Solved: Posture for VPN Users

scamarda · ‎01-10-2020

Looking for creative ideas. I have a customer with ASA/AnyConnect/Hostscan. They are looking for ISE to replace Hostscan. With Host Scan, the customer has one tunnel-group with two types of users connecting. 1) Corp User with Corp Device, 2) Corp User with Personal Device. They also check for AV. Authentication is done via username/password. Customer not interested in Cert Auth. This all works but client ends up in a non compliant state and is indicated this in the AnyConnect client status.

With ISE and password auth, to check for Corp Device, I have to do via Posture since I don't believe I anything else to identify if it as a Corp asset in the authentication/authorization part. I know I can manipulate MAC address but that is not scalable for the customer. I can do this via Tunnel Group isolation but the customer is not wanting to have multiple tunnel groups. Hostscan is able to combine the corp asset registry check in as part of the session initiation.

I could use device name but I don't see that as a visible attribute in the live log summary.Are there any other ways to validate corp asset status in the Authorization phase?

Mike.Cifelli · ‎01-13-2020

What about separating the two and setting up separate Posture policy checks for each use case? You can accomplish this via referencing the tunnel-group name under Other Conditions. Then identify what checks you wish to perform for each use case. Doing it this way you should be able to avoid a corp user with personal device seeing 'non-compliant'. HTH!

View solution in original post

Mike.Cifelli · ‎01-10-2020

IMO you have a couple of options:
1- Add a profiled endpoint L2 group in your authz condition that is a bucket for corporate assets based on several conditions of your choice. The one of interest for this topic would be the AD-Host-Exists:EQUALS=true; Downside with this is the customer will need plus licenses on top of the base since you would be pushing authz policy based on profiled groups.
2- Rely on posture module and checks to scan registry to ensure host is a member of your domain. Check for reg key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain <yourdomain>

scamarda · ‎01-12-2020

Thanks for the reply.

For option 1 - That will not work because the user is coming in via VPN. I can only check user, cannot check machine.

For option 2 - I can use posture to validate, but personal machines not connected to the domain will fail the check, thus get 'Not Compliant" status. I know that Not Compliant access can be anything I want it to be but the AnyConnect Posture Status will show "Not Compliant". That will prob cause user confusion and be a management hassle.

Mike.Cifelli · ‎01-13-2020

What about separating the two and setting up separate Posture policy checks for each use case? You can accomplish this via referencing the tunnel-group name under Other Conditions. Then identify what checks you wish to perform for each use case. Doing it this way you should be able to avoid a corp user with personal device seeing 'non-compliant'. HTH!

scamarda · ‎01-14-2020

Hi Mike thanks for the responses. That's how we are going to have to proceed. Different tunnel groups are the best way to solve this. Thanks again.

Sam