12-05-2016 08:38 AM
I am working on an ISE / VPN project. The customer would like to apply different posture policies depending on whether the device is / isn’t a corporate device.
I have Authentication, Authorization, and Posture working well. I just cannot separate the posture decisions.
We are authenticating the individual users using AD and Duo as a secondary authentication source.
I have talked to TAC and have been told that since I am not authenticating the device, I cannot use any of the device's information in my authorization or posturing rules. I also cannot use AD for profiling as I am not authenticating the device.
However, another TAC engineer said we can do it but he has not been able to recommend a way to do it. We have APEX and PLUS licensing for ISE as well as AnyConnect. I do not want to use DAP or CSD, but will if I have to. We also have the ability to add machine certificates to the corporate devices.
The only information I have found for authenticating Machine certificates through a VPN session talks about using the ASA to authenticate the certificate. Can we authenticate the machine and user information through an ASA VPN session utilizing ISE?
Thank you.
12-10-2016 12:48 PM
It is possible to have ASA perform auth using the machine cert and then have secondary user auth to ISE. You could also leverage AnyConnect with ACIDEX to transmit the MAC or UDI and compare it to the value in AD/LDAP. Posture checks could also validate registry breadcrumbs that indicate a corp device. It has been a while since I checked the logic, but it may be possible to combine the checks so that the user is compliant if the breadcrumbs condition AND AV-Policy-1 is met OR no breadcrumbs and AV-Policy-2 is met.
Craig
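As an added illustration of the first option above (this is constructed example configuration, not from Craig's post or from Cisco documentation), an ASA tunnel-group that requires a machine certificate and then performs user AAA against ISE over RADIUS; the server tag, host address, group names and the shared secret are assumptions.

```text
! Constructed example: names, address and key are placeholders
aaa-server ISE-RADIUS protocol radius
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 ! certificate must validate first, then user credentials go to ISE
 authentication aaa certificate
 group-alias corp enable
```

With this setup the certificate is validated by the ASA, so the ISE session still only carries the user identity; to let the ISE posture policy distinguish corporate from non-corporate devices you still need one of the other signals in the answer (ACIDEX UDI/MAC or the registry breadcrumb checks).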
12-06-2016 07:36 AM
I don't believe there is a simple way to achieve this. Just curious, what kind of policy are you planning to enforce on corp. devices vs. personal devices?
12-06-2016 08:04 AM
We are trying to check to ensure that SCCM has no updates and that their internal AV meets certain specifications.
For non-corporate devices, we want to simply check for current AV and possibly run a scan of the system.
Darrin Good, CCIE #23586, CISSP #47221
Sr Security Architect
2264 S Bonito Way, Suite 150
Meridian, ID 83642
(208) 488-7221 – Work
(208) 794-9938 – Mobile
dgood@Compunet.biz
10-26-2017 07:58 AM
Hi, did you succeed in separating corp and non-corp devices for posture? Could you share how you solved that?