Secure Client/AnyConnect posture, local certificate option?

Jack G
Level 1

Per the documentation, what can the local certificate be used for? Can it be used to ensure the machine connecting to the VPN is a member of the domain, or is there a better way to go about that? We don't have an ISE deployment. I can't seem to find additional configuration details about the certificate options.

Cisco Secure Client (including AnyConnect) Administrator Guide, Release 5 - Configure Posture [Cisco Secure Client (including AnyConnect)] - Cisco

In contrast, Secure Firewall Posture performs server-side evaluation where the Secure Firewall ASA asks only for a list of endpoint attributes (such as operating system, IP address, registry entries, local certificates, and filenames), and they are returned by Secure Firewall Posture. Based on the result of the policy’s evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.


7 Replies

@Jack G yes, you can use certificate authentication to ensure the device connecting to the VPN is a corporate asset, assuming the device's certificate was issued from your AD via GPO and it is thus joined to your AD domain.

You don't need ISE for authentication or posture checking; you can do posture checking directly on the ASA using HostScan. HostScan can check registry settings, which can also determine AD domain membership.

Understood, but they already use username and password for primary authentication as well as Duo MFA for secondary. Can posture be used to check and ensure the machine certificate was issued by the domain before it allows the connection?

I am not sure you can use posture to check the certificate. As mentioned before, you could do a registry check to determine if joined to the AD domain.

How can you do this through ASDM?

There doesn't seem to be much if any documentation for doing it this way.

Gustavo Medina
Cisco Employee

A long time ago we had pre-login policies as part of Cisco Secure Desktop (CSD), where we could check for a machine certificate pre-authentication and then authenticate with a user certificate, but CSD was deprecated due to security concerns, including Cache Cleaner, Secure Vault and pre-login policies.
However, we added Multiple Certificate Authentication support, which gives the ASA the ability to validate the machine or device certificate, to ensure the device is a corporate-issued device, in addition to authenticating the user's identity certificate to allow VPN access. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/212483-configure-asa-as-the-ssl-gateway-for-any.html

If you used Multiple Certificate Authentication, then those certificates could be sent to DAP for further authorization. This was only supported with MCA, but after 9.18 we also added the ability to send the certificate to DAP even when using a single certificate.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv50265

I could never understand this enhancement request, because certificate information is passed to DAP in the case of single-certificate authentication in older versions too. It's shown in "debug dap trace". For a Windows client one can use, for example:

assert(function()
    -- Walk every certificate HostScan collected from the endpoint
    for k, v in pairs(endpoint.certificate.user) do
        -- Match a certificate held in the Windows machine store (capi_machine)
        -- that was issued by the expected CA (fill in the issuer CN)
        if (v.subject_store == "capi_machine" and v.issuer_cn == "...") then
            return true
        end
    end
    return false
end)()

The problem, however, is that HostScan looks through all certificates in both the machine and user store (up to a certain limit; in my tests it was 13 certs or so) and not at the single certificate which was used during the SSL client authentication phase. This makes the feature useless in many scenarios.
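To make the posted DAP check and its limitation concrete, here is an added example that is not from the thread or from Cisco. It runs in plain Lua 5.x against a constructed stand-in for the ASA's endpoint table; the only attribute names used are the ones shown in the post above (subject_store, issuer_cn, capi_machine), and the CA name is a placeholder.

```lua
-- Constructed stand-in for the ASA DAP "endpoint" table (not real ASA data).
-- It mimics what HostScan enumerates: every certificate in the user and
-- machine stores, not just the one used for SSL client authentication.
local CORP_CA = "CORP-ISSUING-CA"  -- placeholder issuer CN, substitute your own

local endpoint_corp = {
  certificate = {
    user = {
      { subject_store = "capi_user",    issuer_cn = "Some Public CA" },
      { subject_store = "capi_machine", issuer_cn = CORP_CA },
    },
  },
}

-- Same shape, but no machine-store certificate from the corporate CA.
local endpoint_other = {
  certificate = {
    user = {
      { subject_store = "capi_user",    issuer_cn = "Some Public CA" },
      { subject_store = "capi_machine", issuer_cn = "Vendor Device CA" },
    },
  },
}

-- The check as posted (typo fixed): true if ANY enumerated certificate sits in
-- the machine store and was issued by the expected CA.
local function has_corp_machine_cert(endpoint, issuer)
  for _, v in pairs(endpoint.certificate.user) do
    if v.subject_store == "capi_machine" and v.issuer_cn == issuer then
      return true
    end
  end
  return false
end

-- Evaluate both endpoints. Note the limitation raised in the thread: the
-- first endpoint passes regardless of which certificate actually performed
-- client authentication, because the check only proves that a matching
-- certificate is present somewhere in the store.
print("corp endpoint  :", has_corp_machine_cert(endpoint_corp,  CORP_CA))  -- true
print("other endpoint :", has_corp_machine_cert(endpoint_other, CORP_CA))  -- false
```

On the ASA the function body would be wrapped in `assert(function() ... end)()` as in the post, with the ASA supplying the real endpoint table.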


The ENH was to add support to DAP directly without Lua.
