Machine Authentication Using ASA VPN w/ ISE

DARRIN GOOD
Level 1

I am working on an ISE / VPN project.  The customer would like to apply different posture policies depending on whether the device is / isn’t a corporate device.

I have Authentication, Authorization, and Posture working well.  I just cannot separate the posture decisions.

We are authenticating the individual users using AD and Duo as a secondary authentication source.

I have talked to TAC and have been told that since I am not authenticating the device, I cannot use any of the device's information in my authorization or posturing rules.  I also cannot use AD for profiling as I am not authenticating the device.

However, another TAC engineer said we can do it but he has not been able to recommend a way to do it.  We have APEX and PLUS licensing for ISE as well as AnyConnect.  I do not want to use DAP or CSD, but will if I have to.  We also have the ability to add machine certificates to the corporate devices.

The only information I have found for authenticating Machine certificates through a VPN session talks about using the ASA to authenticate the certificate.  Can we authenticate the machine and user information through an ASA VPN session utilizing ISE?

Thank you.

Accepted Solution

It is possible to have ASA perform auth using machine cert and then have secondary user auth to ISE.  You could also leverage AnyConnect with ACIDEX to transmit the MAC or UDI and compare to value in AD/LDAP.  Posture checks could also validate registry breadcrumbs that indicate corp device.  It has been a while since I checked logic but it may be possible to combine the checks so that user is compliant if breadcrumbs condition AND AV-Policy-1 is met OR no breadcrumbs and AV-Policy-2 is met.

Craig
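The first approach in the accepted answer, shown as an added ASA configuration example (not Craig's config and not taken from Cisco documentation): the ASA validates the AnyConnect client's machine certificate against a certificate map and then sends the user's credentials to ISE over RADIUS, with accounting and CoA enabled so ISE posture can work. The server group name, tunnel-group and group-policy names, the 192.0.2.10 address, the redirect ACL name and the issuing-CA CN are all assumed values.

```text
! Assumed names and addresses; replace with your own.
! Posture needs RADIUS accounting and CoA (dynamic-authorization) to ISE.
aaa-server ISE-RADIUS protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813
!
! Only accept machine certs issued by the corporate issuing CA (CN assumed).
crypto ca certificate map CORP-MACHINE 10
 issuer-name attr cn eq corp-issuing-ca
!
! ACL that ISE references by name in its url-redirect-acl attribute
! during the posture redirect; DNS and traffic to ISE stay unredirected.
access-list ISE-POSTURE-REDIRECT extended deny udp any any eq domain
access-list ISE-POSTURE-REDIRECT extended deny ip any host 192.0.2.10
access-list ISE-POSTURE-REDIRECT extended permit tcp any any eq www
access-list ISE-POSTURE-REDIRECT extended permit tcp any any eq https
!
group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 ! Certificate is checked by the ASA first, then AAA (ISE) for the user.
 authentication aaa certificate
 group-alias CORP-VPN enable
!
! Map connections presenting a matching machine cert to the tunnel-group.
webvpn
 certificate-group-map CORP-MACHINE 10 CORP-VPN
```

In this design ISE still only sees the user credentials; the machine-certificate decision stays on the ASA, which is why the corp/non-corp split in ISE policy has to come from the ACIDEX attributes or posture breadcrumbs the answer mentions.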

4 Replies

howon
Cisco Employee

I don't believe there is a simple way to achieve this. Just curious, what kind of policy are you planning to enforce on corp. device vs. personal device?

We are trying to check to ensure that SCCM has no updates and that their internal AV meets certain specifications.

For non-corporate devices, we want to simply check for current AV and possibly run a scan of the system.

Darrin Good, CCIE #23586, CISSP #47221

Sr Security Architect

2264 S Bonito Way, Suite 150

Meridian, ID 83642

(208) 488-7221 – Work

(208) 794-9938 – Mobile

dgood@Compunet.biz

csco11845607
Level 1

Hi, did you succeed in separating corp and non-corp devices for posture? Could you share how you solved that?