04-13-2023 12:16 PM
Per the documentation, what can the local certificate be used for? Can it be used to ensure the machine connecting to the VPN is a member of the domain, or is there a better way to go about that? Don't have an ISE deployment. I can't seem to find additional configuration details about the certificate options.
In contrast, Secure Firewall Posture performs server-side evaluation where the Secure Firewall ASA asks only for a list of endpoint attributes (such as operating system, IP address, registry entries, local certificates, and filenames), and they are returned by Secure Firewall Posture. Based on the result of the policy’s evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.
04-13-2023 12:39 PM - edited 04-13-2023 12:47 PM
@Jack G yes you can use certificate authentication to ensure the device connecting to the VPN is a corporate asset, assuming the device's certificate was issued from your AD via GPO, thus joined to your AD domain.
You don't need ISE for authentication or posture checking, you can use posture checking directly on the ASA using hostscan. The hostscan can check registry settings which can also determine AD domain membership.
04-13-2023 12:47 PM
Understood, but they already use username and password for primary authentication as well as Duo MFA for secondary. Can posture be used to check and ensure the machine certificate was used by the domain before it allows the connection?
04-13-2023 01:27 PM
I am not sure you can use posture to check the certificate. As mentioned before, you could do a registry check to determine if joined to the AD domain.
06-06-2024 06:53 AM
How can you do this through ASDM?
There doesn't seem to be much if any documentation for doing it this way.
04-13-2023 02:17 PM
A long time ago we had pre-login policies as part of Cisco Secure Desktop (CSD), where we could check for a machine certificate pre-authentication and then authenticate with a user certificate, but CSD was deprecated due to security concerns including cache cleaner, secure vault and pre-login policies.
However, we added Multiple Certificate Authentication support which gives the ability to have the ASA validate the machine or device certificate, to ensure the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow VPN access. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/212483-configure-asa-as-the-ssl-gateway-for-any.html
If you used Multiple Certificate Authentication then those certificates could be sent to DAP for further authorization. This was only supported with MCA, but after 9.18 we also added the ability to send the certificate to DAP even if using a single certificate.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv50265
04-14-2023 07:47 AM
I could never understand this enhancement request, because certificate information is passed to DAP in case of single cert auth in older versions too. It's shown in "debug dap trace". For Windows client one can use, for example:
assert(function()
  -- walk every certificate hostscan collected into endpoint.certificate.user
  for k,v in pairs(endpoint.certificate.user) do
    -- match only certificates from the machine store issued by the expected CA
    if (v.subject_store == "capi_machine" and v.issuer_cn == "...") then
      return true
    end
  end
  return false
end)()
The problem however is that hostscan looks through all certificates in both machine and user store (up to a certain limit, in my tests it was 13 certs or so) and not a single certificate which was used during SSL client authentication phase. This makes the feature useless in many scenarios.
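To show how the DAP LUA check above behaves, here is an added example (not from the post or from Cisco) that wraps the same loop in a function and runs it offline against a constructed stand-in for `endpoint.certificate.user`; only `subject_store`, `capi_machine` and `issuer_cn` come from the thread, while `subject_cn` and `endpoint.device.hostname` are assumed attribute names used to tie the machine certificate to the connecting host.

```lua
-- Constructed stand-in for the tables DAP exposes (not real hostscan output).
endpoint = {
  device = { hostname = "LAPTOP-01" },           -- assumed attribute name
  certificate = { user = {
    { subject_store = "capi_user",    issuer_cn = "Corp Issuing CA", subject_cn = "jdoe" },
    { subject_store = "capi_machine", issuer_cn = "Some Public CA",  subject_cn = "LAPTOP-01" },
    { subject_store = "capi_machine", issuer_cn = "Corp Issuing CA", subject_cn = "LAPTOP-01" },
  } }
}

-- Same logic as the post: true if ANY enumerated machine-store certificate
-- was issued by the expected CA. This is the limitation the post describes:
-- the match is not tied to the certificate used during TLS client auth.
function has_corporate_machine_cert(certs, issuer)
  for _, v in pairs(certs) do
    if v.subject_store == "capi_machine" and v.issuer_cn == issuer then
      return true
    end
  end
  return false
end

-- Stricter variant: additionally require the machine cert's subject CN to
-- equal the reported hostname (assumed fields), so a stray corporate cert
-- for a different device in the store does not satisfy the check.
function has_machine_cert_for_this_host(certs, issuer, hostname)
  for _, v in pairs(certs) do
    if v.subject_store == "capi_machine"
       and v.issuer_cn == issuer
       and v.subject_cn == hostname then
      return true
    end
  end
  return false
end

local certs = endpoint.certificate.user
print(has_corporate_machine_cert(certs, "Corp Issuing CA"))
print(has_corporate_machine_cert(certs, "Other CA"))
print(has_machine_cert_for_this_host(certs, "Corp Issuing CA", endpoint.device.hostname))
print(has_machine_cert_for_this_host(certs, "Corp Issuing CA", "OTHER-HOST"))
```

Inside a real DAP record the function body would be wrapped in the `assert(function() ... end)()` form shown in the post, with `endpoint` supplied by hostscan rather than constructed.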
04-17-2023 07:49 PM
The ENH was to add support to DAP directly without LUA.