VPN identification and authentication before establishing a connection

Have a customer who needs to follow IRS regulations. He needs to have verification of VPN clients BEFORE a connection is established. It looks like this might be possible on ISE.

What would be the easiest way? Whitelist, MAC filtering, ...?

How would I do it?

Thanks

Joe

13 REPLIES
RJI (VIP Advisor)

Re: VPN identification and authentication before establishing a connection

Hi,

What hardware are you/your customer using? I don't believe it's possible on ASA but it certainly is on IOS routers.

The router can send its credentials to the RADIUS server, which checks whether they are valid and, if successful, establishes the VPN tunnel. If using FlexVPN, as part of authorization you can also dynamically assign QoS policies, ZBFW membership, VRF etc. per tunnel.

More information and an example configuration here:

http://www.ciscopress.com/articles/article.asp?p=1684781&seqNum=3

FlexVPN example
HTH

Re: VPN identification and authentication before establishing a connection

I am using a Cisco 5508-X for my VPN, connecting with Cisco AnyConnect and authorizing under Cisco ISE 2.4.

Re: VPN identification and authentication before establishing a connection

And these are customers coming into the network, not hubs, switches or routers.

Re: VPN identification and authentication before establishing a connection

Hi,

My understanding of your question is that you want to allow only specified VPN client devices (PCs, tablets) onto the network when they connect via VPN. And it seems you are already using ISE, which is then integrated with AD for the authentication.

There are multiple ways to do it, depending on the scenario you want to use.

1) You can use machine cert + user authentication if you have an internal PKI server. This way only clients with a valid PKI certificate installed will be able to connect.

2) You can create a whitelist of MACs in AD. For this you need to use the ACIDEX attribute. You need to pre-populate the MAC in AD and then can use an Auth policy to match it. I saw a good example of this method in the post below.

https://community.cisco.com/t5/identity-services-engine-ise/dynamic-attributes-mac-address-with-ise-and-vpn/td-p/3728301

Re: VPN identification and authentication before establishing a connection

Nope. Will not work. We do not use AD. These are customers, and they do not have AD accounts and I cannot give them one.

Certs? Nope, don't have a PKI server.

Re: VPN identification and authentication before establishing a connection

Hi,

In that case, you can make a group in ISE with static MAC addresses. This should work. You can also create local accounts in ISE, which I believe you have already created. So you can use a combination of local account + MAC, or either one on its own.
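Both the MAC whitelist idea above (option 2 in the earlier reply) and the static-MAC endpoint group in ISE suggested here share one practical problem: the customer hands over MAC addresses in whatever format their inventory tool produces, and ISE matches on the upper-case, colon-separated form. The script below is an added example written for this thread, not Cisco's code and not something posted in the discussion. It canonicalises and de-duplicates a MAC list, rejects anything that is not a real MAC so a typo cannot become a silent non-matching entry, and builds the JSON bodies for the ISE ERS API calls that create an endpoint identity group and statically assign endpoints to it. The ERS paths and JSON field names follow the ISE 2.x ERS documentation as I recall it, so treat them as assumptions to check against your release; the host name, credentials, group name and the sample MAC list are constructed placeholders.

```python
"""Turn a customer-supplied MAC list into an ISE endpoint-group whitelist.

Added example for this thread; not Cisco code. ERS paths/field names are
assumptions to verify against your ISE release's ERS documentation.
"""
import base64
import json
import re
import urllib.request
from typing import Dict, Iterable, List, Tuple

# ISE stores and matches endpoint MACs as upper-case, colon-separated pairs.
_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"^[0-9A-F]{12}$")

# Constructed sample input: the mix of formats a customer spreadsheet tends to
# contain (colon, Cisco dotted, hyphen, bare hex) plus two invalid entries.
SAMPLE_MACS = [
    "00:11:22:33:44:55",
    "0011.2233.4455",      # same device, Cisco dotted form -> de-duplicated
    "AA-BB-CC-DD-EE-01",
    "aabbccddee01",        # same device again, bare hex -> de-duplicated
    "00:11:22:33:44:GG",   # not hex -> rejected
    "not-a-mac",           # garbage -> rejected
]


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to AA:BB:CC:DD:EE:FF or raise ValueError."""
    digits = _SEPARATORS.sub("", raw.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_whitelist(raw_macs: Iterable[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (sorted canonical MACs, {rejected input: reason}).

    Rejected entries are reported rather than dropped so the list the customer
    signed off on can be reconciled with what actually lands in ISE.
    """
    accepted = set()
    rejected: Dict[str, str] = {}
    for raw in raw_macs:
        try:
            accepted.add(normalize_mac(raw))
        except ValueError as exc:
            rejected[raw] = str(exc)
    return sorted(accepted), rejected


def endpoint_group_payload(name: str, description: str = "") -> dict:
    """Body for POST /ers/config/endpointgroup (assumed ISE 2.x ERS schema)."""
    return {"EndPointGroup": {"name": name, "description": description,
                              "systemDefined": False}}


def endpoint_payload(mac: str, group_id: str) -> dict:
    """Body for POST /ers/config/endpoint, statically pinned to the group."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac), "groupId": group_id,
                            "staticGroupAssignment": True}}


def ers_post(host: str, user: str, password: str, path: str, body: dict,
             timeout: int = 10) -> Tuple[int, str]:
    """POST one JSON object to the ISE ERS API (port 9060, HTTP basic auth).

    Returns (HTTP status, Location header); ERS answers a create with 201 and a
    Location URL whose last path element is the new object's id. Assumes the
    PAN presents a certificate your Python trust store accepts.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:9060{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.getcode(), resp.headers.get("Location", "")


if __name__ == "__main__":
    accepted, rejected = build_whitelist(SAMPLE_MACS)
    print("will be added:", accepted)
    print("need a second look:", rejected)
    # Live push (placeholders): create the group, then pin each MAC to it.
    # status, location = ers_post("ise-pan.example.invalid", "ers-admin", "CHANGE-ME",
    #                             "/ers/config/endpointgroup",
    #                             endpoint_group_payload("VPN-Customer-Whitelist"))
    # group_id = location.rsplit("/", 1)[-1]
    # for mac in accepted:
    #     ers_post(..., "/ers/config/endpoint", endpoint_payload(mac, group_id))
```

The ERS API is off by default and has to be enabled on the PAN under Administration > System > Settings > ERS Settings, with an account holding the ERS Admin role; the live calls are left commented out so the normalisation and payload logic can be run and checked offline first. Pairing the resulting endpoint group with a local ISE user account in the authorization policy gives the "local account + MAC" combination the reply describes, but note that a MAC reported by the VPN client is an identifier, not a secret, so it raises the bar for mistakes rather than for a deliberate imposter; the certificate route discussed later in the thread is what actually binds the connection to a device.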

Cisco Employee

Re: VPN identification and authentication before establishing a connection

Besides Mohammad's suggestion, you might be able to use Endpoint Attribute Selection Criteria in a DAP. Please note DAP might have some limitations.

Beginner

Re: VPN identification and authentication before establishing a connection

Is there any way to accomplish this using only NAC settings or ASA CSD HostScan values? Or are the AAA attributes returned from ISE before any authentication occurs, or does it only happen after a successful authentication?

I think I'm trying to satisfy the exact same audit finding that Joseph is, and it explicitly says "...restrict access...before authentication occurs...", which according to the "Remote access sequence" in this document means the ASA has to allow/deny the AnyConnect client using NAC or HostScan before the AAA sequence starts authentication.

Beginner

Re: VPN identification and authentication before establishing a connection

Or for example is there a way to use eap-chaining where the computer authentication happens first, and if it fails, it doesn't continue with the user authentication?

Beginner

Re: VPN identification and authentication before establishing a connection

In order to get the ACIDex attributes from AD, you have to successfully authenticate the user first, correct? What if you need to identify and deny/allow the machine before any authentication occurs? I'm trying to satisfy some very specific (and frankly unreasonable) requirements from the IRS as well.

VIP Engager

Re: VPN identification and authentication before establishing a connection

Certs are really the way to go. Setting up a PKI is not that difficult, but not sure how many devices you would need to get certs out to.

Re: VPN identification and authentication before establishing a connection

Nope, customers do not want a cert solution

VIP Engager

Re: VPN identification and authentication before establishing a connection

Well part of our job as consultants is to educate the customer on what the right solution is. I "guide" many customers away from their crazy ideas to the correct solution.
But I guess if they won't listen to the right solution, best of luck piecing one together.