Allow only AD joined computers to attach to AnyConnect VPN WITH ISE 2.2

NETAD

Hello, how can I create an authorization profile that just allows domain computers to connect to the VPN?

Thanks


Octavian Szolga

Hi,

There are many options to consider, but the most general one would be to use certificate-based authentication.

When the endpoint connects to the VPN, it has to present a machine-type certificate to the ASA. Because the device certificate is deployed using GPO, thus through the AD infrastructure to AD computers, it proves that the endpoint is indeed a corporate device. The provisioned certificate can be marked (in the cert template/GPO) as non-exportable so that it cannot be exported from the endpoint certificate store and imported into a different, non-corporate PC.

After the machine certificate has been successfully validated, you can choose to either request the user's identity (user/pass) or authorize the connection based solely on the cert itself (you take, for example, the subject name and search through AD for a Domain Computer membership; if you can find it, the session is authorized).

Another option would be to use posture services on ISE and search for a file, setting, etc.; something that is 100% specific to your AD environment. As far as I remember, ISE doesn't provide a native condition like "this is a domain computer device".

Regards,
Octavian

Thanks. That's what I'm looking for. I configured ISE to authorize the remote access users today and will be testing the setup tonight. Can you please verify what I've done for me and tell me if it should work?

First, I added the firewall to ISE as a network device and enabled it for radius.

Second, I created authorization profiles with the specified DACL and a radius attribute Class-25 that matches the group-policy on the ASA.

Third, I created a new Policy Set that looks for requests coming from the ASA and a radius attribute nas-port-type = virtual.

Fourth, an authentication policy that points to AD.

Fifth, a couple of authorization policies that look for users that are members of certain AD groups with the Author Pro created previously.

And lastly, I configured a new radius-server on the ASA that points to 10.11.12.51.

Tonight before testing I will:

Go under the RA tunnel-group and update the authentication-server-group and point it to the newly created one.

Go under Webvpn and issue the command no tunnel-group-list enable.

Hi,

Sounds good, but when you're saying that you want your users to be authorized by ISE, they're basically authenticated and the authorization part comes packed with the authentication response (the radius way of doing things).

Just to detail a little bit what I said earlier, this is the difference between those two scenarios:

1. Double authentication from the ASA's perspective:

 a) check device cert - certificate authentication (ASA)

 b) check user + pass - user authentication (ISE)

ISE will respond to the user authentication request with some authorization attributes. Still, ISE is a radius authentication server under the tunnel-group configuration.

2. Single cert authentication with ISE authorization:

 a) check device cert (ASA)

 b) authorize the "user" (which is actually the device): send a specific field from the endpoint certificate to be authorized by ISE. In this case, ISE is configured as a radius authorization server under the tunnel-group profile.

PS

- Don't forget that if you remove the tunnel-group list you'll have to create some cert to tunnel-group mappings in order to land on the correct tunnel-group.

- If you want ISE to tell the ASA that a user should have a specific group-policy applied, it's enough to tick the ASA checkbox in the authorization profile and write down the name of the group-policy as it is configured on the ASA. Forget about custom, radius, etc.

Regards,

Octavian
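The two scenarios above, plus the cert-to-tunnel-group mapping from the PS, written out as ASA CLI. This is an added example, not configuration from the thread or from Cisco; the names ISE, VPN-POOL, GP-DOMAIN, RA-VPN and CORP-CERTS are assumed, 10.11.12.51 is the ISE address the poster mentioned, and the shared secret and issuing-CA name are placeholders.

```cisco
! Added example, not from the thread. Assumed names: aaa-server group ISE,
! address pool VPN-POOL, group-policy GP-DOMAIN, tunnel-group RA-VPN,
! certificate map CORP-CERTS. Placeholders are marked as such.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.11.12.51
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! Group-policy named exactly as ISE returns it: the "ASA" checkbox in the
! ISE authorization profile sends this name, the ASA resolves it locally.
group-policy GP-DOMAIN internal
group-policy GP-DOMAIN attributes
 vpn-tunnel-protocol ssl-client
!
! Scenario 1: ASA validates the machine cert, then ISE checks user + pass.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 default-group-policy GP-DOMAIN
tunnel-group RA-VPN webvpn-attributes
 authentication aaa certificate
!
! Scenario 2 (replaces the two RA-VPN blocks above): cert only on the ASA,
! ISE authorizes the device using the certificate CN as the RADIUS username.
! tunnel-group RA-VPN general-attributes
!  address-pool VPN-POOL
!  authorization-server-group ISE
!  authorization-required
!  username-from-certificate CN
!  default-group-policy GP-DOMAIN
! tunnel-group RA-VPN webvpn-attributes
!  authentication certificate
!
! PS point 1: with the drop-down list disabled, a cert map decides the
! tunnel-group. Here: any cert issued by the corporate CA (placeholder CN).
crypto ca certificate map CORP-CERTS 10
 issuer-name attr cn eq corp-issuing-ca-placeholder
webvpn
 enable outside
 anyconnect enable
 no tunnel-group-list enable
 certificate-group-map CORP-CERTS 10 RA-VPN
!
! Check the RADIUS path before a client test (poster's own approach):
! test aaa-server authentication ISE host 10.11.12.51 username u password p
```

Use only one of the two RA-VPN variants at a time; the cert map matching is evaluated before any user-selected profile, as the thread notes further down.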

Thank you so much. 

Hey Octavian, I'm not able to authenticate against the new radius server (ISE) after I added the authentication-server-group command under the tunnel-group. The requests aren't even hitting ISE. What's odd is that when I try with the test aaa-server command I see the request coming in and matching the correct policies. Any advice here?

Hey Octavian, do you recommend disabling the tunnel-group-list under webvpn or not?

Hi,

Yes, I do. If your certs are all using the same template, there's no sense in keeping that setting.

All your clients will land on the correct tunnel-group based on the cert to tunnel-group mapping.

This setting will have (anyway) a higher priority compared with the user-selected drop-down profile.

Regards,

Octavian

We're not deploying certs yet. That's probably something to consider at a later phase. So for now it's just gonna have to be any computer. But we should still disable the tunnel-group-list correct? 

Hi,

If you don't have any certs now (no computer authentication) and you disable the drop-down menu, you won't be able to tell your ASA that you want to land on a specific tunnel-group.

You have 3 options:

- leave the drop-down menu

- deactivate the drop-down but configure a specific url for your tunnel-group and place an AnyConnect profile on the client that has the specific url alias inside

- edit the default remote-access (SSL) vpn tunnel-group (DefaultWEBVPNGroup) and make it look like your custom tunnel-group (pool, authentication, etc.); for this last option you don't need any url or drop-down

Regards,

Octavian
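The second and third options above as ASA CLI, for the no-certificate phase. This is an added example, not configuration from the thread; RA-VPN, VPN-POOL, GP-DOMAIN and ISE are assumed names and vpn.example.com is a placeholder hostname.

```cisco
! Added example, not from the thread. Assumed names: tunnel-group RA-VPN,
! pool VPN-POOL, group-policy GP-DOMAIN, aaa-server group ISE.
! vpn.example.com is a placeholder for the ASA's public hostname.
!
! Option 2: drop-down disabled, clients reach RA-VPN through a group-url.
! The AnyConnect client profile must carry the same URL in its HostEntry:
!   <HostAddress>vpn.example.com/corp</HostAddress>
tunnel-group RA-VPN webvpn-attributes
 group-url https://vpn.example.com/corp enable
webvpn
 no tunnel-group-list enable
!
! Option 3: give the default SSL tunnel-group the same settings as the
! custom one. Clients that select no profile and hit no url land here,
! so neither a drop-down nor a group-url is needed.
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 default-group-policy GP-DOMAIN
webvpn
 no tunnel-group-list enable
```

With option 3 every unmatched SSL connection is authenticated against ISE, so the ISE policy set (ASA as network device, NAS-Port-Type = Virtual) is what restricts who gets in.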