AnyConnect Trusted Network Detection using Certificate Hash

khalid_mahmood
Level 4

Client Environment:

  • Cisco ISE v2.3
  • Cisco AnyConnect v4.5 client (ISE Posture, NAM and AnyConnect modules)
  • Windows 10 PCs with Machine certs issued by an Internal Sub Certificate Authority
    • AnyConnect NAM configured for EAP-TLS Authentication using Machine cert
  • Cisco Switches with 802.1x enabled in high Security Mode (Closed Mode)
  • Cisco ASA 5585 VPN Appliance
  • SSL VPN connection

We currently use AnyConnect Client v4.5 with Cisco ASA for SSL VPN. We have Always-On and Trusted Network Detection (TND) configured on the AnyConnect client using the Domain DNS name and a certificate check (URL). So Trusted Network Detection disconnects the VPN if it sees the DNS suffix “MyCompany.com” and finds the right certificate hash for a defined IP host.

i.e. https://x.y.z.v:443 = Hash=fdsajahfjhfkjfajhfjhfk43949324

We have multiple TND https:// entries to provide resilience, i.e. https://1.1.1.1:443, https://1.1.1.2:443

The question being: if the TND certificate hash check fails on the first entry, does it drop down to the next one on the list? Or is it a case of it only dropping to the next one if the first is unavailable?

Thanks, Khalid