https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701220#M494032 <P>Is there any way around certificates?</P> Wed, 05 Sep 2018 14:22:15 GMT Alex Pfeil 2018-09-05T14:22:15Z https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701213#M494030 <P>We have requirement to allow users to VPN into our network on work equipment only (no BYOD).&nbsp;Do we have to use posture in order to meet this requirement?</P> Wed, 05 Sep 2018 14:13:52 GMT https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701213#M494030 Alex Pfeil 2018-09-05T14:13:52Z https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701217#M494031 <P>You could do posture, but that would be overkill to simply answer the question "Is this device a corporate asset?"</P> <P>&nbsp;</P> <P>Configure your VPN head-end to do certificate authentication then send the authentication over to ISE to do User/MFA authentication.&nbsp; This assumes you have certificates pushed to your corporate devices.&nbsp; I usually setup two group URLs for my customers:</P> <P>&nbsp;</P> <P><A href="https://vpn.mycompany.com/vendor" target="_blank">https://vpn.mycompany.com/vendor</A></P> <P><A href="https://vpn.mycompany.com/employee" target="_blank">https://vpn.mycompany.com/employee</A></P> <P>&nbsp;</P> <P>The vendor group URL does User/MFA auth only, no certificate, but DACLs are applied to limit access to the network based on what the vendors need.</P> <P>&nbsp;</P> <P>The employee group URL does certificate + User/MFA auth to ensure connecting devices are corporate devices.</P> Wed, 05 Sep 2018 14:19:17 GMT https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701217#M494031 paul 2018-09-05T14:19:17Z https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701220#M494032 <P>Is there any way around certificates?</P> Wed, 05 Sep 2018 14:22:15 GMT https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701220#M494032 Alex Pfeil 2018-09-05T14:22:15Z https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701226#M494033 If the VPN head-end requires certificates to connect the user/device must present a proper certificate from a CA the VPN device trusts to issue certs. The only way to get around this would be extracting the certificate/private key from one device and move it to another. If your certificate templates allow for private key exporting and you are making it easy to do this then the integrity of your CA is gone.<BR /><BR /><BR /><BR /><BR /><BR /><BR /> Wed, 05 Sep 2018 14:25:15 GMT https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701226#M494033 paul 2018-09-05T14:25:15Z https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701229#M494034 <P>I just meant: is there a way to make sure the device is a corporate device without the certificate?</P> Wed, 05 Sep 2018 14:26:51 GMT https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701229#M494034 Alex Pfeil 2018-09-05T14:26:51Z https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701236#M494035 Posturing, but that is way more difficult to configure and support than a certificate check. The certificate check is a trivial setup, assuming you have certs already issues to connecting corporate devices.<BR /><BR /><BR /> Wed, 05 Sep 2018 14:30:15 GMT https://community.cisco.com/t5/network-access-control/vpn-and-ise-profiling/m-p/3701236#M494035 paul 2018-09-05T14:30:15Z