10-22-2018 08:22 AM
Hey all,
Looking for best practices on how security teams flag a BAD MACHINE (not user) and prevent it from connecting onto the network via VPN / Wired.
** The idea is to block specific MACHINE not specific USER.
** User validated/authenticated via MACHINE CERT and AD
** Should avoid invalidating the machine CERT as a solution so that REMOTE users don't have to be re-issued machine certs AFTER their machine is cleaned and allowed BACK on to the network.
Possible solutions? (have an opinion?)
I. ADD these BAD machines into blacklist - I'd like to avoid using MACs as identifier for blacklists.
II. Restrict MACHINE based on AD group membership? (ex: BAD MACHINES group on AD that machine can be added into and then ISE policy to validate against this).
Thanks for feedback.
10-22-2018 10:05 AM
What type of authentication are you doing? Usually on VPN you aren't doing computer based authentication so you won't be doing an AD lookup for the computer account. Blacklisting may be your only option there. For the wired side if you are doing User or Computer with Native supplicant you will have an issue because the computer credentials are not presented if the user is logged in. If you are doing computer authentication only then you could use AD group or other attributes from AD. Blacklisting is always an option.
How are they flagging the machine as BAD? If this is done by external security products you could use REST API calls to apply ANC policies/blacklisting to the device.
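As an added example (not from this thread, and not Cisco's own code), here is the kind of REST call the answer above refers to: applying or clearing an ISE Adaptive Network Control (ANC) policy on one endpoint through the ERS API, which is the automation-friendly form of blacklisting. The host, ERS credentials and policy name are placeholders, and the `/ers/config/ancendpoint/apply` and `/clear` paths and payload shape are assumed from ISE's ERS ANC documentation, so check them against your ISE version's API reference.

```python
import base64
import json
import re
import ssl
import urllib.request

# Placeholders (assumptions): your ISE PAN hostname and the ANC policy name
# you defined under Operations > Adaptive Network Control > Policy List.
ISE_HOST = "ise-pan.example.internal"
ERS_PORT = 9060
QUARANTINE_POLICY = "Quarantine_Bad_Machine"

def normalize_mac(mac):
    """Return MAC as AA:BB:CC:DD:EE:FF (the form ERS expects); reject anything else."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_anc_payload(mac, policy_name=None):
    """Body for PUT /ers/config/ancendpoint/apply (with policy) or /clear (without)."""
    data = [{"name": "macAddress", "value": normalize_mac(mac)}]
    if policy_name:
        data.append({"name": "policyName", "value": policy_name})
    return {"OperationAdditionalData": {"additionalData": data}}

def anc_request(action, mac, ers_user, ers_password, policy_name=None,
                host=ISE_HOST, verify_tls=True):
    """Apply (action='apply') or lift (action='clear') an ANC policy on one endpoint."""
    if action not in ("apply", "clear"):
        raise ValueError("action must be 'apply' or 'clear'")
    url = f"https://{host}:{ERS_PORT}/ers/config/ancendpoint/{action}"
    body = json.dumps(build_anc_payload(mac, policy_name if action == "apply" else None))
    token = base64.b64encode(f"{ers_user}:{ers_password}".encode()).decode()
    req = urllib.request.Request(url, data=body.encode(), method="PUT", headers={
        "Authorization": f"Basic {token}",  # dedicated ERS admin account, least privilege
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab PAN with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status  # ISE returns an empty 2xx (204) on success

if __name__ == "__main__":
    # Constructed sample: the body that would quarantine a flagged laptop.
    print(json.dumps(build_anc_payload("00-11-22-aa-bb-cc", QUARANTINE_POLICY), indent=2))
```

Once the machine is cleaned, the same call with `action="clear"` lifts the policy without touching the machine certificate, which is the reuse-friendly path the original question asks for.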
10-24-2018 11:46 PM
Auth:
VPN = Machine Cert + RSA
Wired = Machine Cert
Right now manually marking as BAD machines and adding to AD's computer group. (which I'd like to validate against).
10-25-2018 05:59 AM
10-25-2018 07:36 AM
I agree with Paul. Please note that some PKI, such as Microsoft CA, allows holding and later un-revoking a certificate. See