VPN Quarantine/limited access

I'm looking for a way to create a kind of quarantine for remote vpn users on the ASA.

 

The goal is the following:

1.  End user opens AnyConnect and connects to the ASA.

2.  VPN uses the machine certificate to do initial authentication.

3.  If the machine cert is valid, the user is put in a quarantine/limited access network. If invalid, then no connection is allowed.

4.  After the user is in the quarantine network, the user is prompted for RSA credentials or redirected to a web RSA credential prompt.

5.  If the user authenticates successfully via RSA, they get full access.  If RSA isn't authenticated successfully, they stay in the quarantine/limited access network.

 

We currently have it set up for machine and RSA authentication, but if either fails the connection is denied altogether, which we don't want.  We want to separate the 2 authentications and allow the user to get limited access as long as the machine cert is valid.  We have ISE, but it's not currently doing the authentication; maybe that would help us accomplish this.

 

Anybody have any suggestions or thoughts?

1 Accepted Solution

Accepted Solutions

I haven't tried this personally, but how about leveraging the AnyConnect Management VPN Tunnel (this requires AnyConnect 4.7 and ASA v9.0.1 or later). This establishes a VPN tunnel whenever a user-initiated tunnel is disconnected or the device is on a trusted network.

So perhaps use the Mgmt Tunnel with Machine Certificate authentication, giving the required access you defined. Then allow the user to initiate a connection using RSA and, if successful, allow full access.

HTH


6 Replies

Hi,
I don't see a way of achieving this exactly the way you want, but...

You could define two tunnel-groups: one requiring just certificate authentication, and if successful grant limited access (via DACL); and another profile requiring certificates and RSA, and if successful permit full access. This would be a manual process, with the user selecting the profile when connecting to the VPN.

HTH
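As an added illustration of the two-tunnel-group approach described in this reply (constructed for this page, not RJI's or Cisco's own configuration): one profile authenticates by machine certificate only and lands in a restricted group-policy, the other requires certificate plus RSA and lands in the full-access group-policy. Object names, addresses, pools and the SDI server group are assumed, and a local vpn-filter stands in for the DACL.

```text
! Constructed example: limited-access profile (machine cert only) beside a
! full-access profile (machine cert + RSA SecurID). All names/addresses assumed.

! Quarantine filter: only patch/policy servers reachable from the VPN client
access-list ACL-QUARANTINE extended permit tcp any host 10.10.1.10 eq 443
access-list ACL-QUARANTINE extended permit udp any host 10.10.1.20 eq 53
access-list ACL-QUARANTINE extended deny ip any any

! Separate address pools so quarantined and full-access hosts are distinguishable
ip local pool POOL-QUARANTINE 192.168.50.1-192.168.50.254 mask 255.255.255.0
ip local pool POOL-FULL 192.168.60.1-192.168.60.254 mask 255.255.255.0

! RSA SecurID (SDI) server group used only by the full-access profile
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.10.1.30

group-policy GP-QUARANTINE internal
group-policy GP-QUARANTINE attributes
 vpn-tunnel-protocol ssl-client ikev2
 vpn-filter value ACL-QUARANTINE
 address-pools value POOL-QUARANTINE

group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client ikev2
 address-pools value POOL-FULL

! Profile 1: valid machine certificate only -> limited access
tunnel-group TG-LIMITED type remote-access
tunnel-group TG-LIMITED general-attributes
 default-group-policy GP-QUARANTINE
tunnel-group TG-LIMITED webvpn-attributes
 authentication certificate
 group-alias Limited enable

! Profile 2: machine certificate AND RSA credentials -> full access
tunnel-group TG-FULL type remote-access
tunnel-group TG-FULL general-attributes
 authentication-server-group RSA-SDI
 default-group-policy GP-FULL
tunnel-group TG-FULL webvpn-attributes
 authentication aaa certificate
 group-alias Full enable

! Expose both aliases in the AnyConnect group drop-down
webvpn
 tunnel-group-list enable
```

If ISE performs the authentication, a RADIUS-returned DACL can replace the local vpn-filter on the limited profile; a certificate that fails validation is rejected on either profile, so no connection results.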

Thank You RJI.  I don't think this will work for what we are trying to accomplish.  What about a DAP?

Is it possible to assign tunnel groups based on a dynamic access policy?

Hi,
Only when performing posture scans can you quarantine and provide limited access based on endpoint security attributes (e.g. AV, FW, etc. installed and running), but in order to do that you must have successfully authenticated.

It cannot take an action if authentication passes/fails. If user fails authentication no access is granted, so unfortunately I don't see a way to achieve your requirement.

HTH

Yes, I want the authentication to be passed using the machine certificate.  We can use the always-on VPN to ensure that it's always authenticated, but I don't want the system to have full access while the always-on VPN is on until the user logs on and authenticates via RSA.  At least if the always-on VPN is connected and the machine is on a network, it can continue to get updates and policies.


This sounds like what I'm looking for.  I'm not familiar with the management tunnel so I will have to do some more research and test it out.

 

Thanks.
