topic Re: auto remediation (certs) with APEX licence and anyconnect agent in Network Access Control

auto remediation (certs) with APEX licence and anyconnect agent

vark00001 — Sun, 24 Jun 2018 06:06:29 GMT

Hi All,

I have been thrown a question prior to ISE deployment in our organization. Soon we will have dot1x on every port of all user and things facing switches and authentication will be via ISE infrastructure.

Now among other things corporate desktops and laptops will be authenticated using PKI framework based machine certificates , wherein ISE will forward the query to corporate CA server for verification .

Now the requirement is , for the corporate machine which has , lets say , missing or expired or corrupted certificates , by default they wont be authenticated and perhaps provided a internet only VLAN, but since those belong to actual corporate users we like to auto-remidiate the situation without having to remove the dot1x and installing certificates or may be even sending someone to put in certificates manually or taking them to staging areas.

Can apex licence in conjugation with any connect client help there ? As i saw there was remediation scenario documentation for things like patches , anti virus etc , but nothing specfic to auto remediation of certificates .

Is that possible ? if yes, how ?

Varun

Re: auto remediation (certs) with APEX licence and anyconnect agent

howon — Mon, 25 Jun 2018 17:21:18 GMT

Few things to consider for expired certificate:

- In general corporate PKI (Especially if using MS CA), you can configure the CA server to issue certificates when the expiry date is near. This can be configured from MS CA console and is recommended. As long as the users are connecting the PC often enough before expiry, the machine should always have valid certificate

- Now, if you still want to address expired certificate consider following options:

1. If you want to allow expired certificates to authenticate then you can modify the 'Allowed protocols' for EAP-TLS to allow expired certificates. However, instead of providing full access, you can limit access to web portal where the user is instructed to take action to renew certificate.

2. It is generally not recommended to allow expired certificates to be authenticated due to security reasons. Better option is to use 'CERTIFICATE:DAYSTOEXPIRY' authorization condition to trigger user action when the certificate is near expiry.

3. You can simply deny access for expired certificate and redirect user to login via web portal using username and password

For above options, you don't need any Apex license as you are only leveraging basic RADIUS authentication.

Hosuk

Re: auto remediation (certs) with APEX licence and anyconnect agent

vark00001 — Tue, 26 Jun 2018 12:21:58 GMT

Thanks Hosuk,

The suggestions here do answer questions for expired certificate , but what can be a good suggestion for machines with no certificates. Imagine we have ordered 10 new machines and those get the image and other software's from a local SCCM server .

Today this is not a problem , since there is no dot1x on ports , so a new machine does a DHCP , get their SCCM server IP , get image and along with that a certificate is issued by scripts.

If in future after we establish ISE infrastructure with dot1x on all ports and we are trying to set up these 10 machines , they will not have anything to supply for EAPoL. What will we do in those case, some options are :-

-> remove dot1x temprorily , let them image and get certificates and then apply back DOT1X ( Very manual and prone to ports being left non-dot1x )

--> Stage the machines at designated location with no dot1x and then connect to LAN ( This will add logistics cost )

--> May be authenticate via MAB and then let it get imaged with access to SCCM's only and then do a COA for full access.

What to other companies do to handle such situations ?

Varun

Re: auto remediation (certs) with APEX licence and anyconnect agent

Jason Kunst — Tue, 26 Jun 2018 12:27:02 GMT

Would recommend last 2 options. Likely others from partners will chime in like berbee arne.bier

Re: auto remediation (certs) with APEX licence and anyconnect agent

vark00001 — Tue, 26 Jun 2018 16:52:20 GMT

Thanks Jason !!

would really appreciate real life experiences with this scenario.how are new machines handled generally.

certainly we are not the only organization with the dilemma.i am sure lot of companies order machines in their office and then

use SCCM for imaging. If the ports are dot1xed , then it will be like a chicken and egg problem.

Re: auto remediation (certs) with APEX licence and anyconnect agent

vark00001 — Thu, 28 Jun 2018 03:11:14 GMT

Hi Jason ,

Did you manage to find any feedback on this ?

Re: auto remediation (certs) with APEX licence and anyconnect agent

Jason Kunst — Thu, 28 Jun 2018 17:49:38 GMT

The people I copied were partners that might have shared their feedback. That’s all we have.

Re: auto remediation (certs) with APEX licence and anyconnect agent

vark00001 — Thu, 05 Jul 2018 03:14:06 GMT

Hi Jason ,

I actually found interesting line from Aaron woland in his famous book and its version 2 at page 271 , at least for expired certs , there seems to be an inbuilt feature

I am still trying to brainstorm what to do with brand new machines.

Varun

Re: auto remediation (certs) with APEX licence and anyconnect agent

hslai — Thu, 05 Jul 2018 04:29:39 GMT

Not all client OS's would present an expired certificate for EAP-TLS. For example, Windows clients do not.

Re: auto remediation (certs) with APEX licence and anyconnect agent

vark00001 — Fri, 06 Jul 2018 02:36:41 GMT

Ok ,

The case with new machines will be that they will not hand out any certificates even though the profiling will figure out based on DHCP , or other profiler's that at least the hardware is of corporate type . like HP model xx-yy.

So i am thinking of policy that say "match hardware type -corporate" and if they dont have certificates , give them access to only AD and SCCM servers and let them get a certificate and then do a COA.

Any thaught on if that can work ?

Varun

Re: auto remediation (certs) with APEX licence and anyconnect agent

vark00001 — Sun, 08 Jul 2018 14:42:27 GMT

Hello HSLAI ,

Any comments if this idea can work ?

Varun

Re: auto remediation (certs) with APEX licence and anyconnect agent

hslai — Sun, 08 Jul 2018 17:48:21 GMT

Sure, if the AD is also serving as DNS and DHCP, as well as the CA services.

Re: auto remediation (certs) with APEX licence and anyconnect agent

vark00001 — Mon, 09 Jul 2018 03:38:17 GMT

Nops , DNS and DHCP are based on completely different product - infoblocks . Though AD has the CA services running.

Varun

Re: auto remediation (certs) with APEX licence and anyconnect agent

hslai — Mon, 09 Jul 2018 12:33:36 GMT

Then, DNS and DHCP need allowed, as well. Or, at least DNS, if the endpoints are using static IP.