topic Re: AnyConnect VPN Client DHCP Profiling in ISE to tell Corporate from BYOD in Network Security

AnyConnect VPN Client DHCP Profiling in ISE to tell Corporate from BYOD

rick505d3 — Tue, 12 Mar 2019 11:19:19 GMT

Hi,

I am trying to get the AnyConnet VPN client device's hostname in ISE. DHCP profiling probe is enabled on ISE and works for LAN devices.

AnyConnect is 4.6 version. The headend firewall is FTD 2110, 6.2.3. ISE is running 2.4 patch 5.

The VPN client gets an IP address via DHCP. The DHCP server (Windows) shows the active lease and displays the client's hostname correctly. ISE is also configured as a 3rd DHCP server on FTD for profiling purposes. However, the ISE DHCP profiling of AnyConnect clients is not working as ISE sees the DHCP request coming from the FTD's MAC address - confirmed on ISE through tcpdump capture. ISE create a new Endpoint record for the FTD's MAC address and shows the client's hostname under it. When a new client connects, ISE updates the FTD Endpoint MAC to that client's hostname. The actual client's MAC address also gets created as Endpoint in ISE but misses all the DHCP related profiling info, most importantly for me, the host-name attribute.

My question is if there is a command to tell the FTD to send the original client's MAC address in the DHCP discover message instead?

I need the above as a guestimate to tell apart Corporate from BYOD VPN devices. The customer doesn't have CA deployment so can't identify corporate devices through certificates. My intention is to use ISE AD Profiling Probe to assess that a device really is a corporate asset. AD Profiling Probe relies on hostname of the device to validate AD join status. I can't use DNS based probing as there is no DDNS setup on the central DHCP/DNS servers for VPN clients. ISE Posture could be an option (check for certain registry key for AD join) but even the latest FTD code 6.3 doesn't seem to support ISE Posture. Any other way we can identify VPN corporate from VPN BYOD devices?

Regards,

Rick.

Re: AnyConnect VPN Client DHCP Profiling in ISE to tell Corporate from BYOD

Mohammed al Baqari — Tue, 15 Jan 2019 05:39:04 GMT

I don't think you can do much in FTD. If it is ASA, I would advice to go
for ISE authorization for VPN connections which will help to profile using
Radius attributes. From Radius attributes you will get the correct mac
address of the endpoint and map it to AD using hostname which will achieve
what you are looking for. I am using it and working perfectly.

The problem with FTD that it doesn't support CoA yet which makes ISE
authorization for FTD anyconnect no possible yet. Hence, I stayed with ASA
and FP service module instead of FTD for VPN headend.

Re: AnyConnect VPN Client DHCP Profiling in ISE to tell Corporate from BYOD

rick505d3 — Tue, 15 Jan 2019 05:51:00 GMT

Thanks Muhammed,

Firepower 6.3 does seem to support CoA - https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#id_RADIUS_CoA

I get the correct MAC address (as a unique Endpoint record in ISE), which shows all relevant RADIUS attributes under it. The issue is it doesn't has any hostname field. So AD prob doesn't work.

Which RADIUS attributes are you using for profiling?

Regards,

Rick.

Re: AnyConnect VPN Client DHCP Profiling in ISE to tell Corporate from BYOD

Mohammed al Baqari — Wed, 16 Jan 2019 05:55:04 GMT

Hi Rick,

I didn't know that 6.3 is already out. I will be testing the feature with
it. ASA-TLVs are used to send the hostname to NAC which it uses to scan AD.