09-17-2019 01:21 AM
Hi,
I would appreciate any help if someone has tested the scenario below, to see whether it is doable or not.
Our customer got Firepower appliances for remote access VPN service using AnyConnect, and ISE as an authentication server for remote access VPN users. The plan is to integrate the ISE with Symantec VIP for 2FA (which is possible). The question is:
The customer wants some of the RA users to use a specific laptop or phone when they connect using AnyConnect and, of course, use the Symantec 2FA. I'm trying to explore my options here; I could think of the following:
Maybe we can use the Symantec VIP as an external RADIUS server and use it in the identity source sequence in the authentication policy. Then we use the internal endpoint identity, which has the MAC address of the users, and in the authorization policy we match based on the endpoint identity.
Or maybe we install a machine certificate on the client machine and use certificate as an authentication method in the identity source sequence, but I'm not sure if in the same identity source sequence I can choose the Symantec VIP, which is an external RADIUS server. Usually we choose AD with certificate authentication in the identity source sequence; I do not know if we can choose an external RADIUS server with certificate in the identity source sequence.
Does anyone have experience with such a scenario? Any suggestions?
Thanks
09-23-2019 04:53 AM
There may be multiple ways, but as you mentioned, we can use the MAC. AnyConnect will send the MAC in ACIDEX. You can follow the information in this posting:
Another option is to use the AnyConnect posture module, which can key off a certain watermark added to the Windows registry or macOS plist file.
Another option is using certificates, but note that certificate validation is generally done on the VPN gateway itself, not on the RADIUS server. You may be able to validate the certificate on the RADIUS server using IKEv2 with EAP as the authentication protocol, but I'm not sure if that is feasible in this scenario.
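As an added illustration of the MAC-based option above (this is example code, not from the thread or from Cisco), the snippet below shows the matching step an authorization policy performs: pull the ACIDEX device-mac out of the Cisco AV-pairs the VPN gateway forwards to RADIUS, normalise the MAC format, and check it against the endpoint identity registered for the authenticated user. The AV-pair syntax (`mdm-tlv=device-mac=...`), the sample session attributes and the per-user allowlist are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of ACIDEX attributes as they would arrive from the VPN
# gateway inside Cisco-AVPair values (assumed "mdm-tlv=<key>=<value>" layout).
SAMPLE_AVPAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-platform-version=10.0.18362",
    "mdm-tlv=device-mac=00-50-56-A1-B2-C3",
    "mdm-tlv=device-type=VMware, Inc. VMware Virtual Platform",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.8.02042",
]

# Hypothetical endpoint identity store: username -> MACs registered for that
# user (already normalised). In ISE this would be the endpoint identity group.
ENDPOINT_ALLOWLIST: Dict[str, set] = {
    "ali": {"005056a1b2c3"},
    "bob": {"3c2201aabbcc", "a4c3f0112233"},
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(mac: str) -> Optional[str]:
    """Reduce 00-50-56-A1-B2-C3, 00:50:56:a1:b2:c3 or 0050.56a1.b2c3 to
    12 lowercase hex digits; return None if the input is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if _MAC_RE.match(digits) else None


def parse_acidex(avpairs: List[str]) -> Dict[str, str]:
    """Return the mdm-tlv key/value pairs; any other AV-pair is ignored.
    Only the first '=' after the mdm-tlv prefix splits key from value, so
    values containing '=' or ',' survive intact."""
    tlv: Dict[str, str] = {}
    for pair in avpairs:
        if not pair.startswith("mdm-tlv="):
            continue
        key, sep, value = pair[len("mdm-tlv="):].partition("=")
        if sep:
            tlv[key] = value
    return tlv


def authorize(username: str, avpairs: List[str],
              allowlist: Dict[str, set] = ENDPOINT_ALLOWLIST) -> str:
    """Authorization step run after the user has already passed 2FA:
    permit only when the client-reported MAC is registered for this user.
    A missing or malformed device-mac is treated as a deny, not a pass."""
    mac = normalise_mac(parse_acidex(avpairs).get("device-mac", ""))
    if mac is None:
        return "DENY: no usable device-mac in ACIDEX attributes"
    if mac in allowlist.get(username, set()):
        return "PERMIT: full-access profile"
    return "DENY: endpoint not registered for this user"


if __name__ == "__main__":
    print(authorize("ali", SAMPLE_AVPAIRS))
    print(authorize("bob", SAMPLE_AVPAIRS))
    print(authorize("ali", ["mdm-tlv=device-platform=win"]))
```

Two practical notes: store MACs in one canonical form, because the gateway, ISE and the inventory spreadsheet rarely agree on separators and case; and remember that the ACIDEX MAC is reported by the AnyConnect client itself, so it is an inventory binding rather than a cryptographic one. For users who must be tied to a specific device, it should complement, not replace, a machine certificate or posture check.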
09-25-2019 12:03 AM
Hello howon,
Thank you for your valuable information.
According to the post https://community.cisco.com/t5/identity-services-engine-ise/dynamic-attributes-mac-address-with-ise-and-vpn/td-p/3728301
if I understood correctly, that's applicable if the machine is part of the AD. In my scenario, the machine is not part of the AD. I do not know if I can still use the ACIDEX information to match on the client machine MAC address before I assign an authorization profile.
All that I need is that, after authenticating the user with Symantec VIP, in the authorization policy I want to match on the client machine MAC address before I assign an authorization profile to that user. Can ACIDEX help in this case?
Using Posture is also a valid solution, and we will use it for users which are part of the AD, but not for users not in the AD.
Ali
09-29-2019 09:12 AM
Yes, ACIDEX provides the MAC addresses of the RA-VPN endpoints.