07-24-2019 08:41 AM - edited 02-21-2020 09:20 AM
I'm looking for a way to create a kind of quarantine for remote vpn users on the ASA.
The goal is the following:
1. End user opens AnyConnect and connects to the ASA.
2. VPN uses the machine certificate to do initial authentication.
3. If the machine cert is valid, the user is put in a quarantine/limited access network. If invalid, then no connection is allowed.
4. After the user is in the quarantine network, the user is prompted for RSA credentials or Redirected to Web RSA credential prompt.
5. If the user authenticates successfully via RSA, they get full access. If RSA isn't authenticated successfully, they stay in the quarantine/limited access network.
We currently have it set up for machine and RSA authentication, but if either fails the connection is denied altogether, which we don't want. We want to separate the 2 authentications and allow the user to get limited access as long as the machine cert is valid. We have ISE but it's not currently doing the authentication; maybe that would help us accomplish this.
Anybody have any suggestions or thoughts?
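One way to express the "quarantine/limited access" half of this design on the ASA is a certificate-only tunnel group whose default group policy carries a restrictive vpn-filter ACL, with a second, unfiltered policy reserved for sessions that later pass RSA. This is an added illustration, not configuration from the thread or from Cisco; the names (QUARANTINE-FILTER, GP-QUARANTINE, GP-FULL, TG-CERT) and the 10.0.0.0/24 update/policy server addresses are assumed placeholders, and the RSA step that moves a session to GP-FULL (via ISE/RADIUS or DAP) is not shown.

```cisco
! Traffic a quarantined machine may reach: patch/policy servers only.
! 10.0.0.10 and 10.0.0.11 are placeholder addresses for this example.
access-list QUARANTINE-FILTER extended permit tcp any host 10.0.0.10 eq 443
access-list QUARANTINE-FILTER extended permit tcp any host 10.0.0.11 eq 443
access-list QUARANTINE-FILTER extended permit udp any host 10.0.0.10 eq 53
access-list QUARANTINE-FILTER extended deny ip any any
!
! Limited-access policy: applied to every session until RSA succeeds.
group-policy GP-QUARANTINE internal
group-policy GP-QUARANTINE attributes
 vpn-filter value QUARANTINE-FILTER
 vpn-tunnel-protocol ssl-client
!
! Full-access policy with no vpn-filter; assigned only after RSA auth.
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client
!
! Tunnel group that authenticates with the machine certificate only.
! A machine with an invalid cert is rejected here; a valid one lands in
! GP-QUARANTINE by default.
tunnel-group TG-CERT type remote-access
tunnel-group TG-CERT general-attributes
 default-group-policy GP-QUARANTINE
tunnel-group TG-CERT webvpn-attributes
 authentication certificate
```

Check the result with `show vpn-sessiondb anyconnect`, which lists the group policy and filter name in effect for each session, so a machine that has not completed RSA should show GP-QUARANTINE and QUARANTINE-FILTER.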
07-30-2019 04:30 AM
Thank You RJI. I don't think this will work for what we are trying to accomplish. What about a DAP?
Is it possible to assign tunnel groups based on a dynamic access policy?
07-30-2019 05:44 AM
Yes, I want the authentication to be passed using the machine certificate. We can use the always-on VPN to ensure that it's always authenticated, but I don't want the system to have full access while the always-on VPN is on until the user logs on and authenticates via RSA. At least if the always-on VPN is connected and the machine is on a network, it can continue to get updates and policies.
07-30-2019 05:55 AM
This sounds like what I'm looking for. I'm not familiar with the management tunnel so I will have to do some more research and test it out.
Thanks.