Restrict VPN connection to authorized devices

anxo.darosa
Level 1

Hello

We have 2 Cisco ISE, who do the authentication.

One Cisco ISE is the master, and the other is the backup.

In our current topology, we use Cisco Anyconnect to connect to the VPN with the AD user.

Now, I can connect to the vpn with any computer, and there are some users who connect to the VPN through their personal computers and leave the data on their personal computers.

I would like to know if it is possible to restrict the VPN connection only to authorized devices, that is, that only corporate computers can connect to the VPN and the others cannot.

I do not know if it would be possible through certificates.

Accepted Solution

@anxo.darosa if you have the ISE licensing you can perform a posture scan and determine if the computer is connected to your AD domain.

Alternatively you can use multiple authentication AAA + certificate, where the certificate is issued by your internal CA. Only your trusted devices would have your certificates.

4 Replies

@Rob Ingram Thanks for your answer.

When you say "if you have the ISE licensing you can perform a posture scan and determine if the computer is connected to your AD domain."

Do you refer to this? Snapshot_1

Because I can't see the computers' names. I have a message "License is out of compliance".

If you aren't talking about this, what is the procedure you are talking about?

Do you have the guide to do this task?

"Alternatively you can use multiple authentication AAA + certificate, where the certificate is issued by your internal CA. Only your trusted devices would have your certificates."

Thanks so much.

@anxo.darosa I cannot tell from that screenshot what the licensing issue is. I was referring to the posture license entitlement, which is available in 3.x with the Premier license.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/qa-c67-744190.html

I don't have a guide, but essentially you'd configure your tunnel-group for both AAA and certificate.

 

tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN webvpn-attributes
 authentication aaa certificate

The client computer would need a user or computer certificate, which would be issued by a CA (such as Microsoft CA) and trusted by the ASA/FTD.

As the certificate is issued by your internal CA, only your domain-joined computers can authenticate.
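A fuller ASA configuration for the AAA + certificate approach described above, added here as an example and not the poster's own config. Trustpoint, certificate-map, tunnel-group, group-policy and aaa-server names, the issuer CN and the ISE addresses are assumed placeholders. It adds the piece a practitioner usually wants on top of `authentication aaa certificate`: restricting which trustpoint may validate client certificates, so a certificate from any other CA the ASA happens to trust (for example the public CA behind the ASA's own identity certificate) is not accepted as a device credential.

```cisco
! Trustpoint holding the internal issuing CA certificate (CA cert pasted in via terminal).
! validation-usage limits this trustpoint to validating VPN client certificates, so a
! client certificate chaining to a different trustpoint on the ASA is not accepted.
crypto ca trustpoint CORP-ISSUING-CA
 enrollment terminal
 revocation-check crl
 crl configure
 validation-usage ssl-client ipsec-client
!
! Certificate map: only certificates whose issuer is the internal CA match.
crypto ca certificate map CORP-DEVICES 10
 issuer-name attr cn eq Corp-Issuing-CA
!
! Map matching client certificates to the corporate tunnel-group.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CORP-DEVICES 10 RAVPN
!
! RADIUS server group pointing at the primary and backup ISE nodes (placeholder addresses).
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.10
 key *****
aaa-server ISE (inside) host 10.0.0.11
 key *****
!
! Both the AD user (via ISE) and a certificate from the internal CA are required.
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 authentication-server-group ISE
 default-group-policy RAVPN-GP
tunnel-group RAVPN webvpn-attributes
 authentication aaa certificate
 group-alias corp enable
```

Check that the default tunnel-groups (DefaultWEBVPNGroup, DefaultRAGroup) are not left reachable with AAA-only authentication, otherwise a personal computer presenting no certificate can still land there and log in with the AD user alone.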

Mike.Cifelli
VIP Alumni

I would like to know if it is possible to restrict the VPN connection only to authorized devices, that is, that only corporate computers can connect to the VPN and the others cannot.

-Adding additional food for thought:

--You can also look into context visibility to determine if there are unique conditions you could potentially utilize in your authz policies that would identify domain devices vs. non-domain devices. There may be something you could quickly target that way which may be less complex and a fast fix. However, the better options would be the ones shared by @Rob Ingram. Certificate-based is more secure and guaranteed to ensure that the trusted domain devices are using VPN. ISE posturing would provide many options to determine if clients connecting are indeed domain clients, but this solution is complex and it requires several things; see here: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

-and there are some users who connect to the VPN through their personal computers and leave the data on their personal computers.

--Since you are using AnyConnect, how are users getting the software and the respective VPN profile onto their personal client? IMO this would require user education on where profiles are located, how to get the software version that your headend supports, etc. I wonder if you could build out a new tunnel group/group policy specifically for domain clients. Then work on migrating to it while figuring out/testing options to restrict non-domain clients.