895 Views, 0 Helpful, 4 Replies

ISE - best practice for denying users to connect via VPN/Wired

MS-JK, Level 1

Hey all,

 

Looking for best practices on how security teams flag a BAD MACHINE (not user) and prevent it from connecting to the network via VPN / Wired.

 

** The idea is to block specific MACHINE not specific USER.

** User validated/authenticated via MACHINE CERT and AD

** Should avoid invalidating the machine CERT as a solution so that REMOTE users don't have to be re-issued machine certs AFTER their machine is cleaned and allowed BACK onto the network.

 

Possible solutions? (have an opinion?) 

I. ADD these BAD machines into a blacklist - I'd like to avoid using MACs as the identifier for blacklists.

II. Restrict MACHINE based on AD group membership? (ex: a BAD MACHINES group in AD that a machine can be added to, and then an ISE policy to validate against this).

 

Thanks for feedback.


Accepted Solution

paul, Level 10

What type of authentication are you doing? Usually on VPN you aren't doing computer-based authentication, so you won't be doing an AD lookup for the computer account. Blacklisting may be your only option there. For the wired side, if you are doing User or Computer with the Native supplicant you will have an issue because the computer credentials are not presented if the user is logged in. If you are doing computer authentication only, then you could use an AD group or other attributes from AD. Blacklisting is always an option.

 

How are they flagging the machine as BAD? If this is done by external security products, you could use REST API calls to apply ANC policies/blacklisting to the device.

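As an added illustration of the REST approach Paul describes (example code written for this page, not from the thread, from Cisco, or from ISE itself): prepare and send the ISE ERS calls that apply an ANC policy to a flagged endpoint and clear it again after the machine is cleaned. It assumes ERS is enabled on the PAN (port 9060), an account with the ERS Admin role, and an ANC policy already created in ISE under the assumed name QUARANTINE; the host name, credentials and MAC are constructed placeholders.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample values: replace with your own ISE PAN, ERS credentials and ANC policy name.
ISE_BASE = "https://ise.example.internal:9060"
ANC_POLICY = "QUARANTINE"  # assumed name of an ANC policy already defined in ISE


def anc_body(mac, policy=None):
    """Build the ERS ANC request body for one endpoint.
    'apply' needs macAddress + policyName; 'clear' needs only the macAddress."""
    data = [{"name": "macAddress", "value": mac.upper()}]
    if policy is not None:
        data.append({"name": "policyName", "value": policy})
    return {"OperationAdditionalData": {"additionalData": data}}


def anc_request(action, mac, user, password, base=ISE_BASE):
    """Prepare (but do not send) PUT /ers/config/ancendpoint/{apply|clear}.
    ERS uses HTTP basic auth with an account holding the ERS Admin role."""
    if action not in ("apply", "clear"):
        raise ValueError("action must be 'apply' or 'clear'")
    body = anc_body(mac, ANC_POLICY if action == "apply" else None)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base}/ers/config/ancendpoint/{action}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )


def send(req):
    """Send a prepared request and return the HTTP status (2xx on success).
    TLS verification stays on, so the ISE admin certificate or its issuing CA
    must be trusted on the host running this script."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    # Quarantine a flagged endpoint, then clear it once the machine is cleaned.
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    print(send(anc_request("apply", mac, "ersadmin", "secret")))
    print(send(anc_request("clear", mac, "ersadmin", "secret")))
```

Note that ANC still keys on the endpoint's MAC address, which is the identifier the original poster wanted to avoid; it does not tie the block to the machine certificate or the AD computer object.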

4 Replies


Auth:

 

VPN = Machine Cert + RSA

Wired = Machine Cert

 

Right now manually marking machines as BAD and adding them to an AD computer group (which I'd like to validate against).

For the wired side you can do an AD check in the authorization phase to see if the AD computer is part of the BAD Computer AD group. For the VPN I am not sure how you are going to accomplish this outside of revoking the computer cert. The computer name is not passed to ISE for authentication. I am assuming they are doing RSA auth using their AD user credentials.




hslai, Cisco Employee

I agree with Paul. Please note that some PKIs, such as Microsoft CA, allow holding and later un-revoking a certificate. See

Revoke-Certificate - PKI Extensions