cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6367
Views
11
Helpful
6
Replies

Cisco Anyconnect with ISE - using device certificates to differentiate corporate assets

kennrawa1
Level 1
Level 1

A little about the environment:

Cisco ASA 5525X Version 9.4(4)5

Cisco AnyConnect anyconnect-win-4.4.02034-webdeploy-k9.pkg

Cisco ISE 2.0.0.306

I am deploying a new Client VPN solution for a customer.  Part of the posture and authentication requirements is to validate in Microsoft Management center the machine certificate CN. Normally this could be accomplished in the the Anyconnect XML profile with hostscan (Cisco AnyConnect Posture Module) but this does not work in conjunction or simultaneously with the Cisco AnyConnect ISE Posture Module on the windows machine.

In wireless environments in the policy set under authorization policy you can define Radius:Calling-Station-ID EQUALS CERTIFICATE: <Parameter searching for>.  Since the ASA is proxying this radius request I am not certain the Radius Calling station condition would work.

Is there a solution where the VPN connecting client machine can be authenticated by the ISE server for a specific machine cert since ASA posture module is no longer an option?

Thanks in Advance!

Kenny

1 Accepted Solution

Accepted Solutions

No it is the same XML profile that you are used to working with. If you open up one of your AnyConnect profiles you will see an option to set authentication type to Machine and enable Cert Store Override.

Like I said in the original post the only caveat with computer cert authentication is the XML profile needs to be pushed ahead of time to the clients. So I usually create an Employee VPN profile on the ASA setting it up for Machine authentication, setting up the friendly name for the profile “MyCompany Employee VPN” and setting up the backup server/groups URLs as needed. All standard VPN profile stuff. Then I download the XML file and push it out with SCCM or whatever the client uses for software distribution.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

View solution in original post

6 Replies 6

paul
Level 10
Level 10

Are they trying to differentiate between corporate assets or just trying to make sure the connecting device is a corporate asset?

They want to use the certificate as a way to validate that it is a corporate asset being used to connect to the network.

I just usually do this with standard AAA/Cert authentication on the ASA.  If you are doing computer cert authentication you have to push an XML profile to the clients ahead of time to allow AnyConnect to look into the machine store:

<CertificateStore>Machine</CertificateStore>

<CertificateStoreOverride>true</CertificateStoreOverride>

The ASA does the cert auth piece easily enough.  I usually setup a group URL like:

vpn.mycompany.com/employee

This maps to a tunnel group called Employee which has AAA/Cert auth enabled.  The ASA does the machine cert auth; no DAP, no host scan; just standard cert authentication.  Then the user auth piece is sent to ISE.  As part of the RADIUS request the tunnel group name is included so I setup an ISE policy set that in specific for the tunnel group name Employee knowing that the only way I would receive a request from the ASA for this tunnel group is if the machine cert has already been validated.

Then to handle the one off vendor uses cases (I try to steer customers away from allowing vendors to connect to VPN any more), I setup a group URL:


vpn.mycompany.com/vendor


and tunnel group called Vendor.  Make an ISE policy set matching the Vendor tunnel group name and you have a nice clean setup to push DACLS or whatever you want to non-corporate assets.


All very clean.

Hi Paul,

Thanks for the help.  For the most part, this makes sense if I am understanding correctly.  you are stating under the anyconnect connection profile I need to set the authentication method as both ISE and Certificate.  What I am not certain of is the XML script.  I have created an Anyconnect VPN profile XML script under the anyconnect client profile section but I am assuming this XML cert auth script is referencing something else.  Could you elaborate?

No it is the same XML profile that you are used to working with. If you open up one of your AnyConnect profiles you will see an option to set authentication type to Machine and enable Cert Store Override.

Like I said in the original post the only caveat with computer cert authentication is the XML profile needs to be pushed ahead of time to the clients. So I usually create an Employee VPN profile on the ASA setting it up for Machine authentication, setting up the friendly name for the profile “MyCompany Employee VPN” and setting up the backup server/groups URLs as needed. All standard VPN profile stuff. Then I download the XML file and push it out with SCCM or whatever the client uses for software distribution.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

perfect, thanks for the help, I got it working.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: