topic Re: Identify corporate Macbook for VPN access in Network Access Control

Identify corporate Macbook for VPN access

Qingguo Zhang — Tue, 30 May 2017 13:13:02 GMT

How can we use ISE to ensure that only a company provided MAC Laptop would be allowed to join the network via VPN, and reject non-corporate MACbook?

Customer concerns is the admin rights can allow the certificate to be extracted and used on non-corporate devices.

This is whole end-to-end cisco solution we need to do POC (ISE + anyconncect + ASA).

I would like to propose two solution for customer reference, please let me know if it is feasible or there is any detailed pros/cons.

1) Double cert auth ( cert + smartcard/token) , this will need integration with smartcard/token vendor.
2) Cert auth + Mac address/BIOS serial posture check , based on hostscan it will input Mac address/serial number to ASA/ISE in advance.

Any comments is appreciated.

Re: Identify corporate Macbook for VPN access

paul — Tue, 30 May 2017 14:11:48 GMT

Are they using an MDM like JAMF to manage the Macs? If so, then you could explore an integration between ISE and JAMF to verify the Mac is registered. I am not a JAMF expert but I know this seems to be the defacto MDM many customers use for Mac management. I see ISE referenced in their 9.99 release notes.

http://docs.jamf.com/9.99.0/casper-suite/release-notes/What's_New_in_This_Release.html

Re: Identify corporate Macbook for VPN access

Timothy Abbott — Tue, 30 May 2017 14:48:36 GMT

Like you send, certs can be exported if user is admin. I don't think a smart card would help in this scenario either because CAC / smartcard is usually integrated via USB which could also be ported to a non-company owned asset. The best solution, as Paul brought up, would be the use of an MDM solution.

Regards,

-Tim

Re: Identify corporate Macbook for VPN access

Jimi — Thu, 15 Jun 2017 08:42:52 GMT

Hi Paul,

Thanks for the information, I'm currently in a situation as what Qingguo is encountering and the customer is asking if JAMF is the recommended solution with regards to MDM, would we be able to elaborate to them just what is the policy JAMF is using to identify corporate macbooks without cert and how does Cisco ISE utilizes that to verify if the Mac is registered as a corporate device.

Also, they would like to know if there's any way ISE is able to prevent users from upgrading to the latest MAC OS released by Apple and if not, what is the likelyhood that a MAC OS upgrade might break the ISE agent's compatibility support matrix.

Re: Identify corporate Macbook for VPN access

paul — Thu, 15 Jun 2017 12:52:03 GMT

I am by no means an MAC OS person so I may not be able to answer all the questions here but here is what I know from my experience. JAMF seems to be a very popular management solution for Macs. In their 9.99 release notes they added support for ISE MDM API v2:

http://docs.jamf.com/9.99.0/casper-suite/release-notes/What's_New_in_This_Release.html

I have never done a JAMF to Cisco ISE MDM integration so I am not sure what details you can get from that integration. I am not sure if OS version is a piece of information you get or not. You may be able to get OS version from the posture module, but I haven’t tried it.

The key reason JAMF has been used in my installs is to configure the Macs to present PEAP AD computer credentials as a means to authenticate the Macs. In most cases I do PEAP computer authentication as the means to ensure the attaching device is a managed asset. This is a trivial task on Windows devices. You can configure the Macs to do the exact same thing, but it is not a trivial task. There are methods to do it manually or using Apples OSX server MDM (can’t remember the name), but JAMF makes the process easier.

At the end of the day if you get PEAP computer auth working on the Macs you are treating them identically to the Windows domain joined devices.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: Identify corporate Macbook for VPN access

Jason Kunst — Thu, 15 Jun 2017 13:00:27 GMT

There is no way for ise or posture to block OS upgrades from taking place

Re: Identify corporate Macbook for VPN access

Jimi — Tue, 20 Jun 2017 05:05:15 GMT

Thanks for your responses Paul and Jason!