPN and the connection profile is set up for AAA as the authentication method to a Cisco ISE server. I match on a PAP ASCII AuthC rule in ISE from my internal users. This works fine.

However, when I switch to certificate as the authentication method and specify ISE as the AAA server group on my ASA, I never see any RADIUS logs during the connection and the client fails to connect. I've issued certs to my client. So, my question is: can an ASA act as an EAP passthrough for certificate authentication, where the ASA would simply forward the RADIUS authentication packets and certificate to ISE in the same way a WLC would for EAP-TLS?
