Enthusiast

Machine authorization when connecting via VPN

Hi,

is it possible to create authorization policy on ISE that uses information from machine certificate installed on client laptops?

Users are using anyconnect 4.3. They are authenticated on ASA using user certificates.

Thank you!

1 ACCEPTED SOLUTION
Cisco Employee

Not at the moment. I am by no means an expert on the topic but I had some discussions with TAC and here is my understanding. EAP is a Layer 2 protocol while the remote user communicates to the ASA via layer 3. Thus, with IKEv1 this is not possible. It appears that IKEv2 utilizes EAP so I am guessing there is some encapsulation that happens behind the scenes. However, the EAP-AnyConnect protocol is not supported by ISE/ACS. 

Here is the exact reply that I got from TAC a while back and from the looks of it nothing has changed with regards to ISE supporting EAP-AnyConnect or AnyConnect supporting EAP :)

The current ASA implementation utilizes the core IKEv2 protocol but it requires the addition of many extensions including a proprietary EAP authentication method, AnyConnect EAP, which is the only authentication method supported. The AnyConnect EAP method serves as a conduit in IKEv2 to carry the new Aggregate Authentication protocol that has been developed for remote-access which streamlines and preserves all of the existing functionality for authenticating the client. This new Aggregate Authentication protocol will be used for both IKEv2 and SSL AnyConnect connections for the new client.

IKEv2 remote-access support is limited to the Cisco AnyConnect client since it uses a proprietary EAP authentication method and therefore, no 3rd-party IKEv2 clients are supported.

Cisco ISE and Cisco ACS do not support EAP-Anyconnect.
Oddly, the IOS implementation of IKEv2 appears to support EAP-GTC, EAP-MD5, EAP-MSCHAPv2 and NOT EAP-Anyconnect.

Now, keep in mind that this is only for the authentication part. You can still configure the authorization to go to ISE, thus, any attributes that you are able to collect during the AAA process you should be able to use with an authorization rule in ISE. 

Thank you for rating helpful posts!

9 REPLIES
Cisco Employee

Hi,

You can use the NAM module on top of the AC Secure Mobility Client for machine and user certs using EAP chaining on ISE.


http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Regards

Gagan

PS : rate if it helps!!!!

Enthusiast

Thank you both for your answers.

Gagan, I've already checked this document about EAP chaining. But the document is about EAP chaining for 802.1x (wired & wireless) and there is no hint for VPN connections. And as Neno also said, only PAP is supported for VPN connections, AFAIK.

Is there any other way to use NAM module for VPN connections?

Enthusiast

Thank you all!

Cisco Employee

Hello Jernej-

I don't think this is possible. The certificate-based authentication for VPN access is done locally on the ASA and not through ISE. At the moment there isn't an EAP-based AnyConnect VPN that is supported by ISE. As a result, the certificate authentication and attribute checking is done on the ASA directly. You can still get the 2nd factor (for instance user authentication) against ISE, but that is not done via EAP but PAP-ASCII.

I hope this helps!

Thank you for rating helpful posts!

Contributor

Even if the certificate authentication occurs on the ASA the authorization part can be assigned to ISE:

tunnel-group AC-ISE-cert general-attributes
 authorization-server-group ISE-RAD

AnyConnect can pick up a user certificate or a machine certificate.

Contributor

In addition, you have to set this RADIUS server group to authorize-only on ASA.
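
As an added example (not from any post in this thread), here is a fuller ASA configuration built around the two snippets above: the certificate check stays on the ASA, the RADIUS server group pointing at ISE is authorize-only, and the tunnel group's default group-policy allows no logins, so a client only gets a usable session when ISE returns a group-policy in the authorization response. The interface name, ISE address, shared secret, address pool, tunnel-group and group-policy names are all assumed placeholders.

```text
! ADDED EXAMPLE - not configuration from the thread. All names/addresses are assumptions.

! Address pool handed to authorised clients (assumed range)
ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0

! Fallback policy: if ISE does not return a group-policy, nobody gets a session
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Example policy that ISE can assign (Class attribute "OU=GP-ENGINEERING")
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client ikev2

! RADIUS server group for ISE. "authorize-only" makes the ASA send an
! authorization request for the username only; no password is checked by ISE.
! "dynamic-authorization" lets ISE issue a CoA/disconnect for the session.
aaa-server ISE-RAD protocol radius
 authorize-only
 dynamic-authorization
aaa-server ISE-RAD (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Remote-access tunnel group: certificate authentication on the ASA,
! authorization (and the username ISE sees) derived from the certificate CN.
tunnel-group AC-ISE-cert type remote-access
tunnel-group AC-ISE-cert general-attributes
 address-pool VPN-POOL
 default-group-policy GP-NOACCESS
 authorization-server-group ISE-RAD
 authorization-required
 username-from-certificate CN
tunnel-group AC-ISE-cert webvpn-attributes
 authentication certificate
```

With this in place the ASA validates the client certificate against its own trustpoint, extracts the CN (for a machine certificate this is normally the host name, which is what lets ISE check the machine against its identity store, as the next reply asks), and sends it to ISE in an authorize-only RADIUS request. ISE then returns the IETF Class attribute in the form OU=<group-policy name> (or other attributes the ASA understands) to select the policy; because authorization-required is set and the default policy allows zero logins, a request that ISE rejects or does not map leaves the client without a session rather than silently landing in a permissive default.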

Contributor

Hi there, so you can basically let the ASA "trust" the certificate (signed by a trusted CA) and then authorise the device/user on ISE by (I assume) extracting the CN and verifying it. As an example, the CN is deviceXYZ so the ASA can strip off deviceXYZ and authorise it via ISE which in turn verifies it exists in AD. Is that correct?

Enthusiast

Thank you for this info. It was the missing piece for getting this to work. I saw many statements to use ISE for authorization only, but this is the first I have seen on how to configure it. I was trying to set authorization only on ISE itself before finding this.

FYI... I used this with SAML authentication to Azure instead of certificate, but it worked the same. I was able to use ISE with AD backend to assign group-policy based on user AD group assignment.