https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814027#M1099489 <P>Understood, but they already use username and password for primary authentication as well as Duo MFA for secondary. Can posture be used to check and ensure the machine certificate was used by the domain before it allows the connection?&nbsp;</P> Thu, 13 Apr 2023 19:47:14 GMT Jack G 2023-04-13T19:47:14Z https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814016#M1099487 <P>Per the documentation, what can be local certificate be used for? Can it be used to ensure the machine connecting to the VPN is a member of the domain or is there a better way to go about that? Don't have an ISE deployment. I can't seem to find additional configuration details about the certificate options.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/admin/guide/b-cisco-secure-client-admin-guide-5-0/configure-posture.html" target="_blank" rel="noopener">Cisco Secure Client (including AnyConnect) Administrator Guide, Release 5 - Configure Posture [Cisco Secure Client (including AnyConnect)] - Cisco</A></P> <P><SPAN>In contrast,&nbsp;</SPAN><SPAN class="ph">Secure Firewall Posture</SPAN><SPAN>&nbsp;performs server-side evaluation where the Secure Firewall ASA asks only for a list of endpoint attributes (such as operating system, IP address, registry entries, local certificates, and filenames), and they are returned by&nbsp;</SPAN><SPAN class="ph">Secure Firewall Posture</SPAN><SPAN>. Based on the result of the policy’s evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.</SPAN></P> Thu, 13 Apr 2023 19:16:33 GMT https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814016#M1099487 Jack G 2023-04-13T19:16:33Z https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814023#M1099488 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/175212">@Jack G</a>&nbsp;yes you can use certificate authentication to ensure the device connecting to the VPN is a corporate asset, assuming the device's certificate was issued from your AD via GPO, this joined to your AD domain.</P> <P>You don't need ISE for authentication or posture checking, you can use posturing checking directly on the ASA using hostscan. The hostscan can check registry settings which can also determine AD domain membership.</P> Thu, 13 Apr 2023 19:47:05 GMT https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814023#M1099488 Rob Ingram 2023-04-13T19:47:05Z https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814027#M1099489 <P>Understood, but they already use username and password for primary authentication as well as Duo MFA for secondary. Can posture be used to check and ensure the machine certificate was used by the domain before it allows the connection?&nbsp;</P> Thu, 13 Apr 2023 19:47:14 GMT https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814027#M1099489 Jack G 2023-04-13T19:47:14Z https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814047#M1099491 <P>I am not sure you can use posture to check the certificate. As mentioned before, you could do a registry check to determine if joined to the AD domain.</P> Thu, 13 Apr 2023 20:27:13 GMT https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814047#M1099491 Rob Ingram 2023-04-13T20:27:13Z https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814072#M1099493 <P>Long time ago we had pre-login policies as part of Cisco Secure Desktop (CSD) where we could check for a machine certificate pre-authentication and then authenticate with a user certificate but CSD was deprecated due to security concerns including cache cleaner, secure vault and pre-login policies.&nbsp;<BR />However, we added Multiple Certificate Authentication support&nbsp;which gives the ability to have the ASA validate the machine or device certificate, to ensure the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow VPN access.&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/212483-configure-asa-as-the-ssl-gateway-for-any.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/212483-configure-asa-as-the-ssl-gateway-for-any.html</A>&nbsp;<BR /><BR />If you used Multiple Certificate Authentication then those certificates would could be sent to DAP for further authorization, this was only supported with MCA but after 9.18 we also added the ability to send the certificate to DAP even if using single certificate.<BR /><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv50265" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv50265</A>&nbsp;</P> Thu, 13 Apr 2023 21:17:12 GMT https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814072#M1099493 Gustavo Medina 2023-04-13T21:17:12Z https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814544#M1099495 <P>I could never understand this enhancement request, because certificate information is passed to DAP in case of single cert auth in older versions too. It's shown in "debug dap trace". For Windows client one can use, for example:</P><P>assert(function()<BR />for k,v in pairs(endpoint.certificate.user) do<BR />if (v.subject_store == "capi_machine" and v_issuer_cn == "...") then<BR />return true<BR />end<BR />end<BR />return false<BR />end)()</P><P>The problem however is that hostscan looks through all certificates in both machine and user store (up to a certain limit, in my tests it was 13 certs or so) and not a single certificate which was used during SSL client authentication phase. This makes the feature useless in many scenarios.</P><P>&nbsp;</P> Fri, 14 Apr 2023 14:47:21 GMT https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4814544#M1099495 tvotna 2023-04-14T14:47:21Z https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4816405#M1099593 <P>The ENH was to add support to DAP directly without LUA.</P> Tue, 18 Apr 2023 02:49:58 GMT https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/4816405#M1099593 Gustavo Medina 2023-04-18T02:49:58Z https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/5126573#M1113383 <P>How can you do this through ASDM?<BR /><BR />There doesn't seem to be much if any documentation for doing it this way.</P> Thu, 06 Jun 2024 13:53:08 GMT https://community.cisco.com/t5/network-security/secure-client-anyconnect-posture-local-certificate-option/m-p/5126573#M1113383 dvizzle 2024-06-06T13:53:08Z