I am trying to devise a solution to block non-company computers from connecting to our AnyConnect VPN. I am thinking about using a self-signed certificate with a Dynamic Access Policy for this purpose. I have installed the HostScan image 4.9, created and self-signed a certificate on my Cisco ASA, exported it and imported it into a computer's "Trusted Root Certification Authorities" store. How should I develop my DAP to block any computer which does not have the aforementioned certificate installed?
I am thinking of working with the registry value that the installed certificate adds to the computer registry if there is no way to compare the certificate against the Certificate option in Dynamic Access Policies, but I would prefer to use the option that is available.
If using certificate authentication, the connecting computer would need a certificate issued by the ASA. Certificate distribution should be controlled, so no one without your company laptop should have a certificate that they can install on a non-company laptop.
Generally, when using DAP you can identify a corporate asset by checking the registry for the domain value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain, Value = domain.name (your company domain name). If the computer connecting to the VPN is not joined to your AD domain, it will not be able to connect.
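The answer above proposes a registry-based domain check, and the original question asks for a certificate-based one. The following PowerShell script is an added example (not code from the thread or from Cisco) that evaluates both conditions locally on a Windows endpoint, so you can see exactly what a HostScan/DAP endpoint attribute would observe on a given machine before you build the policy. The domain name `corp.example.com` and the certificate thumbprint are placeholders you would replace with your own; the function names are this example's, not ASA or HostScan identifiers.

```powershell
# Added example: local pre-check of the two DAP endpoint attributes discussed in this thread.
# The domain name and thumbprint below are placeholders (assumptions), not values from the thread.
param(
    [string]$ExpectedDomain = 'corp.example.com',
    [string]$RequiredCertThumbprint = '0000000000000000000000000000000000000000'
)

function Get-TcpipDomain {
    # Same key the answer references. On a workgroup (non-joined) machine the
    # Domain value usually exists but is an empty string, so test for content,
    # not merely for the presence of the value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $value = (Get-ItemProperty -Path $key -Name Domain -ErrorAction SilentlyContinue).Domain
    if ([string]::IsNullOrWhiteSpace($value)) { return $null }
    return $value
}

function Test-RequiredCert {
    param([string]$Thumbprint)
    # Look in the LocalMachine Trusted Root store, as in the original poster's setup.
    # Compare by thumbprint rather than subject name so that a look-alike
    # self-signed certificate with the same CN does not satisfy the check.
    $match = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    return [bool]$match
}

function Test-CorporateEndpoint {
    param([string]$Domain, [string]$Thumbprint)
    $reasons = @()

    $actualDomain = Get-TcpipDomain
    if ($null -eq $actualDomain) {
        $reasons += 'Tcpip\Parameters\Domain is empty: machine is not domain-joined'
    } elseif ($actualDomain -ne $Domain) {
        $reasons += "Domain '$actualDomain' does not match expected '$Domain'"
    }

    $hasCert = Test-RequiredCert -Thumbprint $Thumbprint
    if (-not $hasCert) {
        $reasons += "Certificate with thumbprint $Thumbprint not found in LocalMachine\Root"
    }

    # Both attributes must pass, mirroring a DAP record whose endpoint criteria are ANDed.
    return [pscustomobject]@{
        Compliant   = ($reasons.Count -eq 0)
        Domain      = $actualDomain
        HasCert     = $hasCert
        Reasons     = $reasons
    }
}

Test-CorporateEndpoint -Domain $ExpectedDomain -Thumbprint $RequiredCertThumbprint | Format-List
```

Run it as administrator on a domain-joined laptop and on a workgroup machine and compare the `Reasons` output; whichever attribute distinguishes the two is the one to encode in the DAP endpoint criteria. One caveat that follows from the answer above: a certificate sitting in the Trusted Root store is public material, so anyone who obtains the exported .cer file can install it on a non-company machine. A presence check on such a certificate identifies a machine that has been provisioned; only certificate authentication against a certificate whose private key was issued under controlled distribution proves it.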
In our case, a certificate is the perfect solution, since not all the computers are necessarily joined to the domain, and besides, different Windows versions have different registry paths.
I generated a certificate with a private key on the ASA and imported it into my computer's certificate stores (Trusted Root, Trusted Publishers) in both the Machine and User stores, but unfortunately it did not let me establish the VPN. Here is the "debug dap trace" output.