Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4448
Views
25
Helpful
9
Replies

Machine authorization when connecting via VPN

Go to solution
Jernej Vodopivec
Level 4
Level 4

‎12-09-2016 02:01 AM - edited ‎03-11-2019 12:17 AM

Hi,

is it possible to create authorization policy on ISE that uses information from machine certificate installed on client laptops?

Users are using anyconnect 4.3. They are authenticated on ASA using user certificates.

Thank you!

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Jernej Vodopivec

‎12-10-2016 09:34 PM

Not at the moment. I am by no means an expert on the topic but I had some discussions with TAC and here is my understanding. EAP is a Layer 2 protocol while the remote user communicates to the ASA via layer 3. Thus, with IKEv1 this is not possible. It appears that IKEv2 utilizes EAP so I am guessing there is some encapsulation that happens behind the scenes. However, the EAP-AnyConnect protocol is not supported by ISE/ACS. 

Here is the exact reply that I got from TAC a while back and from the looks of it nothing has changed with regards to ISE supporting EAP-AnyConnect or AnyConnect supporting EAP :)

The current ASA implementation utilizes the core IKEv2 protocol but it requires the addition of many extensions including a proprietary EAP authentication method, AnyConnect EAP, which is the only authentication method supported. The AnyConnect EAP method serves as a conduit in IKEv2 to carry the new Aggregate Authentication protocol that has been developed for remote-access which streamlines and preserves all of the existing functionality for authenticating the client. This new Aggregate Authentication protocol will be used for both IKEv2 and SSL AnyConnect connections for the new client.

IKEv2 remote-access support is limited to the Cisco AnyConnect client since it uses a proprietary EAP authentication method and therefore, no 3rd party IKEv2 are supported.

Cisco ISE and Cisco ACS do not support EAP-Anyconnect.
Oddly, the IOS implementation of IKEv2 appears to support EAP-GTC, EAP-MD5, EAP-MSCHAPv2 and NOTEAP-Anyconnect.

Now, keep in mind that this is only for the authentication part. You can still configure the authorization to go to ISE, thus, any attributes that you are able to collect during the AAA process you should be able to use with an authorization rule in ISE. 

Thank you for rating helpful posts!

View solution in original post

9 Replies 9

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎12-09-2016 08:29 AM

Hi,

You can use NAM module on top of AC secure mobility client for machine and user cert using EAP chaining on ISE.


http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Regards

Gagan

PS : rate if it helps!!!!

0 Helpful

Go to solution
Jernej Vodopivec
Level 4
Level 4
In response to Gagandeep Singh

‎12-10-2016 02:36 AM

Thank you both for your answers.

Gagan, I've already checked this document about EAP chaining. But the document is about EAP chaining for 802.1x (wired & wireless) and there is no hint for VPN connections. And as Neno also said there is only PAP supported for VPN connections AFAIK.

Is there any other way to use NAM module for VPN connections?

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Jernej Vodopivec

‎12-10-2016 09:34 PM

Not at the moment. I am by no means an expert on the topic but I had some discussions with TAC and here is my understanding. EAP is a Layer 2 protocol while the remote user communicates to the ASA via layer 3. Thus, with IKEv1 this is not possible. It appears that IKEv2 utilizes EAP so I am guessing there is some encapsulation that happens behind the scenes. However, the EAP-AnyConnect protocol is not supported by ISE/ACS. 

Here is the exact reply that I got from TAC a while back and from the looks of it nothing has changed with regards to ISE supporting EAP-AnyConnect or AnyConnect supporting EAP :)

The current ASA implementation utilizes the core IKEv2 protocol but it requires the addition of many extensions including a proprietary EAP authentication method, AnyConnect EAP, which is the only authentication method supported. The AnyConnect EAP method serves as a conduit in IKEv2 to carry the new Aggregate Authentication protocol that has been developed for remote-access which streamlines and preserves all of the existing functionality for authenticating the client. This new Aggregate Authentication protocol will be used for both IKEv2 and SSL AnyConnect connections for the new client.

IKEv2 remote-access support is limited to the Cisco AnyConnect client since it uses a proprietary EAP authentication method and therefore, no 3rd party IKEv2 are supported.

Cisco ISE and Cisco ACS do not support EAP-Anyconnect.
Oddly, the IOS implementation of IKEv2 appears to support EAP-GTC, EAP-MD5, EAP-MSCHAPv2 and NOTEAP-Anyconnect.

Now, keep in mind that this is only for the authentication part. You can still configure the authorization to go to ISE, thus, any attributes that you are able to collect during the AAA process you should be able to use with an authorization rule in ISE. 

Thank you for rating helpful posts!

Go to solution
Jernej Vodopivec
Level 4
Level 4
In response to nspasov

‎12-13-2016 01:49 AM

Thank you all!

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎12-09-2016 11:39 AM

Hello Jernej-

I don't think this is possible. The certificate based authentication for VPN access is done locally on the ASA and not through ISE. At the moment there isn't an EAP based AnyConnect VPN that is supported by ISE. As a result, the certificate authentication and attributes checking is done on the ASA directly. You can still get the 2nd factor (for instance user authentication) against ISE but that is not done via EAP but PAP-ASCII.

I hope this helps!

Thank you for rating helpful posts!

Go to solution
Peter Koltl
Level 7
Level 7

‎12-13-2016 01:51 AM

Even if the certificate authentication occurs on the ASA the authorization part can be assigned to ISE:

tunnel-group AC-ISE-cert general-attributes
 authorization-server-group ISE-RAD

AnyConnect can pick up a user certificate or a machine certificate.

0 Helpful

Go to solution
Peter Koltl
Level 7
Level 7

‎01-15-2017 11:37 AM

In addition, you have to set this RADIUS server group to authorize-only on ASA.

Go to solution
dazza_johnson
Level 5
Level 5
In response to Peter Koltl

‎12-18-2017 03:53 AM

Hi there, so you can basically let the ASA "trust" the certificate (signed by a trusted CA) and then authorise the device/user on ISE by (I assume) extracting the CN and verifying it. As an example, the CN is deviceXYZ so the ASA can strip off deviceXYZ and authorise it via ISE which in turn verifies it exists in AD. Is that correct?

0 Helpful

Go to solution
MARK BAKER
Level 4
Level 4
In response to Peter Koltl

‎03-05-2019 11:58 AM

Thank you for this info. It was the missing piece for getting this to work. I saw many statements to use ISE for authorization only, but this is the first I have seen on how to configure it. I was trying to set authorization only on ISE itself before finding this.

 

FYI... I used this with SAML authentication to Azure instead of certificate, but it worked the same. I was able to use ISE with AD backend to assign group-policy based on user AD group assignment.

Customers Also Viewed These Support Documents