1960 Views, 3 Helpful, 3 Replies

Cisco Employee

domain computer check for anyconnect connection

Hi expert,

ISE is used as the RADIUS server for AnyConnect connections. Is it possible to check whether the AnyConnect PC is a domain computer?

I use AD domain users for authentication and create an authorization condition that checks for a domain computer, defining different rights accordingly. But it doesn't work. I use a domain computer to connect to the AnyConnect VPN successfully, but in the RADIUS log the session does not match the domain computer check condition.

br,

Martin

Accepted Solution
VIP Advocate

Re: domain computer check for anyconnect connection

I don't think you will have much luck getting the VPN client to pass in domain computer credentials. You have two ways to handle this typically:

  1. Configure the ASA to check the attaching device for a computer cert issued from the customer's CA. This assumes the customer has an internal CA and is issuing computer certs to their domain joined devices.
  2. Use posturing to check the registry for domain joined computer status.

#1 is the method I always use to ensure my Employee VPN is only allowed on corporate owned devices. When you do computer cert authentication on the ASA you have to roll out the XML profile ahead of time with the machine store cert check setting enabled. Otherwise the AnyConnect client can't check the machine cert store.

You would be doing machine cert check on the ASA + AD credential check in ISE.

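As an added illustration (not code from the thread, and not Cisco's own profile), this is the shape of an AnyConnect client profile with the machine-store settings the accepted answer refers to. The issuer CN and the VPN hostname are placeholders; the ASA tunnel-group and the ISE authorization policy are assumed to be configured separately and are not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative profile, not from the thread. Without CertificateStoreOverride a
     client run by a non-admin user searches only the user store, so the ASA never
     sees the domain computer certificate from the machine store. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Let the client pick the matching certificate without prompting the user. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <!-- Search both the machine (computer) store and the user store. -->
    <CertificateStore>All</CertificateStore>
    <!-- Permit the machine store search even when the user lacks admin rights. -->
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <!-- Only offer certificates issued by the internal CA (placeholder issuer name),
         so a user certificate from another CA is not presented by mistake. -->
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern>EXAMPLE-CORP-ISSUING-CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Employee VPN</HostName>
      <!-- Placeholder headend address. -->
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Roll this profile out to the clients before switching the tunnel-group to certificate authentication, since a client that has not received it cannot present the computer certificate and will be rejected.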

3 Replies

Beginner

Re: domain computer check for anyconnect connection

Hi,

I have similar requirements. Can you please share the steps for method #1?
Cisco Employee

Re: domain computer check for anyconnect connection

See these examples for both the ASA configuration and the ISE policy configuration elements.

SSL VPN with AnyConnect using Certificate-Based Authentication

ISE Configuration for Anyconnect VPN