
Cisco ISE || How to identify third party machines?

Ahmed Mukhtar
Level 1

Hi Experts!

Please help me out on the following requirement. Thanks in advance!

 

BACKGROUND

We have some third-party contractors that remote-VPN via AnyConnect on our 5525-X firewall. They are NOT part of our Active Directory. We are deploying ISE in our environment & will be using it for authentication & authorization.

 

QUERY

These NON-Active Directory contractors can AnyConnect via any device or any machine they want. We need to limit them & allow only specific machines. Is there any way we could insert a certificate or something on their machine so that we only authorize those machines?

 

Any ideas will be appreciated.

 

2 Replies

Hi @Ahmed Mukhtar 

You could generate a computer certificate and give them the certificate to install into their computer certificate store. When they connect to the ASA, the ASA (not ISE) would authenticate the users only with a valid certificate, and if you are using username/password as well, ISE would authenticate those credentials (just not the certificate).
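The split described in the reply above (certificate checked on the ASA, credentials checked by ISE), as an added ASA configuration example that is not part of the original post. The names CONTRACTORS, ISE-RADIUS and CONTRACTOR-CA, the address 192.0.2.10 and the shared-secret placeholder are assumptions.

```cisco
! Added example. CONTRACTORS, ISE-RADIUS, CONTRACTOR-CA, 192.0.2.10 and the
! shared-secret placeholder are assumed names/values, not from the thread.

! ISE as the RADIUS server that checks the username/password.
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>

! Trustpoint for the CA that issued the contractor computer certificates.
! Import the CA certificate with "crypto ca authenticate CONTRACTOR-CA".
! The ASA validates client certificates against it; ISE never sees them.
crypto ca trustpoint CONTRACTOR-CA
 enrollment terminal
 ! Consult the CRL so a revoked certificate is rejected at connect time.
 revocation-check crl

tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 authentication-server-group ISE-RADIUS
tunnel-group CONTRACTORS webvpn-attributes
 ! Weak setting: "authentication aaa" alone accepts valid credentials
 ! from any device.
 ! Corrected setting: require a valid client certificate (checked by the
 ! ASA) and credentials (sent to ISE over RADIUS).
 authentication aaa certificate
```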

Hi Rob! Thanks for the quick reply.

If I have 50 computers then can the same computer certificate be installed on all of them?

If so, then the contractor can easily install that certificate on another device & log in from there, right?
