topic Thank you all! in Network Access Control

Machine authorization when connecting via VPN

Jernej Vodopivec — Mon, 11 Mar 2019 07:17:18 GMT

Hi,

is it possible to create authorization policy on ISE that uses information from machine certificate installed on client laptops?

Users are using anyconnect 4.3. They are authenticated on ASA using user certificates.

Thank you!

Hi,

Gagandeep Singh — Fri, 09 Dec 2016 16:29:45 GMT

Hi,

You can use NAM module on top of AC secure mobility client for machine and user cert using EAP chaining on ISE.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Regards

Gagan

PS : rate if it helps!!!!

Hello Jernej-

nspasov — Fri, 09 Dec 2016 19:39:53 GMT

Hello Jernej-

I don't think this is possible. The certificate based authentication for VPN access is done locally on the ASA and not through ISE. At the moment there isn't an EAP based AnyConnect VPN that is supported by ISE. As a result, the certificate authentication and attributes checking is done on the ASA directly. You can still get the 2nd factor (for instance user authentication) against ISE but that is not done via EAP but PAP-ASCII.

I hope this helps!

Thank you for rating helpful posts!

Thank you both for your

Jernej Vodopivec — Sat, 10 Dec 2016 10:36:50 GMT

Thank you both for your answers.

Gagan, I've already checked this document about EAP chaining. But the document is about EAP chaining for 802.1x (wired & wireless) and there is no hint for VPN connections. And as Neno also said there is only PAP supported for VPN connections AFAIK.

Is there any other way to use NAM module for VPN connections?

Not at the moment. I am by no

nspasov — Sun, 11 Dec 2016 05:34:59 GMT

Not at the moment. I am by no means an expert on the topic but I had some discussions with TAC and here is my understanding. EAP is a Layer 2 protocol while the remote user communicates to the ASA via layer 3. Thus, with IKEv1 this is not possible. It appears that IKEv2 utilizes EAP so I am guessing there is some encapsulation that happens behind the scenes. However, the EAP-AnyConnect protocol is not supported by ISE/ACS.

Here is the exact reply that I got from TAC a while back and from the looks of it nothing has changed with regards to ISE supporting EAP-AnyConnect or AnyConnect supporting EAP 🙂

The current ASA implementation utilizes the core IKEv2 protocol but it requires the addition of many extensions including a proprietary EAP authentication method, AnyConnect EAP, which is the only authentication method supported. The AnyConnect EAP method serves as a conduit in IKEv2 to carry the new Aggregate Authentication protocol that has been developed for remote-access which streamlines and preserves all of the existing functionality for authenticating the client. This new Aggregate Authentication protocol will be used for both IKEv2 and SSL AnyConnect connections for the new client.

IKEv2 remote-access support is limited to the Cisco AnyConnect client since it uses a proprietary EAP authentication method and therefore, no 3rd party IKEv2 are supported.

Cisco ISE and Cisco ACS do not support EAP-Anyconnect.
Oddly, the IOS implementation of IKEv2 appears to support EAP-GTC, EAP-MD5, EAP-MSCHAPv2 and NOTEAP-Anyconnect.

Now, keep in mind that this is only for the authentication part. You can still configure the authorization to go to ISE, thus, any attributes that you are able to collect during the AAA process you should be able to use with an authorization rule in ISE.

Thank you for rating helpful posts!

Thank you all!

Jernej Vodopivec — Tue, 13 Dec 2016 09:49:13 GMT

Thank you all!

Even if the certificate

Peter Koltl — Tue, 13 Dec 2016 09:51:05 GMT

Even if the certificate authentication occurs on the ASA the authorization part can be assigned to ISE:

tunnel-group AC-ISE-cert general-attributes
 authorization-server-group ISE-RAD

AnyConnect can pick up a user certificate or a machine certificate.

In addition, you have to set

Peter Koltl — Sun, 15 Jan 2017 19:37:11 GMT

In addition, you have to set this RADIUS server group to authorize-only on ASA.

Re: In addition, you have to set

dazza_johnson — Mon, 18 Dec 2017 11:53:48 GMT

Hi there, so you can basically let the ASA "trust" the certificate (signed by a trusted CA) and then authorise the device/user on ISE by (I assume) extracting the CN and verifying it. As an example, the CN is deviceXYZ so the ASA can strip off deviceXYZ and authorise it via ISE which in turn verifies it exists in AD. Is that correct?

Re: In addition, you have to set

MARK BAKER — Tue, 05 Mar 2019 19:58:04 GMT

Thank you for this info. It was the missing piece for getting this to work. I saw many statements to use ISE for authorization only, but this is the first I have seen on how to configure it. I was trying to set authorization only on ISE itself before finding this.

FYI... I used this with SAML authentication to Azure instead of certificate, but it worked the same. I was able to use ISE with AD backend to assign group-policy based on user AD group assignment.