I am trying to devise a solution to block non-company computers from connecting to our AnyConnect VPN. I am thinking about using a self-signed certificate together with a Dynamic Access Policy for this purpose. I have installed the HostScan image 4.9, created a self-signed certificate on my Cisco ASA, exported it and imported it into a computer's "Trusted Root Certification Authorities" store. How should I develop my DAP so that it blocks any computer which does not have the aforementioned certificate installed?
I am thinking of working with the registry value that the installed certificate adds to the computer's registry if there is no way to compare the certificate against the Certificate option in Dynamic Access Policies, but I would prefer to use the option that is available.
If using certificate authentication, the connecting computer would need a certificate issued by the ASA. Certificate distribution should be controlled, so no one without your company laptop should have a certificate that they can install on a non-company laptop.
Generally, when using DAP you can identify a corporate asset by checking the registry for the domain value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain Value=domain.name (your company domain name). If the computer connecting to the VPN is not joined to your AD domain, it will not be able to connect.
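The two endpoint attributes discussed so far (the `Tcpip\Parameters\Domain` registry value from the reply above, and the ASA-issued root certificate from the original question) can be inspected on a candidate laptop before the DAP is written, so that an admin knows exactly what HostScan will see. The following PowerShell script is an added example and is not part of this thread or of any Cisco tooling; `$ExpectedDomain` and `$ExpectedThumbprint` are placeholders to be replaced with your own domain name and the thumbprint of the certificate you exported from the ASA.

```powershell
# Added example (not from the thread): pre-flight check an admin can run on an
# endpoint to see the two attributes proposed as DAP conditions:
#   1. the Tcpip\Parameters\Domain registry value (domain-join indicator)
#   2. presence of the ASA-issued root certificate in the machine Root store
# Both parameter defaults are placeholders; substitute your own values.
param(
    [string]$ExpectedDomain     = 'corp.example.com',                           # placeholder
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'    # placeholder
)

function Test-DomainRegistryValue {
    param([string]$Expected)
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $actual = (Get-ItemProperty -Path $key -Name Domain -ErrorAction SilentlyContinue).Domain
    [pscustomobject]@{
        Check    = 'Registry Domain value'
        Expected = $Expected
        Actual   = if ($actual) { $actual } else { '<empty or missing>' }
        # DNS names are case-insensitive, so compare with -ieq
        Pass     = ($null -ne $actual -and $actual -ieq $Expected)
    }
}

function Test-RootCertificatePresent {
    param([string]$Thumbprint)
    # HostScan evaluates machine state, so look in LocalMachine rather than CurrentUser
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -ieq $Thumbprint }
    [pscustomobject]@{
        Check    = 'Root cert in LocalMachine\Root'
        Expected = $Thumbprint
        Actual   = if ($cert) { $cert.Subject } else { '<not found>' }
        Pass     = [bool]$cert
    }
}

$results = @(
    (Test-DomainRegistryValue   -Expected   $ExpectedDomain),
    (Test-RootCertificatePresent -Thumbprint $ExpectedThumbprint)
)
$results | Format-Table -AutoSize

# Non-zero exit code if any check failed, so the script can be used in a login script or RMM job
if ($results.Pass -contains $false) { exit 1 } else { exit 0 }
```

Run it from an elevated Windows PowerShell prompt on a laptop that should pass and on one that should fail, and compare the `Actual` column with what `debug dap trace` reports for the same endpoint. Note that the certificate check is a presence check only: a public certificate in the Trusted Root store can be copied to any machine, which is why the reply above stresses controlling certificate distribution; a certificate that proves device identity has to be one whose private key stays on the company laptop and is used for certificate authentication rather than merely looked up in the store.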
In our case, a certificate is the perfect solution, since not all the computers are necessarily joined to the domain, and besides, different Windows versions have different registry paths.
I generated a certificate with a private key on the ASA and imported it into my computer's certificate stores (Trusted Root, Trusted Publishers) in both the Machine and User stores, but unfortunately it did not let me establish the VPN. Here is the "debug dap trace" output.