cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

870
Views
0
Helpful
3
Replies
ramin.zamani
Beginner

Certificates in Dynamic Access Policy

Hello everyone,

 

I am trying to devise a solution to block non company computers from connecting to our Anyconnect VPN. I am thinking about using a self-singed certificate using Dynamic Access policy for this purpose. I have installed Host Scan image 4.9, created and self signed a certificate using my Cisco ASA, exported and imported it into a computer "Trusted Root Certification Authorities" location. How should I develop my DAP to be able to block any computer which does not have the aforementioned certificate installed?

Any help is greatly appreciated.

Thanks,

Ramin

3 REPLIES 3
ramin.zamani
Beginner

Anybody having any idea how to get this to work?

I am thinking to work with the registry value that the installed certificate adds to the computer registry if there is no solution to compare the certificate against Certificate option in Dynamic Access Policies but prefer to use the option available.

Any help is appreciated.

Ramin

@ramin.zamani 

If using certificate authentication the connecting computer would need a certificate issued by the ASA. Certificate distribution should be controlled, so no one without your company laptop should have a certificate that they can install on a non-company laptop.

 

Generally when using DAP you can identify a corporate asset to check the registry for the domain value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain Value=domain.name (your company domain name). If the computer connected to the VPN is not joined to your AD domain then they will not be able to connect.

 

HTH

Hello Rob,

In our case, certificate is the perfect solution since not all the computers are necessarily joined to domain and besides in different windows versions, there are different registry paths.

I generated a certificate with a Private Key by ASA and imported it into my computer cert stores (Trusted Root, Trusted Publishers) in both Machine and User stores but unfortunately it did not let me establish VPN. Here is "debug dap trace" output.

 

AnyconnectIssue-1.png

 

Also you can see my DAP configuration below.

 

AnyconnectIssue-2.png  

 

Thanks for your help.

Ramin