06-23-2018 11:06 PM
Hi All,
I have been thrown a question prior to the ISE deployment in our organization. Soon we will have dot1x on every port of all user- and things-facing switches, and authentication will be via the ISE infrastructure.
Now, among other things, corporate desktops and laptops will be authenticated using PKI-based machine certificates, wherein ISE will forward the query to the corporate CA server for verification.
Now the requirement is, for a corporate machine which has, let's say, missing, expired or corrupted certificates: by default they won't be authenticated and perhaps will be provided an internet-only VLAN. But since those belong to actual corporate users, we would like to auto-remediate the situation without having to remove dot1x and install certificates, or maybe even sending someone to put in certificates manually or taking them to staging areas.
Can an Apex licence in conjunction with the AnyConnect client help there? As I saw, there was remediation scenario documentation for things like patches, anti-virus etc., but nothing specific to auto-remediation of certificates.
Is that possible? If yes, how?
Varun
06-25-2018 10:21 AM
A few things to consider for expired certificates:
- In a general corporate PKI (especially if using MS CA), you can configure the CA server to issue certificates when the expiry date is near. This can be configured from the MS CA console and is recommended. As long as the users are connecting the PC often enough before expiry, the machine should always have a valid certificate.
- Now, if you still want to address expired certificates, consider the following options:
  1. If you want to allow expired certificates to authenticate, then you can modify the 'Allowed protocols' for EAP-TLS to allow expired certificates. However, instead of providing full access, you can limit access to a web portal where the user is instructed to take action to renew the certificate.
  2. It is generally not recommended to allow expired certificates to be authenticated, due to security reasons. A better option is to use the 'CERTIFICATE:DAYSTOEXPIRY' authorization condition to trigger user action when the certificate is near expiry.
  3. You can simply deny access for expired certificates and redirect the user to log in via a web portal using username and password.
For the above options, you don't need any Apex license, as you are only leveraging basic RADIUS authentication.
Hosuk
06-26-2018 05:21 AM
Thanks Hosuk,
The suggestions here do answer the questions for expired certificates, but what can be a good suggestion for machines with no certificates? Imagine we have ordered 10 new machines and those get the image and other software from a local SCCM server.
Today this is not a problem, since there is no dot1x on the ports, so a new machine does DHCP, gets its SCCM server IP, gets the image, and along with that a certificate is issued by scripts.
If in future, after we establish the ISE infrastructure with dot1x on all ports, we are trying to set up these 10 machines, they will not have anything to supply for EAPoL. What will we do in those cases? Some options are:
- Remove dot1x temporarily, let them image and get certificates, and then apply dot1x back (very manual and prone to ports being left non-dot1x).
- Stage the machines at a designated location with no dot1x and then connect to the LAN (this will add logistics cost).
- Maybe authenticate via MAB, then let it get imaged with access to the SCCM servers only, and then do a CoA for full access.
What do other companies do to handle such situations?
Varun
06-26-2018 05:27 AM
06-26-2018 09:52 AM
Thanks Jason !!
Would really appreciate real-life experiences with this scenario. How are new machines handled generally?
Certainly we are not the only organization with the dilemma. I am sure a lot of companies order machines in their office and then
use SCCM for imaging. If the ports are dot1xed, then it will be like a chicken-and-egg problem.
06-27-2018 08:11 PM
Hi Jason,
Did you manage to find any feedback on this ?
06-28-2018 10:49 AM
The people I copied were partners that might have shared their feedback. That’s all we have.
07-04-2018 08:14 PM
Hi Jason,
I actually found an interesting line from Aaron Woland in his famous book, version 2, at page 271. At least for expired certs, there seems to be an inbuilt feature.
I am still trying to brainstorm what to do with brand new machines.
Varun
07-04-2018 09:29 PM
Not all client OSes would present an expired certificate for EAP-TLS. For example, Windows clients do not.
07-05-2018 07:36 PM
Ok,
The case with new machines will be that they will not hand out any certificates, even though the profiling will figure out, based on DHCP or other profilers, that at least the hardware is of a corporate type, like HP model xx-yy.
So I am thinking of a policy that says "match hardware type - corporate", and if they don't have certificates, give them access to only the AD and SCCM servers, let them get a certificate, and then do a CoA.
Any thoughts on if that can work?
Varun
07-08-2018 10:48 AM
Sure, if the AD is also serving as DNS and DHCP, as well as the CA services.
07-08-2018 08:38 PM
Nope, DNS and DHCP are based on a completely different product, Infoblox. Though AD has the CA services running.
Varun
07-09-2018 05:33 AM
Then DNS and DHCP need to be allowed as well. Or at least DNS, if the endpoints are using static IPs.
07-08-2018 07:42 AM
Hello HSLAI,
Any comments if this idea can work ?
Varun
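The policy this thread converges on, as an added example that is not part of the original posts or of Cisco's software: a first-match rule table in the style of an ISE policy set, covering Hosuk's CERTIFICATE:DAYSTOEXPIRY and expired-certificate options, Varun's MAB-plus-corporate-profile remediation rule for bare new machines with a CoA after enrolment, and HSLAI's point that DNS/DHCP must be reachable from that rule. Profile names, the 30-day window and the dates are constructed placeholders.

```python
# Added example (not Cisco's or the posters' code): first-match model of the ISE policy in this thread.
from datetime import date, timedelta

TODAY = date(2018, 7, 9)   # constructed evaluation date matching the thread
RENEW_WINDOW_DAYS = 30     # assumed threshold for the CERTIFICATE:DAYSTOEXPIRY rule

def make_session(auth, profile=None, not_after=None):
    """Constructed RADIUS session: auth is 'EAP-TLS' or 'MAB', profile the
    profiler's verdict, not_after the presented cert's expiry as an ISO date."""
    s = {"auth": auth, "profile": profile}
    if not_after:
        s["cert"] = {"not_after": date.fromisoformat(not_after)}
    return s

def days_to_expiry(session, today):
    """CERTIFICATE:DAYSTOEXPIRY for the presented certificate, None if no cert."""
    cert = session.get("cert")
    return (cert["not_after"] - today).days if cert else None

def authorize(session, today):
    """Evaluate the rules top-down and return the first matching profile.
    Order matters: the near-expiry rule must sit above full access or it never fires."""
    dte = days_to_expiry(session, today)
    rules = [
        # Expired cert (only reachable if the EAP-TLS allowed protocols permit
        # expired certs): renewal portal only, never full access.
        (dte is not None and dte < 0, "RenewalPortal_Redirect"),
        # Still valid but inside the renewal window: access plus a nudge to renew.
        (dte is not None and dte <= RENEW_WINDOW_DAYS, "Access_Plus_Renewal_Warning"),
        (dte is not None, "Corporate_Full_Access"),
        # No cert, but MAB + corporate hardware profile: limited access to AD/CA
        # and SCCM, and (HSLAI's point) to DNS/DHCP when those are separate boxes.
        (session["auth"] == "MAB" and session["profile"] == "corporate",
         "Remediation_Limited_Access"),
        (True, "Internet_Only"),   # default: internet-only VLAN
    ]
    return next(profile for cond, profile in rules if cond)

def image_and_reauth(session, today, cert_lifetime_days=365):
    """Varun's new-machine flow: remediation access, the imaging script enrols a
    machine cert, then a CoA forces EAP-TLS re-auth. Returns (before, after)."""
    before = authorize(session, today)
    if before != "Remediation_Limited_Access":
        return before, before
    enrolled = dict(session, auth="EAP-TLS",
                    cert={"not_after": today + timedelta(days=cert_lifetime_days)})
    return before, authorize(enrolled, today)

if __name__ == "__main__":
    print(image_and_reauth(make_session("MAB", profile="corporate"), TODAY))
```

Swapping the first two rules shows why ordering matters: the full-access rule would then match every valid certificate and the renewal warning would never fire.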