domain computer check for anyconnect connection

xili5
Cisco Employee

Hi expert,

ISE is used as the RADIUS server for AnyConnect connections. Is it possible to check whether the AnyConnect PC is a domain computer?

I use an AD domain user for authentication, create an authorization condition to check for a domain computer, and define different rights accordingly. But it doesn't work. I use a domain computer to connect to the AnyConnect VPN successfully, but in the RADIUS log the session does not match the condition that checks for a domain computer.

br,

Martin

Accepted Solution

paul
Level 10

I don't think you will have much luck getting the VPN client to pass in domain computer credentials. You have two ways to handle this typically:

  1. Configure the ASA to check the attaching device for a computer cert issued from the customer's CA. This assumes the customer has an internal CA and is issuing computer certs to their domain-joined devices.
  2. Use posturing to check the registry for domain-joined computer status.

#1 is the method I always use to ensure my Employee VPN is only allowed on corporate-owned devices. When you do computer cert authentication on the ASA you have to roll out the XML profile ahead of time with the machine store cert check setting enabled. Otherwise the AnyConnect client can't check the machine cert store.

You would be doing the machine cert check on the ASA + the AD credential check in ISE.

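As an added example (not from the thread, and not Cisco's own tooling), a PowerShell readiness check you can run on a Windows endpoint before testing the ASA/ISE policy. It confirms the two prerequisites paul's reply relies on: a machine certificate from the corporate CA with the Client Authentication EKU in the machine store (method #1), and domain membership as a posture registry/WMI check would see it (method #2). The CA name `CORP-ISSUING-CA` and the domain `corp.example` are constructed placeholders.

```powershell
# Added endpoint readiness check (example code, not from the thread or from Cisco).
# Assumptions (constructed placeholders): the corporate issuing CA's subject CN is
# "CORP-ISSUING-CA" and the AD DNS domain is "corp.example".
param(
    [string]$CorpCaName   = 'CORP-ISSUING-CA',
    [string]$DomainSuffix = 'corp.example'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# --- Method 1: is there a usable machine certificate from the corporate CA? ---
# The ASA can only match a cert that lives in LocalMachine\My, which is why the
# AnyConnect profile must allow the machine store (CertificateStore / CertificateStoreOverride).
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.Issuer -like "*CN=$CorpCaName*" -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthOid)
}

if ($machineCerts) {
    $machineCerts | ForEach-Object {
        "[OK] machine cert $($_.Thumbprint) subject=$($_.Subject) expires=$($_.NotAfter)"
    }
} else {
    "[FAIL] no valid Client Authentication cert issued by CN=$CorpCaName in LocalMachine\My"
}

# --- Method 2: is the PC domain-joined (what a posture domain/registry check tests)? ---
$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

if ($cs.PartOfDomain -and ($cs.Domain -ieq $DomainSuffix)) {
    "[OK] domain-joined to $($cs.Domain)"
} else {
    "[FAIL] PartOfDomain=$($cs.PartOfDomain) Domain=$($cs.Domain) (expected $DomainSuffix)"
}

# The Tcpip 'Domain' value is the primary DNS suffix. On joined machines it normally
# mirrors the AD domain, but it can be set by hand, so treat it as corroborating
# evidence rather than proof of membership when building a posture condition.
"Tcpip\Parameters Domain = '$($tcpip.Domain)'"
```

Run it in an elevated session on a test PC; a [FAIL] on the first check usually means the cert was enrolled into the user store instead of the machine store, which is the same reason the ASA cert check would not match.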

3 Replies

Hi,

I have similar requirements; can you please share the steps for method #1?

See these examples for both the ASA configuration and the ISE policy configuration elements.

SSL VPN with AnyConnect using Certificate-Based Authentication 

ISE Configuration for Anyconnect VPN