topic Re: VPN certificate auth using ISE? in Network Access Control

VPN certificate auth using ISE?

dazza_johnson — Wed, 10 May 2017 00:26:24 GMT

Hey guys, I'm sure I read about this but my Google-fu is letting me down....

Basically, trying to authenticate VPN users using machine certificates (Cisco ASA VPN termination point) using ISE. That way we limit VPN access to machines on the domain. The idea is similar to machine authentication using EAP-TLS, but over VPN.

I know you can't do EAP-TLS over VPN, but how is this achieved with ISE?

Thanks

Darren

Re: VPN certificate auth using ISE?

Craig Hyps — Wed, 10 May 2017 18:20:34 GMT

Typical VPN connection will terminate certificate auth at ASA, not ISE. In other words, ISE cannot authenticate the VPN users via certificate as it is never presented with a RADIUS auth request based on cert.

You could use secondary auth to verify identity based on extracted cert info, or straight user auth.

For cert only auth, you could use ISE for authorization only. You can lock down via tunnel group and then match RADIUS requests based on extended ASA VPN attributes (VPN-3000 disctionary...VSA ID: 3076/146). This would indicate user validated using machine cert.

Craig

Re: VPN certificate auth using ISE?

hslai — Wed, 10 May 2017 19:28:41 GMT

Adding to Craig, it's possible to perform EAP auth if using IKEv2 as the RA VPN protocol. See

Re: VPN certificate auth using ISE?

dazza_johnson — Wed, 10 May 2017 23:28:52 GMT

Can you provide a reference to this solution:

"You can lock down via tunnel group and then match RADIUS requests based on extended ASA VPN attributes (VPN-3000 disctionary...VSA ID: 3076/146). This would indicate user validated using machine cert."

I couldn't find anything.

Thanks

Re: VPN certificate auth using ISE?

Craig Hyps — Thu, 11 May 2017 01:46:54 GMT

The VPN Group config is probably more of an ASA question, but essentially you can dictate which auth methods apply to which tunnel group (Connection Profile). To authenticate to TG "Employee", for example, you can set the authentication to cert auth. Employees would select TG via drop down, or crafted URL that matches TG.

The attribute I previously mentioned would be matched in Authorization condition to grant Employee access:

Example below shows how to match on specific NDG based on VPN devices, or NAS-Port-Type. It also shows use of the RADIUS Attribute to match on TG name.

/Craig

Re: VPN certificate auth using ISE?

paul — Thu, 11 May 2017 14:24:52 GMT

Darren,

There are a few caveats you will run into when setting this up if this is your first time doing this. My standard VPN now for customers is this:

Tunnel Group- Employee

Group URL- www.mycompany.com/employee
Authentication- Cert + AAA
Client Profile- Mach Cert + Cert store override + Nice Name for Group URL (Employee VPN), automatic software updates, backup server config if needed

Tunnel Group- Vendor

Group URL- www.mycompany.com/vendor
Authentication- Cert + AAA
Client Profile- Nice Name for Group URL (Vendor VPN), no software updates, backup server config if needed

In ISE, I setup a Policy set for Employee VPN and one for Vendor VPN keying off the tunnel group name as Craig stated above. I usually don't use the other conditions as no other device is going to be setting that Tunnel Group parameter.

The trick here is you HAVE to download the employee client profile (XML) file and distribute that out to your employees ahead of time, i.e. use SCCM to push the file to the AnyConnect profiles directory. The reason for this is the AnyConnect client on its own cannot look into the computer cert store. It needs to be told to look there by the XML file.

So we usually push the file out, have users test with it then send a communication out to employees to have them start using "Employee VPN" in their drop down. Then after a while we monitor who is still using the old tunnel group and contact them directly eventually shutting off the legacy tunnel group.

Re: VPN certificate auth using ISE?

Craig Hyps — Thu, 11 May 2017 15:44:31 GMT

Using additional conditions like NDG will allow control over where policy is applied in case want to roll out and test to select VPN gateways.

Re: VPN certificate auth using ISE?

Christopher Liesfield — Thu, 31 Jan 2019 06:26:03 GMT

Hi Craig. It's been a while since your last post, however I'm hoping you can help us.

We have a scenario where we'd like to authenticate end user devices using machine based certificates. This is working fine on the ASA side - end user devices with valid certificates signed by our CA are authenticating without an issue - however we'd like to use ISE for authorisation, in particular for the dACLs.

We're finding it difficult to use a policy set (ISE v2.4) for this purpose, as the username is sent as "INVALID" when the ASA sends the AAA request to ISE - ie; authentication fails (probably due to certificate authentication being used instead of CHAP) - even though the authentication rule within the policy set is configured to "continue" if the username is not found - ie; we're using the authentication rule to match against the tunnel group to identify the correct dACL. Is there a trick we can use to "fool" ISE into accepting the authentication and then processing the authorisation? Given the end user device has been authenticated using machine based certificates, I'd say it is still a relatively secure approach.

Thanks in advance.

Chris.

Re: VPN certificate auth using ISE?

Peter Koltl — Mon, 25 Mar 2019 17:15:55 GMT

Christopher,

You should define an AAA server group in ASA and set the Connection Profile/Tunnel Group to use it for authorization only. AuthC is performed by ASA, ISE is not involved. Then an AuthZ request is sent to ISE, no AuthC is performed in this RADIUS session. This is implemented by Authorize-Only RADIUS request.

aaa-server ISERAD-authz protocol radius
authorize-only
tunnel-group EMP type remote-access
tunnel-group EMP general-attributes
authorization-server-group ISERAD-authz
authorization-required
username-from-certificate UPN
tunnel-group EMP webvpn-attributes
authentication certificate

The Username attribute will be contained in the RADIUS request and it should be the machine name. You should check and set in ASA which certificate field is suitable for computer name lookup in AD. I guess UPN or CN. It can be used by AD group membership conditions in ISE policy.

Re: VPN certificate auth using ISE?

mikiNet — Fri, 20 Sep 2019 07:56:59 GMT

Dear Peter,

But how about authentication configuration on ISE side ? If we still configure authentication with option "If username not found" -> Continue ?

To summarize: I need only authorization from ISE, because ASA authenticate my client based on certificate.

Question is: What I must configure in section about authentication in ISE 2.4 ?

Re: VPN certificate auth using ISE?

Peter Koltl — Thu, 26 Sep 2019 07:34:54 GMT

The Authentication Policy does not really matter in this case actually as the RADIUS request contains Authorize-only attribute. Our AuthC policy contains a single line:

Default -----> AD

Auth Fail: REJECT

User not Found: REJECT

Process fail: DROP

No CONTINUE is needed.

If you have authentication failure logs the RADIUS request may not be az AuthZ-only request.

Re: VPN certificate auth using ISE?

russ.carter — Mon, 06 Apr 2020 14:08:29 GMT

Hi Peter,

I am trying to get this working using AnyConnect, FTD and ISE 2.4.

When the username is sent to ISE for authorization, using the machine name attribute from the certificate, ISE is not matching my authz profile because it can't find the "user". It appears it is trying to look up a user rather than machine, which is failing. See output below. Any ideas if I can resolve this?

The same ISE is successfully authenticating and authorising machines based on machine certificates using 802.1x for wireless.

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - DEVICE.Location
	15048	Queried PIP - DEVICE.Device Type
	15048	Queried PIP - Radius.NAS-Port-Type
	24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	24432	Looking up user in Active Directory - TEST_AD
	24325	Resolving identity - MACHINE.test.local
	24313	Search for matching accounts at join point - test.local
	24359	Incoming identity was not rewritten - MACHINE.test.local
	24318	No matching account found in forest - test.local
	24322	Identity resolution detected no matching account
	24352	Identity resolution failed - ERROR_NO_SUCH_USER
	24412	User not found in Active Directory - TEST_AD
	15048	Queried PIP - test.ExternalGroups (2 times)
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	11003	Returned RADIUS Access-Reject

Thanks

Russ

Re: VPN certificate auth using ISE?

Peter Koltl — Sat, 18 Apr 2020 17:40:52 GMT

It should work if the certificate subject contains the Distinguished Name of the computer, e. g.

CN=machine,OU=Computers,DC=test,DC=local

instead of machine.test.local

Re: VPN certificate auth using ISE?

Peter Koltl — Mon, 30 Nov 2020 13:30:17 GMT

I had problems with FQDN and hostname too:

Then a rewrite rule helped:

CSCvu42244 bug might be relevant too.

Re: VPN certificate auth using ISE?

metafore — Fri, 21 Apr 2023 22:50:55 GMT

Hello Gentleman,

I have the same task.. In our current environmant we have Cisco ASA anyconnect VPN. User gets authenticated via Username and RSA secure ID token. We have anyconnect VPN client in our environment and that will be continue to be used. We now have requirement to enable Username+Password authentication via Cisco ISE along with RSA secure ID token, as well if user machine is having machine certificate then only it is allowed to authorize to connect to VPN. Can anyone help me and provide me step by step instructions. Any help would be much appreciated. Thanks in Advance.

Re: VPN certificate auth using ISE?

Peter Koltl — Mon, 05 Jun 2023 12:42:54 GMT

It is a complex task.

Cisco Secure Client will not use Machine certificate unless you create a client profile allowing machine certificates and place that XML on the client before connecting to ASA.

You need certificate+AAA combined authentication:

In RSA-RADIUS AAA group you should define RSA server which checks both AD-username/AD-password and the token code.

If you need Cisco ISE control (like AD group check), add ISE as an authorization server to the Connection Profile (it must be defined as Authorize-only so that ISE does not check password):

I hope that helps.

Re: VPN certificate auth using ISE?

metafore — Wed, 14 Jun 2023 00:20:00 GMT

Thanks @Peter Koltl . I applied AAA+Certificate auth along with secondary authentication method selected to RSA server which basically only checks for token code along with no secondary username configured. ISE as primary AAA username and password integrated with AD, with authorization profile matching to radius class attributes 25 (ASA group policy name).I installed public certificate with cn defined as fqdn of VPN name user access to ( bind to public interface IP of ASA). I had to enable auto cert and no user controllable in preference part 2 of xml client profile to avoid certificate pop up when user tries to connect to profile and push it ahead of a time on user machine to make it work. Thanks anyways its all sorted out....Thanks again for the help.

Re: VPN certificate auth using ISE?

Peter Koltl — Wed, 14 Jun 2023 07:04:34 GMT

Thanks @metafore for the feedback, best possible news!