8053 Views, 10 Helpful, 18 Replies

ISE: Auth computer based on AD group

Hi,

I am trying to get ISE to check if a computer is in a specific Active Directory group and then authorize based on that information.

I have connected ISE to Active Directory and successfully added the group domain.com/Users/Domain Computers and then under Authorization I have added the policy IF Any AND domain.com:ExternalGroups EQUALS domain.com/Users/Domain Computers Then PermitAccess.

It is the first rule in the list.

But this doesn't seem to work. The computer goes to the last Default rule. Did I forget to do something?

Regards,

Philip

Accepted Solution

It looks to me like all the authentication log screenshots you have sent are from when your switch is using MAC authentication bypass (MAB), which of course won't work with AD authentication, unless of course you have the MAC addresses of all your PCs in your AD (which you normally don't).

Basically you need to configure your Windows supplicant for either wired dot1x PEAP or EAP-TLS, and your switch also needs to have dot1x in the "authentication order" and "authentication priority" commands on the switchport your PC is connected to.

Here are a few screenshots of how I did my test-lab ISE setup:

Authentication rules:

Authorization example. You could put this at the very top, just to make sure you don't have any broader rules that it can match further down in your rules.


18 Replies

nspasov (Cisco Employee)

Hello Philip-

Can you post screenshots of the live authentication event (both the first page and then the details)? Also, can you post screenshots of how your supplicant (machine client) is configured?

Hi Neno.

I can't show you exactly that at the moment since I did try something else before I went home. I made profiling based on whether the computer hostname contains 'xx' and whether it is a Microsoft workstation. Then I made a new authorization policy under the AD one and saw that the computers hit the new policy.

But to my knowledge the client should still hit the AD policy first.

I have some screens from that (some names are in swedish, let me know if you want a translation of those). To me it looks like it hits the wrong Identity Store.

I don't have a screen of the supplicant at the moment. How should it be configured?

I did some changes to the Authentication Policy:

Before the Default part was set to Internal Endpoints.

Now it fails authentication with the following log:

So now it is actually checking AD but it is checking for User, not computer name.

Any ideas?


Thank you. It seems that I had a knowledge gap on how this works. For some reason I believed that ISE would take the hostname of the computer and check if it exists in AD, without additional config (.1x) on the host.

When I look in the switch log I see that 802.1x fails and it authenticates the computer on MAB.

Can anyone tell me if this can also be done to VPN clients?

We are using an ASA 5515X for incoming VPN using Anyconnect 3.1.02026 and NAC Agent v4.9.0.47

Would like to be able to restrict access to the network in general, or even to specific network devices, based on workstation group membership or non-AD-member workstation.

(i.e. all corporate assets can come through VPN and get to all network resources based on their department; however, when contractors come through the VPN their systems are not in AD, therefore they can only get to specific systems on the LAN, or we have certain specific users that work from home using their personal system and we only want them to access specific systems on the LAN)

Thanks in advance,

Hey Dirk

Have you tried in the authz policy, domain group not equal domain computers?

Using a not equal might solve your problem.

Thanks!

If you just want to authenticate VPN users through ISE you can use your existing ISE node, but if you want to do CoA for VPN users then you have to use an Inline Posture node.

Please have the supplicant setting as follows for machine auth. This can be an issue.

How do you get to that 802.1x setting for the VPN?

Not 802.1x settings. You just have to configure ISE as a RADIUS server on the VPN for VPN access, and have the policies for VPN users in ISE. It will be just normal RADIUS server and client communication.
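As an added example, not from this thread, here is what the ASA side of that looks like: ISE defined as a RADIUS server group and attached to an AnyConnect tunnel-group, so every VPN login is authenticated and authorized by ISE rather than by the ASA's local database. The server address, key, interface name, tunnel-group and group-policy names are placeholders.

```cisco
! ASA: define ISE as a RADIUS server group
! (192.0.2.10, the key and the names are placeholders, not values from this thread)
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! Send AnyConnect logins on this tunnel-group to ISE for authentication
! and accounting; the group-policy here is the default applied when ISE
! returns no more specific result
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 default-group-policy CORP-VPN-POLICY
```

With this in place, the ISE authorization rules for VPN work the same way as for wired access: ISE sees the RADIUS request from the ASA and evaluates the policy. For the restriction Dirk is after, the usual approach is to have ISE return a result that the ASA maps to a more restrictive group-policy (the ASA honours the RADIUS Class attribute in the form OU=<group-policy-name>), so a session that does not meet the corporate-asset conditions lands in a group-policy with a tighter VPN filter instead of the default one.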

But I am trying to get 2 factor authentication going here.

First being the username/password, 2nd being the machine login to the domain

How would I set that up?

Hello Dirk,

You are talking about MAR (Machine Access Restrictions). I think Cisco has introduced 802.1x for ASA in 9.0 IOS.

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/aaa_trustsec.html

If you just want a simple Radius authentication for VPN users, let me know.

I could be wrong but I don't think EAP type VPNs are supported even in 9.x code

Hello Neno,

I am also not sure, but the following doc says that the "eap-proxy" command enables EAP, which permits the security appliance to proxy the PPP authentication process to an external RADIUS authentication server.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html

The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the

authentication eap-proxy

or

authentication chap

commands, and the ASA is configured to use the local database, that user will not be able to connect.
