VPN identification and authentication before establishing a connection

Have a customer who needs to follow IRS regulations. He needs to have verification of VPN clients BEFORE a connection is established. It looks like this might be possible on ISE.

 

What would be the easiest way? whitelist, MAC filtering, ???

 

How would I do it?

 

Thanks

Joe

13 Replies

Hi,

What hardware are you/your customer using? I don't believe it's possible on ASA but it certainly is on IOS routers.

 

The router can send its credentials to the RADIUS server, which checks to confirm if valid and, if successful, establishes a VPN tunnel. If using FlexVPN as part of authorization you can also dynamically assign QoS Policies, ZBFW membership, VRF etc. per tunnel.

 

More information here and example configuration:

http://www.ciscopress.com/articles/article.asp?p=1684781&seqNum=3

FlexVPN example

 

HTH

I am using a Cisco 5508-X for my VPN, connecting with Cisco AnyConnect and authorizing under Cisco ISE 2.4.

And these are customers coming into the network, not hubs, switches or routers.

Muhammad Awais Khan
Cisco Employee

Hi,

 

My understanding of your question is that you want to allow only specified VPN client devices (PCs, tablets) onto the network when they connect via VPN. And it seems you are already using ISE, which is then integrated with AD for the authentication.

 

There are multiple ways to do it, depending on the scenario you want to use.

 

1) You can use machine cert + user authentication if you have an internal PKI server. This way, only clients with a valid PKI certificate installed will be able to connect.

2) You can create a whitelist of MACs in AD. For this you need to use the ACIDEX attribute. You need to pre-populate the MACs in AD and then can use an Auth policy to match them. I saw a good example of this method in the post below.

 

https://community.cisco.com/t5/identity-services-engine-ise/dynamic-attributes-mac-address-with-ise-and-vpn/td-p/3728301


Nope. Will not work. We do not use AD. These are customers and they do not have AD accounts and I cannot give them one. 

Certs? Nope, don't have a PKI server.

Hi,

 

In that case, you can make a group in ISE with static MAC addresses. This should work. You can also create local accounts in ISE, which I believe you already created. So you can use a combination of local account + MAC, or either one on its own.
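To make the ordering in this reply concrete (the endpoint is matched against a static MAC group first, and the local account is only checked for endpoints that pass), here is an added Python model of that two-gate policy. It is not ISE configuration or Cisco code; the MAC list, the account name and the password hash are constructed values, and the device gate normalizes the usual MAC notations so an operator-entered list still matches what a client reports.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed allow-list of endpoint MACs (hypothetical values), deliberately
# written in three common notations to show that normalization handles them.
ALLOWED_MACS_RAW = ["00:11:22:AA:BB:CC", "0011.22dd.eeff", "00-11-22-01-02-03"]

# Constructed local accounts: username -> SHA-256 of the password (hypothetical).
LOCAL_ACCOUNTS = {
    "customer1": hashlib.sha256(b"correct horse").hexdigest(),
}
# Dummy hash compared against when the username is unknown, so that an unknown
# user and a wrong password take the same code path.
_DUMMY_HASH = hashlib.sha256(b"\x00").hexdigest()

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Reduce any of the usual MAC notations to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


ALLOWED_MACS = {normalize_mac(m) for m in ALLOWED_MACS_RAW}


@dataclass
class Decision:
    permitted: bool
    stage: str    # "device" or "user": which gate produced the decision
    reason: str


def device_gate(reported_mac: str) -> Decision:
    """First gate: is the endpoint in the static MAC group?

    Runs before any credential is examined, so an unknown or malformed
    MAC is rejected without the user gate ever being reached.
    """
    try:
        mac = normalize_mac(reported_mac)
    except ValueError as exc:
        return Decision(False, "device", str(exc))
    if mac not in ALLOWED_MACS:
        return Decision(False, "device", f"MAC {mac} not in allow-list")
    return Decision(True, "device", "endpoint is in the allow-list")


def user_gate(username: str, password: str) -> Decision:
    """Second gate: local account check with a constant-time hash comparison."""
    stored = LOCAL_ACCOUNTS.get(username, _DUMMY_HASH)
    presented = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(stored, presented) and username in LOCAL_ACCOUNTS
    if not ok:
        return Decision(False, "user", "unknown user or bad password")
    return Decision(True, "user", "local account verified")


def evaluate(reported_mac: str, username: str, password: str) -> Decision:
    """Device gate first; a device failure short-circuits the user gate."""
    device = device_gate(reported_mac)
    if not device.permitted:
        return device
    return user_gate(username, password)


if __name__ == "__main__":
    for args in [
        ("00:11:22:AA:BB:CC", "customer1", "correct horse"),   # both gates pass
        ("0011.22DD.EEFF", "customer1", "wrong"),              # device ok, user fails
        ("ff:ff:ff:ff:ff:ff", "customer1", "correct horse"),   # stopped at device gate
    ]:
        print(args[0], "->", evaluate(*args))
```

The `stage` field is what an auditor would look at: a denial with `stage == "device"` shows the endpoint was refused before the credentials were ever evaluated, which is the "restrict access before authentication occurs" behaviour the thread is trying to demonstrate.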

Besides Muhammad's, you might be able to use Endpoint Attribute Selection Criteria in a DAP. Please note DAP might have some limitations.

Is there any way to accomplish this using only NAC settings or ASA CSD HostScan values? Or are the AAA attributes returned from ISE before any authentication occurs, or does it only happen after a successful authentication?

 

I think I'm trying to satisfy the exact same audit finding that Joseph is, and it explicitly says "...restrict access...before authentication occurs...", which according to the "Remote access sequence" in this document means the ASA has to allow/deny the AnyConnect client using NAC or HostScan before the AAA sequence starts authentication.

Or for example is there a way to use eap-chaining where the computer authentication happens first, and if it fails, it doesn't continue with the user authentication?

In order to get the ACIDex attributes from AD, you have to successfully authenticate the user first, correct? What if you need to identify and deny/allow the machine before any authentication occurs? I'm trying to satisfy some very specific (and frankly unreasonable) requirements from the IRS as well.

Certs are really the way to go. Setting up a PKI is not that difficult, but not sure how many devices you would need to get certs out to.

Nope, customers do not want a cert solution

Well part of our job as consultants is to educate the customer on what the right solution is. I "guide" many customers away from their crazy ideas to the correct solution.



But I guess if they won't listen to the right solution, best of luck piecing one together.
