For AnyConnect, I'm currently using EAP-TLS authentication with machine certificates for clients at the FTD, then passing user credentials through to ISE for a second factor. If someone's machine cert expires (like they were off-net for quite awhile), I don't currently have a way to get a new valid machine certificate onto the machine without them coming on-prem and plugging into an auth-opened port.
Assuming someone else uses EAP-TLS like this - what do you do (if anything) to work around this? I can see at some point an executive will have a laptop they need to use "right now" but haven't used it in ages and it has an expired client cert so it fails AC auth. Coming on-prem isn't an option, so how do I get a valid certificate on that machine?
No comments:
Post a Comment