Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1632
Views
0
Helpful
3
Replies

Certificates in Dynamic Access Policy

ramin.zamani
Level 1
Level 1

‎12-08-2020 09:31 AM

Hello everyone,

 

I am trying to devise a solution to block non company computers from connecting to our Anyconnect VPN. I am thinking about using a self-singed certificate using Dynamic Access policy for this purpose. I have installed Host Scan image 4.9, created and self signed a certificate using my Cisco ASA, exported and imported it into a computer "Trusted Root Certification Authorities" location. How should I develop my DAP to be able to block any computer which does not have the aforementioned certificate installed?

Any help is greatly appreciated.

Thanks,

Ramin

1 person had this problem
0 Helpful
3 Replies 3

ramin.zamani
Level 1
Level 1

‎04-21-2021 09:56 AM

Anybody having any idea how to get this to work?

I am thinking to work with the registry value that the installed certificate adds to the computer registry if there is no solution to compare the certificate against Certificate option in Dynamic Access Policies but prefer to use the option available.

Any help is appreciated.

Ramin

0 Helpful

Rob Ingram
VIP
VIP
In response to ramin.zamani

‎04-21-2021 10:15 AM

@ramin.zamani 

If using certificate authentication the connecting computer would need a certificate issued by the ASA. Certificate distribution should be controlled, so no one without your company laptop should have a certificate that they can install on a non-company laptop.

 

Generally when using DAP you can identify a corporate asset to check the registry for the domain value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain Value=domain.name (your company domain name). If the computer connected to the VPN is not joined to your AD domain then they will not be able to connect.

 

HTH

0 Helpful

ramin.zamani
Level 1
Level 1
In response to Rob Ingram

‎04-26-2021 03:49 PM

Hello Rob,

In our case, certificate is the perfect solution since not all the computers are necessarily joined to domain and besides in different windows versions, there are different registry paths.

I generated a certificate with a Private Key by ASA and imported it into my computer cert stores (Trusted Root, Trusted Publishers) in both Machine and User stores but unfortunately it did not let me establish VPN. Here is "debug dap trace" output.

 

AnyconnectIssue-1.png

 

Also you can see my DAP configuration below.

 

AnyconnectIssue-2.png  

 

Thanks for your help.

Ramin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card