Have a customer who needs to follow IRS regulations. He needs to have verification of VPN clients BEFORE a connection is established. It looks like this might be possible on ISE.
What would be the easiest way? whitelist, MAC filtering, ???
How would I do it?
What hardware are you/your customer using? I don't believe it's possible on ASA but it certainly is on IOS routers.
The router can send its credentials to the RADIUS server, which checks whether they are valid and, if successful, establishes a VPN tunnel. If using FlexVPN, as part of authorization you can also dynamically assign QoS policies, ZBFW membership, VRF etc. per tunnel.
More information here and example configuration:-
I am using a Cisco 5508-X for my VPN, connecting with Cisco AnyConnect and authorizing under Cisco ISE 2.4.
And these are customers coming into the network, not hubs, switches or routers.
My understanding of your question is that you want to allow only specified VPN client devices (PCs, tablets) onto the network when they connect via VPN. And it seems you are already using ISE, which is then integrated with AD for authentication.
There are multiple ways to do it, depending on the scenario you want to use.
1) You can use machine cert + user authentication if you have an internal PKI server. This way, only clients with a valid PKI certificate installed will be able to connect.
2) You can create a whitelist of MACs in AD. For this you need to use the ACIDEX attribute. You need to pre-populate the MACs in AD and then use an Auth policy to match them. I saw a good example of this method in the post below.
Nope. Will not work. We do not use AD. These are customers and they do not have AD accounts and I cannot give them one.
Certs? Nope, don't have a PKI server.
In that case, you can make a group in ISE with static MAC addresses. This should work. You can also create local accounts in ISE, which I believe you have already created. So you can use a combination of local account + MAC, or either one on its own.
Besides Mohammad's suggestion, you might be able to use Endpoint Attribute Selection Criteria in a DAP. Please note DAP might have some limitations.
Is there any way to accomplish this using only NAC settings or ASA CSD HostScan values? Or are the AAA attributes returned from ISE before any authentication occurs, or does it only happen after a successful authentication?
I think I'm trying to satisfy the exact same audit finding that Joseph is, and it explicitly says "...restrict access...before authentication occurs...", which according to the "Remote access sequence" in this document means the ASA has to allow/deny the AnyConnect client using NAC or HostScan before the AAA sequence starts authentication.
Or, for example, is there a way to use EAP chaining where the computer authentication happens first, and if it fails, it doesn't continue with the user authentication?
In order to get the ACIDex attributes from AD, you have to successfully authenticate the user first, correct? What if you need to identify and deny/allow the machine before any authentication occurs? I'm trying to satisfy some very specific (and frankly unreasonable) requirements from the IRS as well.
Certs are really the way to go. Setting up a PKI is not that difficult, but I'm not sure how many devices you would need to get certs out to.