topic Re: Non AD users using Anyconnect and ISE in Network Access Control

Non AD users using Anyconnect and ISE

Asfandyar70754 — Wed, 30 Jun 2021 05:14:18 GMT

Hi guys

We have some third party employees that VPN using Anyconnect on 5525-x asa.

The thing is that they are not part of our AD. We want to deploy ISE in our network and we are looking to authenticate/authorize users using ISE instead of Asa.

Usually non AD users can Anyconnect using any laptop they want, but we are thinking to limit this, we want these non AD users to connect via Anyconnect using only company assigned laptops. Is there some way we can do this, maybe is there any feature in Posturing?

Would really appreciate if you guys can help me out here.

Re: Non AD users using Anyconnect and ISE

Rob Ingram — Wed, 30 Jun 2021 07:21:42 GMT

@Asfandyar70754

Use ISE posture (or ASA Dynamic Access Policies) to check for which AD domain the computer is joined to and the corporate issued AV/AM software or other attributes unique to your domain. If the device does not meet these requirements, they can be denied access.

Re: Non AD users using Anyconnect and ISE

Asfandyar70754 — Wed, 30 Jun 2021 07:32:12 GMT

Hello Rob

Thank you for your reply.

Unfortunately the users(3rd part users/contractors) are not in AD, that is the issue.

Can we install some sort of certificate in their devices to ensure that they use only assigned devices?

Re: Non AD users using Anyconnect and ISE

balaji.bandi — Wed, 30 Jun 2021 09:21:18 GMT

If you like you can also create 3rd party users in AD, with out any otehr resources access (that is what we do).

Re: Non AD users using Anyconnect and ISE

Asfandyar70754 — Wed, 30 Jun 2021 09:32:14 GMT

Hi Balaji,

Is this the only solution?

We have number of new contractors every other month we want to avoid the hassle of making users in AD again and again.

TIA

Re: Non AD users using Anyconnect and ISE

Rob Ingram — Wed, 30 Jun 2021 10:34:36 GMT

@Asfandyar70754

Fine, you can use the ISE Local Identity Store for the user accounts.....but you are issuing them with AD joined corporate laptop, so why not give them an AD user account?

Re: Non AD users using Anyconnect and ISE

balaji.bandi — Wed, 30 Jun 2021 11:23:12 GMT

the user not required any Local access ? you can use Local account that is not best ( as your requirement different with many other 3rd parties.)

or setup different source for these 3rd party in your area for authentication.

Re: Non AD users using Anyconnect and ISE

Marvin Rhoads — Wed, 30 Jun 2021 13:06:50 GMT

You can check both machine and user attributes as part of your authorization condition.

The machine check can be things like presence of a registry key showing the computer is domain-joined or a field in a certificate (for instance the issuing CA) or any number of other checks. Of course the certificate check assumes an enterprise CA is already setup and able to issue certificates to machines.

So the check could be IF machine has key xxx and user is member of ISE local identity group yyy (i.e., NOT AD authentication for the user) then assign an Authorization result that is appropriate for third party employees.

Re: Non AD users using Anyconnect and ISE

Asfandyar70754 — Thu, 01 Jul 2021 05:13:54 GMT

Hello Marvin

Thanks a lot for your response.

Can you please share some document for registering the certificates.

Re: Non AD users using Anyconnect and ISE

Asfandyar70754 — Fri, 02 Jul 2021 05:28:10 GMT

Hi @Marvin Rhoads

Thank you for your response. Your response seems most viable.

Can you please share some document to register certificates.

TIA

Re: Non AD users using Anyconnect and ISE

hslai — Mon, 05 Jul 2021 16:54:08 GMT

Check out some of videos from Lab Minutes: