In this session we will set up a remote access VPN that uses certificates as the authentication mechanism, while authorization is handled by Cisco ISE acting as a RADIUS server.
2. Introduction
• In this session we will configure Remote Access VPN on a Cisco ASA, with authentication by certificate and authorization by ISE against Active Directory.
• With certificate-based authentication for AnyConnect VPN, the certificate authentication process terminates on the ASA. Because the ASA does not pass the certificate on to ISE, ISE receives only the authorization request and tries to process it as a full authentication. There is no usable password in that RADIUS request, so the authentication fails.
• Thus, authentication must be bypassed on ISE for this traffic, so that ISE performs only the authorization step against Active Directory.
[Diagram: certificate authentication locally on the ASA; Active Directory authorization on Cisco ISE]
13. Part 1: Step 1 of 2 - Setup ASA for Authorization
• The following additional configuration must be added to the ASA. The output below is from show running-config aaa-server, so the RADIUS shared secret appears masked:
!
ciscoasa(config)# sh running-config aaa-server
aaa-server ISE protocol radius
interim-accounting-update
aaa-server ISE (management) host 192.168.111.6
key *****
!
14. Part 1: Step 2 of 2 - Setup ASA for Authorization
!
tunnel-group vpn.w365.vpnet.com type remote-access
tunnel-group vpn.w365.vpnet.com general-attributes
authorization-server-group ISE
authorization-required
tunnel-group vpn.w365.vpnet.com webvpn-attributes
authentication certificate
group-alias vpn.w365.vpnet.com enable
!
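The two configuration steps above are easy to get half right: a tunnel-group with "authentication certificate" but without an authorization-server-group (or without authorization-required) admits any holder of a valid certificate without ISE or Active Directory ever being consulted. The following audit script is an added example, not part of the original deck or of Cisco's tooling. It parses ASA running-config text in the format shown on the slides and flags certificate-only remote-access tunnel-groups whose authorization is missing or points at an undefined RADIUS group. The sample configs embedded in it are constructed: GOOD_CONFIG reproduces the slides' configuration, and BAD_CONFIG (tunnel-group name and group-policy are invented) shows the misconfiguration the check exists to catch.

```python
"""Audit ASA running-config text for certificate authentication + RADIUS authorization.

Added example: a remote-access tunnel-group that authenticates AnyConnect users
only by certificate must also name an authorization-server-group and set
authorization-required, otherwise the ISE/AD authorization step is skipped.
"""
import re
from dataclasses import dataclass, field


@dataclass
class TunnelGroup:
    name: str
    type: str = ""
    auth_methods: list = field(default_factory=list)  # e.g. ["certificate"] or ["aaa", "certificate"]
    authz_group: str = ""
    authz_required: bool = False


def parse_asa_config(text):
    """Return (aaa_server_groups, tunnel_groups) from ASA config text.

    aaa_server_groups maps group name -> protocol ("radius", "ldap", ...).
    Sub-commands of a tunnel-group section are recognised by their one-space indent,
    as in 'show running-config' output.
    """
    aaa_groups = {}
    groups = {}
    current = None  # tunnel-group whose attribute section is open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            # Top-level command: any open tunnel-group section ends here.
            current = None
            m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
            if m:
                aaa_groups[m.group(1)] = m.group(2)
                continue
            m = re.match(r"tunnel-group (\S+) type (\S+)$", line)
            if m:
                groups.setdefault(m.group(1), TunnelGroup(m.group(1))).type = m.group(2)
                continue
            m = re.match(r"tunnel-group (\S+) \S+-attributes$", line)
            if m:
                current = groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            continue
        if current is None:
            continue
        # Indented sub-command inside a tunnel-group attribute section.
        m = re.match(r"authorization-server-group (?:\(\S+\) )?(\S+)$", line)
        if m:
            current.authz_group = m.group(1)
        elif line == "authorization-required":
            current.authz_required = True
        elif line.startswith("authentication "):
            current.auth_methods = line.split()[1:]
    return aaa_groups, groups


def audit(text):
    """Return a list of findings; an empty list means the pattern is configured as on the slides."""
    aaa_groups, groups = parse_asa_config(text)
    findings = []
    for tg in groups.values():
        # Only certificate-only remote-access groups are in scope; with
        # 'authentication aaa certificate' the AAA server already authenticates.
        if tg.type != "remote-access" or tg.auth_methods != ["certificate"]:
            continue
        if not tg.authz_group:
            findings.append(f"{tg.name}: 'authentication certificate' without authorization-server-group; "
                            "ISE/AD is never consulted")
            continue
        if aaa_groups.get(tg.authz_group) != "radius":
            findings.append(f"{tg.name}: authorization-server-group {tg.authz_group} "
                            "is not a defined RADIUS aaa-server group")
        if not tg.authz_required:
            findings.append(f"{tg.name}: authorization-required is missing, so users the "
                            "authorization server does not accept may still connect")
    return findings


# Constructed sample: the configuration shown on the slides (expected to pass).
GOOD_CONFIG = """\
aaa-server ISE protocol radius
 interim-accounting-update
aaa-server ISE (management) host 192.168.111.6
 key *****
tunnel-group vpn.w365.vpnet.com type remote-access
tunnel-group vpn.w365.vpnet.com general-attributes
 authorization-server-group ISE
 authorization-required
tunnel-group vpn.w365.vpnet.com webvpn-attributes
 authentication certificate
 group-alias vpn.w365.vpnet.com enable
"""

# Constructed sample (hypothetical names): certificate-only group with no authorization at all.
BAD_CONFIG = """\
tunnel-group cert-only.example.com type remote-access
tunnel-group cert-only.example.com general-attributes
 default-group-policy GroupPolicy1
tunnel-group cert-only.example.com webvpn-attributes
 authentication certificate
"""

if __name__ == "__main__":
    for label, cfg in (("slides config", GOOD_CONFIG), ("misconfigured", BAD_CONFIG)):
        print(label, "->", audit(cfg) or "OK")
```

Feed it the output of show running-config (for example, pasted into a file) to confirm that every certificate-authenticated tunnel-group really hands off to ISE before reviewing the ISE policy side.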