ISE Integration with Symantec VIP for RA VPN

Ali Koussan
Level 1

Hi,

I appreciate any help if someone has tested the scenario below, whether it is doable or not.

Our customer got Firepower appliances for a remote access VPN service using AnyConnect, and ISE as the authentication server for remote access VPN users. The plan is to integrate ISE with Symantec VIP for 2FA (which is possible). The question is:

The customer wants some of the RA users to use a specific laptop or phone when they connect using AnyConnect and, of course, use the Symantec 2FA. I'm trying to explore my options here; I could think of the following:

Maybe we can use the Symantec VIP as an external RADIUS, and use it in the identity source sequence in the authentication policy. Then we use the internal Endpoint identity which has the MAC address of the users, and then in the authorization policy we match based on the Endpoint identity.

Or, maybe we install a machine certificate on the client machine and use the certificate as an authentication method in the identity source sequence, but I'm not sure if in the same identity sequence I can choose the Symantec VIP, which is an external RADIUS. Usually we choose AD with certificate authentication in the identity source sequence; I do not know if we can choose an external RADIUS with certificate in the identity source sequence.

Does anyone have experience with such a scenario? Any suggestion!

Thanks


3 Replies

howon
Cisco Employee

There may be multiple ways, but as you mentioned, we can use MAC. AnyConnect will send the MAC in ACIDEX. You can follow the information in this posting:

https://community.cisco.com/t5/identity-services-engine-ise/dynamic-attributes-mac-address-with-ise-and-vpn/td-p/3728301

Another option is to use the AnyConnect posture module, which can key off a certain watermark added to the Windows registry or macOS plist file.

Another option is using certificates, but note that certificate validation is generally done on the VPN gateway itself, not on the RADIUS server. You may be able to validate the certificate on the RADIUS server using IKEv2 with EAP as the authentication protocol, but I'm not sure if that is feasible in the scenario.

Hello howon,

Thank you for your valuable information.

According to the post https://community.cisco.com/t5/identity-services-engine-ise/dynamic-attributes-mac-address-with-ise-and-vpn/td-p/3728301

if I understood correctly, that's applicable if the machine is part of the AD. In my scenario, the machine is not part of the AD. I do not know if I can still use the ACIDEX information to match on the client machine MAC address before I assign an authorization profile.

All that I need is that, after authenticating the user with Symantec VIP, in the authorization policy I want to match on the client machine MAC address before I assign an authorization profile to that user. Can ACIDEX help in this case?

Using posture is also a valid solution, and we will use it for users which are part of the AD, but not for users not in the AD.

Ali


Yes, ACIDEX provides the MAC addresses of the RA-VPN endpoints.
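As an added illustration of the decision the thread converges on (not code from the thread or from Cisco), the script below simulates the ISE authorization step: after the external RADIUS (Symantec VIP) has authenticated the user, the ACIDEX device MAC carried in the RADIUS Cisco-AVPair is normalized to ISE's colon-separated form and checked against the endpoints registered for that user. The `mdm-tlv=device-mac=...` attribute name is assumed from ISE live-log observation, the AV-pair values and the allowlist are constructed, and binding the device to a specific user goes one step beyond the page's endpoint-identity-group match.

```python
import re

# Constructed sample of Cisco-AVPair values as AnyConnect ACIDEX reports them
# (attribute names assumed; confirm against your own ISE live logs).
SAMPLE_AVPAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=00-11-22-AA-BB-CC",
    "mdm-tlv=device-type=Lenovo ThinkPad",
]

# Constructed stand-in for ISE's internal endpoint DB: username -> MACs
# stored in ISE's canonical XX:XX:XX:XX:XX:XX form.
ALLOWED_DEVICES = {
    "alice": {"00:11:22:AA:BB:CC"},
    "bob": {"DE:AD:BE:EF:00:01"},
}


def normalize_mac(raw):
    """Accept dash, colon, dot or bare hex notation; return ISE form or None."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_acidex(avpairs):
    """Collect the mdm-tlv key/value pairs; other AV pairs are ignored."""
    attrs = {}
    for av in avpairs:
        if av.startswith("mdm-tlv="):
            key, _, value = av[len("mdm-tlv="):].partition("=")
            attrs[key] = value
    return attrs


def authorize(username, avpairs, allowed=ALLOWED_DEVICES):
    """Authorization rule applied after 2FA succeeded on the external RADIUS.

    ACIDEX values are reported by the AnyConnect client, so this binds the
    session to a known device rather than proving the device's identity;
    any missing or malformed MAC falls through to the restricted profile.
    """
    mac = normalize_mac(parse_acidex(avpairs).get("device-mac", ""))
    if mac is not None and mac in allowed.get(username, set()):
        return "FullVPNAccess"
    return "RestrictedAccess"
```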