
Non AD users using Anyconnect and ISE

Asfandyar70754
Level 1

Hi guys

We have some third-party employees that VPN using AnyConnect on a 5525-X ASA.

The thing is that they are not part of our AD. We want to deploy ISE in our network and we are looking to authenticate/authorize users using ISE instead of the ASA.

Usually non-AD users can use AnyConnect from any laptop they want, but we are thinking of limiting this: we want these non-AD users to connect via AnyConnect using only company-assigned laptops. Is there some way we can do this? Maybe there is some feature in posturing?

Would really appreciate if you guys can help me out here.


10 Replies

@Asfandyar70754 

Use ISE posture (or ASA Dynamic Access Policies) to check which AD domain the computer is joined to and for the corporate-issued AV/AM software or other attributes unique to your domain. If the device does not meet these requirements, they can be denied access.

Hello Rob

Thank you for your reply.

Unfortunately the users (3rd-party users/contractors) are not in AD; that is the issue.

Can we install some sort of certificate in their devices to ensure that they use only assigned devices?

If you like, you can also create 3rd-party users in AD, without any other resource access (that is what we do).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

Is this the only solution?

We have a number of new contractors every other month; we want to avoid the hassle of creating users in AD again and again.

TIA

Do the users not require any local access? You can use a local account, but that is not best (as your requirement differs from that of many other 3rd parties).

Or set up a different authentication source for these 3rd parties in your area.

BB


Accepted Solution

@Asfandyar70754

Fine, you can use the ISE Local Identity Store for the user accounts... but you are issuing them with an AD-joined corporate laptop, so why not give them an AD user account?

You can check both machine and user attributes as part of your authorization condition.

The machine check can be things like presence of a registry key showing the computer is domain-joined or a field in a certificate (for instance the issuing CA) or any number of other checks. Of course the certificate check assumes an enterprise CA is already setup and able to issue certificates to machines.

So the check could be IF machine has key xxx and user is member of ISE local identity group yyy (i.e., NOT AD authentication for the user) then assign an Authorization result that is appropriate for third party employees.
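To make the certificate branch of the check above concrete, here is an added example (written for this edit, not code from the thread or from Cisco). It builds an enterprise CA, issues a machine certificate from it, then builds a second, rogue CA that copies the enterprise CA's subject name and issues a certificate from that. A check that only compares the Issuer DN string accepts both certificates; a check that validates the chain against the trusted CA accepts only the genuine one. The CA names, hostnames and function names are all constructed for the example. The practitioner's point is that an issuer-based authorization condition is only as good as the chain validation that ran before it, so the enterprise CA, and only that CA, must be in the authentication server's trusted store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA with the given common name (constructed for
// the example; a real deployment uses the enterprise PKI).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueMachineCert has ca sign a client-auth certificate for hostname and
// returns it PEM-encoded, as a VPN client would present it.
func issueMachineCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func parsePEM(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM certificate found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// IssuerDNMatches is the weak check: it only compares the Issuer name string
// with the trusted CA's Subject. Anyone can mint a certificate with that name.
func IssuerDNMatches(certPEM []byte, trustedCA *x509.Certificate) bool {
	cert, err := parsePEM(certPEM)
	if err != nil {
		return false
	}
	return cert.Issuer.String() == trustedCA.Subject.String()
}

// IssuedByEnterpriseCA is the real check: the certificate must chain to the
// trusted enterprise CA (signature, validity, basic constraints) and carry the
// client-authentication EKU. Returns nil when the machine passes.
func IssuedByEnterpriseCA(certPEM []byte, trustedCA *x509.Certificate) error {
	cert, err := parsePEM(certPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	// Constructed scenario: the enterprise CA, and a rogue CA that copies its name.
	corpCA, corpKey := newCA("Corp Issuing CA")
	rogueCA, rogueKey := newCA("Corp Issuing CA")
	good := issueMachineCert(corpCA, corpKey, "LAPTOP-CONTRACTOR-01")
	forged := issueMachineCert(rogueCA, rogueKey, "attacker-laptop")

	fmt.Println("genuine cert, DN match only:", IssuerDNMatches(good, corpCA))
	fmt.Println("forged cert,  DN match only:", IssuerDNMatches(forged, corpCA))
	fmt.Println("genuine cert, chain verify :", IssuedByEnterpriseCA(good, corpCA))
	fmt.Println("forged cert,  chain verify :", IssuedByEnterpriseCA(forged, corpCA))
}
```

Run it as is to see the four results: both certificates pass the DN-only comparison, and only the genuine one passes chain validation. The same rule applies wherever the issuing CA is used as a machine attribute in an authorization condition: match on the issuer field only after the signature chain has been verified against the enterprise CA.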

Hello Marvin

Thanks a lot for your response.

Can you please share some document on registering the certificates?

Hi @Marvin Rhoads

Thank you for your response. Your response seems most viable.

Can you please share some document on registering certificates?

TIA
