topic Re: VPN identification and authentication before establishing a connection in Network Access Control

VPN identification and authentication before establishing a connection

joseph.williams@atos.net — Wed, 24 Jul 2019 20:13:55 GMT

Have a customer who needs to follow IRS regulations. He needs to have verification of VPN clients BEFORE a connection is established. It looks like this might be possible on ISE.

What would be the easiest way? whitelist, MAC filtering, ???

How would I do it.

Thanks

Joe

Re: VPN identification and authentication before establishing a connection

Rob Ingram — Wed, 24 Jul 2019 22:15:51 GMT

Hi,

What hardware are you/your customer using? I don't believe it's possible on ASA but it certainly is on IOS routers.

The router can send it's credentials to the RADIUS server, which checks to confirm if valid and if sucessful establish a VPN tunnel. If using FlexVPN as part of authorization you can also dynamically assign QoS Policies, ZBFW membership, VRF etc per tunnel.

More information here and example configuration:-

http://www.ciscopress.com/articles/article.asp?p=1684781&seqNum=3

FlexVPN example

HTH

Re: VPN identification and authentication before establishing a connection

joseph.williams@atos.net — Wed, 24 Jul 2019 22:58:55 GMT

I am using a cisco 5508-x for my VPN. connecting with cisco anyconnect and authorizing under cisco ISE2.4

Re: VPN identification and authentication before establishing a connection

joseph.williams@atos.net — Wed, 24 Jul 2019 23:00:46 GMT

And these are customers coming into the network, not hubs, switches or routers.

Re: VPN identification and authentication before establishing a connection

Muhammad Awais Khan — Thu, 25 Jul 2019 00:39:54 GMT

HI,

My understanding for your question is to allow only specified VPN client devices ( pcs, tablets ) to the network when they connected via VPN. And it seems you are already using ISE which is then integrated with AD for the authentication.

There are multiple ways to do it depend on the scenario you want to use.

1) You can use machine cert + user authentication if you have internal PKI server. By this way only clients having valid pki certificate installed will be able to connect

2) You can create whitelist of MAC in AD. For this you need to use ACIDEX attribute. You need to pre-populate the MAC in AD and then can use Auth policy to match it. I saw a good example mentioned in below post for this method.

https://community.cisco.com/t5/identity-services-engine-ise/dynamic-attributes-mac-address-with-ise-and-vpn/td-p/3728301

Re: VPN identification and authentication before establishing a connection

joseph.williams@atos.net — Thu, 25 Jul 2019 17:38:01 GMT

Nope. Will not work. We do not use AD. These are customers and they do not have AD accounts and I cannot give them one.

Certs? Nope don't have a pki server.

Re: VPN identification and authentication before establishing a connection

Muhammad Awais Khan — Thu, 25 Jul 2019 23:26:25 GMT

Hi,

In that case, you can make a group in ISE with static MAC addresses. This should work. You can also create local accounts in the ISE which I believe you already created. So you can use combination of local account + mac or any of either.

Re: VPN identification and authentication before establishing a connection

hslai — Sat, 27 Jul 2019 23:19:00 GMT

Besides Mohammad's, you might be able to use Endpoint Attribute Selection Criteria in a DAP. Please note DAP might have some limitations.

Re: VPN identification and authentication before establishing a connection

david.haughn — Mon, 29 Jul 2019 19:05:12 GMT

Is there any way to accomplish this using only NAC settings or ASA CSD HostScan values? Or are the AAA attributes returned from ISE before any authentication occurs, or does it only happen after a successful authentication?

I think i'm trying to satisfy the exact same audit finding that Joseph is, and it explicitly says "...restrict access...before authentication occurs...", which according to the "Remote access sequence" in this document means the ASA has to allow/deny the anyconnect client using NAC or HostScan before the AAA sequence starts authentication.

Re: VPN identification and authentication before establishing a connection

david.haughn — Mon, 29 Jul 2019 19:07:18 GMT

Or for example is there a way to use eap-chaining where the computer authentication happens first, and if it fails, it doesn't continue with the user authentication?

Re: VPN identification and authentication before establishing a connection

david.haughn — Mon, 29 Jul 2019 19:12:00 GMT

In order to get the ACIDex attributes from AD, you have to successfully authenticate the user first, correct? What if you need to identify and deny/allow the machine before any authentication occurs? I'm trying to satisfy some very specific (and frankly unreasonable) requirements from the IRS as well.

Re: VPN identification and authentication before establishing a connection

paul — Tue, 30 Jul 2019 02:36:31 GMT

Certs is really the way to go. Setting up a PKI is not that difficult, but not sure how many devices would would need to get certs out to.

Re: VPN identification and authentication before establishing a connection

joseph.williams@atos.net — Fri, 02 Aug 2019 19:48:38 GMT

Nope, customers do not want a cert solution

Re: VPN identification and authentication before establishing a connection

paul — Fri, 02 Aug 2019 20:37:59 GMT

Well part of our job as consultants is to educate the customer on what the right solution is. I "guide" many customers away from their crazy ideas to the correct solution.

But I guess if they won't listen to the right solution, best of luck piecing one together.