01-14-2019 08:58 PM - edited 03-12-2019 04:19 AM
Hi,
I am trying to get the AnyConnect VPN client device's hostname in ISE. DHCP profiling probe is enabled on ISE and works for LAN devices.
AnyConnect is 4.6 version. The headend firewall is FTD 2110, 6.2.3. ISE is running 2.4 patch 5.
The VPN client gets an IP address via DHCP. The DHCP server (Windows) shows the active lease and displays the client's hostname correctly. ISE is also configured as a 3rd DHCP server on FTD for profiling purposes. However, the ISE DHCP profiling of AnyConnect clients is not working as ISE sees the DHCP request coming from the FTD's MAC address - confirmed on ISE through tcpdump capture. ISE creates a new Endpoint record for the FTD's MAC address and shows the client's hostname under it. When a new client connects, ISE updates the FTD Endpoint MAC to that client's hostname. The actual client's MAC address also gets created as an Endpoint in ISE but misses all the DHCP related profiling info, most importantly for me, the host-name attribute.
My question is if there is a command to tell the FTD to send the original client's MAC address in the DHCP discover message instead?
I need the above as a guesstimate to tell apart Corporate from BYOD VPN devices. The customer doesn't have CA deployment so it can't identify corporate devices through certificates. My intention is to use ISE AD Profiling Probe to assess that a device really is a corporate asset. AD Profiling Probe relies on hostname of the device to validate AD join status. I can't use DNS based probing as there is no DDNS setup on the central DHCP/DNS servers for VPN clients. ISE Posture could be an option (check for certain registry key for AD join) but even the latest FTD code 6.3 doesn't seem to support ISE Posture. Any other way we can identify VPN corporate from VPN BYOD devices?
Regards,
Rick.
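To make the behaviour Rick describes concrete, here is an added example (not Cisco, ISE or FTD code, and not part of the original post): a small DHCP parser plus a toy profiler that, like a MAC-keyed endpoint database, attributes the DHCP host-name option (option 12) to the hardware address (chaddr) of each request. It feeds in constructed packets: one from an on-LAN host, and two on behalf of VPN clients where the headend's own MAC sits in chaddr, which is what the tcpdump in the post showed. All MACs, IPs and hostnames are made-up sample values, and the giaddr field being set to the headend's address is an assumption for illustration only.

```python
"""Toy DHCP parser + MAC-keyed profiler (added example, not Cisco/ISE code).

Shows why a profiler that keys DHCP-learned attributes by the DHCP client
hardware address (chaddr) collapses every VPN client onto the headend's MAC
when the headend, not the client, is the hardware address in the request.
All MACs, IPs and hostnames below are constructed sample values.
"""
import struct
from dataclasses import dataclass, field

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 options magic cookie
OPT_MSG_TYPE, OPT_HOSTNAME, OPT_END = 53, 12, 255


@dataclass
class DhcpMessage:
    op: int
    chaddr: str            # client hardware address, colon-hex
    giaddr: str            # relay/gateway IP, 0.0.0.0 when not set
    options: dict = field(default_factory=dict)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_discover(chaddr: bytes, hostname: bytes, giaddr: bytes = b"\x00" * 4) -> bytes:
    """Build a minimal DHCPDISCOVER: 236-byte BOOTP header + option 53 + option 12."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x1234ABCD, 0, 0x8000,           # xid, secs, flags (broadcast bit)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, giaddr,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\x00"),       # chaddr field is 16 bytes wide
        b"\x00" * 64, b"\x00" * 128,     # sname, file
    )
    options = (DHCP_MAGIC
               + bytes([OPT_MSG_TYPE, 1, 1])                    # 1 = DHCPDISCOVER
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_END]))
    return header + options


def parse_dhcp(pkt: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the TLV option list."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    msg = DhcpMessage(op=pkt[0], chaddr=_mac(pkt[28:28 + hlen]), giaddr=_ip(pkt[24:28]))
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:          # pad option, single byte
            i += 1
            continue
        length = pkt[i + 1]
        msg.options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def profile_endpoints(packets) -> dict:
    """Attribute the host-name option to the chaddr of each request, the way a
    MAC-keyed endpoint database does. A later request with the same chaddr
    overwrites the earlier hostname, so the per-client history is lost."""
    endpoints = {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        endpoints[msg.chaddr] = msg.options.get(OPT_HOSTNAME, b"").decode("ascii", "replace")
    return endpoints


# Constructed sample traffic (not real captures):
LAN_CLIENT_MAC = b"\x00\x11\x22\x33\x44\x55"
HEADEND_MAC = b"\x00\xde\xad\xbe\xef\x01"     # the firewall's own MAC
HEADEND_IP = b"\x0a\x00\x00\x01"               # 10.0.0.1, assumed to appear in giaddr

SAMPLE_PACKETS = [
    build_discover(LAN_CLIENT_MAC, b"CORP-LAPTOP-01"),                  # on-LAN host
    build_discover(HEADEND_MAC, b"CORP-LAPTOP-02", giaddr=HEADEND_IP),  # VPN client 1 via headend
    build_discover(HEADEND_MAC, b"BYOD-PHONE", giaddr=HEADEND_IP),      # VPN client 2 via headend
]

if __name__ == "__main__":
    for mac, host in profile_endpoints(SAMPLE_PACKETS).items():
        print(f"{mac} -> {host!r}")
```

Running it yields two endpoint records, not three: the LAN host keeps its own hostname, while the headend's MAC ends up holding only the most recent VPN client's hostname and the VPN clients' real MACs never appear in the DHCP-derived data at all. That is exactly the overwrite-on-each-connect effect described in the post, and it is why any hostname-based check (such as an AD probe) keyed on the VPN client's MAC has nothing to work with.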
01-14-2019 09:39 PM
01-14-2019 09:51 PM
Thanks Muhammed,
Firepower 6.3 does seem to support CoA - https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#id_RADIUS_CoA
I get the correct MAC address (as a unique Endpoint record in ISE), which shows all relevant RADIUS attributes under it. The issue is it doesn't have any hostname field. So AD probe doesn't work.
Which RADIUS attributes are you using for profiling?
Regards,
Rick.
01-15-2019 09:55 PM