AnyConnect VPN Client DHCP Profiling in ISE to tell Corporate from BYOD

rick505d3
Level 1

Hi,

I am trying to get the AnyConnect VPN client device's hostname in ISE. The DHCP profiling probe is enabled on ISE and works for LAN devices.

AnyConnect is version 4.6. The headend firewall is an FTD 2110 running 6.2.3. ISE is running 2.4 patch 5.

The VPN client gets an IP address via DHCP. The DHCP server (Windows) shows the active lease and displays the client's hostname correctly. ISE is also configured as a 3rd DHCP server on the FTD for profiling purposes. However, ISE DHCP profiling of AnyConnect clients is not working, as ISE sees the DHCP request coming from the FTD's MAC address (confirmed on ISE through a tcpdump capture). ISE creates a new Endpoint record for the FTD's MAC address and shows the client's hostname under it. When a new client connects, ISE updates the FTD Endpoint record with that client's hostname. The actual client's MAC address also gets created as an Endpoint in ISE but misses all the DHCP-related profiling info, most importantly for me the host-name attribute.

My question is whether there is a command to tell the FTD to send the original client's MAC address in the DHCP discover message instead?

I need the above as a guesstimate to tell apart Corporate from BYOD VPN devices. The customer doesn't have a CA deployment, so corporate devices can't be identified through certificates. My intention is to use the ISE AD Profiling Probe to assess that a device really is a corporate asset. The AD Profiling Probe relies on the hostname of the device to validate AD join status. I can't use DNS-based probing as there is no DDNS setup on the central DHCP/DNS servers for VPN clients. ISE Posture could be an option (check for a certain registry key for AD join), but even the latest FTD code, 6.3, doesn't seem to support ISE Posture. Is there any other way we can identify VPN corporate from VPN BYOD devices?

Regards, 

Rick.
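
The collision described in the post, as an added example (not from the original post or from Cisco): a minimal DHCP DISCOVER builder and parser, fed constructed packets, showing why a profiler keyed on the chaddr field stores one hostname per headend MAC and overwrites it on every new VPN client, while a LAN client keeps its own record. The MAC addresses and hostnames are constructed test values.

```python
import struct

# BOOTP/DHCP fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr (chaddr, sname, file are appended after it)
HEADER = struct.Struct("!BBBBIHHIIII")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_HOST_NAME, OPT_END = 53, 12, 255

def build_discover(chaddr, hostname, xid=0x3903F326):
    """Build a minimal DHCPDISCOVER carrying option 12 (constructed test data)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    fixed = HEADER.pack(1, 1, len(mac), 0, xid, 0, 0x8000, 0, 0, 0, 0)
    fixed += mac.ljust(16, b"\x00") + bytes(64) + bytes(128)   # chaddr, sname, file
    host = hostname.encode()
    options = bytes([OPT_MSG_TYPE, 1, 1, OPT_HOST_NAME, len(host)]) + host
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])

def parse_dhcp(pkt):
    """Return (chaddr as colon-hex, option 12 host-name) from a raw DHCP payload."""
    hlen = pkt[2]
    chaddr = pkt[HEADER.size:HEADER.size + hlen].hex(":")
    off = HEADER.size + 16 + 64 + 128          # skip chaddr, sname, file
    if pkt[off:off + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    off += 4
    options = {}
    while off < len(pkt) and pkt[off] != OPT_END:
        if pkt[off] == 0:                      # pad option has no length byte
            off += 1
            continue
        code, length = pkt[off], pkt[off + 1]
        options[code] = pkt[off + 2:off + 2 + length]
        off += 2 + length
    return chaddr, options.get(OPT_HOST_NAME, b"").decode("ascii", "replace")

def profile_endpoints(packets):
    """Mimic a DHCP profiler keyed on chaddr: each request overwrites the
    hostname stored for that MAC, so a headend that sources every relayed
    DISCOVER from its own interface MAC yields a single, churning record."""
    endpoints = {}
    for pkt in packets:
        mac, hostname = parse_dhcp(pkt)
        endpoints[mac] = hostname
    return endpoints

FTD_MAC = "02:00:00:aa:bb:cc"   # constructed headend MAC, not a real device
LAN_MAC = "02:00:00:11:22:33"   # constructed LAN client MAC
```

Run parse_dhcp over the UDP payloads from the tcpdump capture mentioned above to confirm which MAC the headend is placing in chaddr.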

3 Replies

I don't think you can do much in FTD. If it is ASA, I would advise going for ISE authorization for VPN connections, which will help to profile using RADIUS attributes. From the RADIUS attributes you will get the correct MAC address of the endpoint and map it to AD using the hostname, which will achieve what you are looking for. I am using it and it is working perfectly.

The problem with FTD is that it doesn't support CoA yet, which makes ISE authorization for FTD AnyConnect not possible yet. Hence, I stayed with ASA and the FirePOWER service module instead of FTD for the VPN headend.

Thanks Muhammed,

Firepower 6.3 does seem to support CoA - https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#id_RADIUS_CoA

I get the correct MAC address (as a unique Endpoint record in ISE), which shows all relevant RADIUS attributes under it. The issue is that it doesn't have any hostname field, so the AD probe doesn't work.

Which RADIUS attributes are you using for profiling?

Regards, 

Rick. 

Hi Rick,

I didn't know that 6.3 is already out. I will be testing the feature with it. ASA-TLVs are used to send the hostname to NAC, which it uses to scan AD.