
Contributor

VPN certificate auth using ISE?

Hey guys, I'm sure I read about this but my Google-fu is letting me down....

Basically, trying to authenticate VPN users using machine certificates (Cisco ASA VPN termination point) using ISE. That way we limit VPN access to machines on the domain. The idea is similar to machine authentication using EAP-TLS, but over VPN.

I know you can't do EAP-TLS over VPN, but how is this achieved with ISE?

Thanks

Darren

Accepted Solution
Advocate

Re: VPN certificate auth using ISE?

Typical VPN connection will terminate certificate auth at ASA, not ISE.  In other words, ISE cannot authenticate the VPN users via certificate as it is never presented with a RADIUS auth request based on cert. 

You could use secondary auth to verify identity based on extracted cert info, or straight user auth.

For cert-only auth, you could use ISE for authorization only.  You can lock down via tunnel group and then match RADIUS requests based on extended ASA VPN attributes (VPN-3000 dictionary...VSA ID: 3076/146).  This would indicate the user validated using a machine cert.

Craig

8 Replies

Contributor

Re: VPN certificate auth using ISE?

Can you provide a reference to this solution:

"You can lock down via tunnel group and then match RADIUS requests based on extended ASA VPN attributes (VPN-3000 dictionary...VSA ID: 3076/146).  This would indicate user validated using machine cert."


I couldn't find anything.


Thanks

Advocate

Re: VPN certificate auth using ISE?

The VPN Group config is probably more of an ASA question, but essentially you can dictate which auth methods apply to which tunnel group (Connection Profile).  To authenticate to TG "Employee", for example, you can set the authentication to cert auth.  Employees would select the TG via a drop-down, or a crafted URL that matches the TG.

The attribute I previously mentioned would be matched in Authorization condition to grant Employee access:

Example below shows how to match on specific NDG based on VPN devices, or NAS-Port-Type.  It also shows use of the RADIUS Attribute to match on TG name.

/Craig

VIP Engager

Re: VPN certificate auth using ISE?

Darren,

There are a few caveats you will run into when setting this up if this is your first time doing this.  My standard VPN now for customers is this:

Tunnel Group - Employee

  • Group URL - www.mycompany.com/employee
  • Authentication - Cert + AAA
  • Client Profile - Mach Cert + Cert store override + Nice Name for Group URL (Employee VPN), automatic software updates, backup server config if needed

Tunnel Group - Vendor

  • Group URL - www.mycompany.com/vendor
  • Authentication - Cert + AAA
  • Client Profile - Nice Name for Group URL (Vendor VPN), no software updates, backup server config if needed

In ISE, I set up a Policy Set for Employee VPN and one for Vendor VPN keying off the tunnel group name as Craig stated above.  I usually don't use the other conditions as no other device is going to be setting that Tunnel Group parameter.


The trick here is you HAVE to download the employee client profile (XML) file and distribute that out to your employees ahead of time, i.e. use SCCM to push the file to the AnyConnect profiles directory.  The reason for this is the AnyConnect client on its own cannot look into the computer cert store.  It needs to be told to look there by the XML file.


So we usually push the file out, have users test with it, then send a communication out to employees to have them start using "Employee VPN" in their drop-down.  Then after a while we monitor who is still using the old tunnel group and contact them directly, eventually shutting off the legacy tunnel group.


Advocate

Re: VPN certificate auth using ISE?

Using additional conditions like NDG will allow control over where policy is applied in case you want to roll out and test to select VPN gateways.

Re: VPN certificate auth using ISE?

Hi Craig. It's been a while since your last post, however I'm hoping you can help us.

We have a scenario where we'd like to authenticate end user devices using machine based certificates. This is working fine on the ASA side - end user devices with valid certificates signed by our CA are authenticating without an issue - however we'd like to use ISE for authorisation, in particular for the dACLs.

We're finding it difficult to use a policy set (ISE v2.4) for this purpose, as the username is sent as "INVALID" when the ASA sends the AAA request to ISE, i.e. authentication fails (probably due to certificate authentication being used instead of CHAP), even though the authentication rule within the policy set is configured to "continue" if the username is not found, i.e. we're using the authentication rule to match against the tunnel group to identify the correct dACL. Is there a trick we can use to "fool" ISE into accepting the authentication and then processing the authorisation? Given the end user device has been authenticated using machine based certificates, I'd say it is still a relatively secure approach.

Thanks in advance.

Chris.

Cisco Employee

Re: VPN certificate auth using ISE?

Contributor

Re: VPN certificate auth using ISE?

Christopher,


You should define an AAA server group in ASA and set the Connection Profile/Tunnel Group to use it for authorization only. AuthC is performed by ASA, ISE is not involved. Then an AuthZ request is sent to ISE, no AuthC is performed in this RADIUS session. This is implemented by Authorize-Only RADIUS request.


aaa-server ISERAD-authz protocol radius
  authorize-only
tunnel-group EMP type remote-access
tunnel-group EMP general-attributes
  authorization-server-group ISERAD-authz
  authorization-required
  username-from-certificate UPN
tunnel-group EMP webvpn-attributes
  authentication certificate


The Username attribute will be contained in the RADIUS request and it should be the machine name. You should check and set in ASA which certificate field is suitable for computer name lookup in AD. I guess UPN or CN. It can be used by AD group membership conditions in ISE policy.
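To make concrete what Craig's VSA match and the authorize-only flow above look like on the wire, here is an added example (not code from the thread, ISE or the ASA) that builds a constructed RADIUS Access-Request the way an ASA in authorize-only mode would send it, parses it, and applies a policy-set rule that keys on the VPN-3000 VSA 3076/146 (Tunnel-Group-Name). It assumes the ASA marks such requests with Service-Type Authorize-Only (value 17, RFC 3576) and NAS-Port-Type Virtual (5); the tunnel-group and dACL names are constructed.

```python
import struct

USER_NAME, SERVICE_TYPE, VSA, NAS_PORT_TYPE = 1, 6, 26, 61   # RFC 2865 attribute types
AUTHORIZE_ONLY, VIRTUAL = 17, 5          # Service-Type (RFC 3576) and NAS-Port-Type values
VENDOR_VPN3000 = 3076                    # vendor id from the thread ("VSA ID: 3076/146")
TUNNEL_GROUP_NAME = 146                  # vendor attribute carrying the tunnel-group name
POLICY = {"EMP": "EMPLOYEE-DACL", "VENDOR": "VENDOR-DACL"}   # constructed rule table

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value (length covers the header)."""
    return bytes([atype, 2 + len(value)]) + value

def vsa(vendor, vtype, value):
    """Encode a Vendor-Specific attribute holding a single vendor sub-attribute."""
    return attr(VSA, struct.pack("!I", vendor) + bytes([vtype, 2 + len(value)]) + value)

def build_access_request(username, tunnel_group, service_type=AUTHORIZE_ONLY, ident=1):
    """Constructed Access-Request; a real one carries a random Request Authenticator."""
    body = (attr(USER_NAME, username.encode())
            + attr(SERVICE_TYPE, struct.pack("!I", service_type))
            + attr(NAS_PORT_TYPE, struct.pack("!I", VIRTUAL))
            + vsa(VENDOR_VPN3000, TUNNEL_GROUP_NAME, tunnel_group.encode()))
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body  # code 1

def parse_access_request(pkt):
    """Return {type: value} for plain attributes and {(vendor, vtype): value} for VSAs."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, i = {}, 20
    while i < length:
        atype, alen = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + alen]
        if atype == VSA:                     # one sub-attribute per VSA, as built above
            vendor = struct.unpack("!I", val[:4])[0]
            attrs[(vendor, val[4])] = val[6:4 + val[5]]
        else:
            attrs[atype] = val
        i += alen
    return attrs

def authorize(attrs):
    """Mirror the ISE rule: only authorize-only VPN requests reach the tunnel-group match."""
    if attrs.get(SERVICE_TYPE) != struct.pack("!I", AUTHORIZE_ONLY):
        return None                          # would be evaluated by authentication rules instead
    if attrs.get(NAS_PORT_TYPE) != struct.pack("!I", VIRTUAL):
        return None                          # not a VPN session
    tg = attrs.get((VENDOR_VPN3000, TUNNEL_GROUP_NAME), b"").decode()
    return POLICY.get(tg)                    # dACL name, or None for an unknown tunnel group
```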