Solved: Allow only AD joined computers to attach to AnyConnect VPN

Phillip Simonds · ‎03-30-2017

I have a customer who wants to provision a policy so that only domain joined computers (e.g. company owned laptops) can attach to VPN. We've talked about using certificates, but they don't want the added complexity, and they're also nervous about tech savvy employees exporting the local host's cert and importing it onto another computer in order to get around the restriction.

I'm wondering if it's possible to have the ASA pass a RADIUS attribute that includes the computer's OU through the firewall and add a policy in Microsoft NPS that will only send a radius-accept message if the user both authenticates/is in a certain group, and the computer's OU (not the user's) matches a certain group. This would in effect allow only domain-joined computers to log into VPN.

If not, I'm curious if there are other ideas on how to accomplish? We could use ISE/ AC ISE Posture Module, but they don't have those currently. Purchase and deployment of those products is not off the table, but we'd like to work with what we have if it's possible.

Shakti Kumar · ‎03-30-2017

Hello Phillip Simonds,

You can use DAP to detect domain computer based on the registry setting. Here is a sample doc

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.pdf

You should look for "Enforce DAP Based on CSD Host Scan for Domain Registry Key" . Let me know if you have any concerns

Thanks

Shakti

View solution in original post

Shakti Kumar · ‎03-30-2017

Hello Phillip Simonds,

You can use DAP to detect domain computer based on the registry setting. Here is a sample doc

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.pdf

You should look for "Enforce DAP Based on CSD Host Scan for Domain Registry Key" . Let me know if you have any concerns

Thanks

Shakti

Phillip Simonds · ‎03-30-2017

Shakti, thanks for the info.

This looks like it requires CSD to scan the host for that domain registry key. I believe CSD is EoS/EoL and replaced by ISE Posture Assessment - but I could be wrong - starting to get out of my depth in this product line.

If I'm incorrect on that point, is CSD automatically pushed down with the AnyConnect client? And is any additional licensing required to have it scan the host for a registry key? The customer is using PLUS licensing for the AnyConnect client.

Thanks in advance.

Shakti Kumar · ‎04-02-2017

Hi Phillip Simonds,

Posture assessment isn't EOL feature, only the pre-login component of posture assessment is EOL'd . Anyconnect PLUS license does have this feature.

Thanks

Shakti

Phillip Simonds · ‎04-03-2017

Thanks Shakti! I really appreciate it.

Srikanth-Tanubudhu · ‎04-13-2017

Hi Shakti,

Could you please help out on this.

We done the below changes in ASA,

Enabled hostscan, configured registry scan with domain.

Created new dap policy, and given ACL priority.

We selected User has ANY of the following AAA attribute values in selection criteria.

Added the end point ID with resgistry and selected option type sting and given domain name.

Action--> Continue.

We have tested with new DAP policy from test tunnel. As checked in Debug output Domain machine is accessing through new DAP policy ‘Domain’ and non-domain machine is accessing through ‘default access policy’.

During testing, we unable see anyconnect login prompt if we apply the command without-csd in tunnel-group
Test is passed after disabling without csd command form tunnel-group.
As per yesterday test, the action item is continue on default and new DAP policies and we see the vpn connectivity is working fine. Domain machine is working on new dap policy and non-domain machine working on default dap policy as per debug output. And also we tested with Duo security for secondary authentication which is success.
As per our previous down time test, Same changes applied and we terminate the action in default access policy and the result is the production and test tunnels stopped working.

Allow only AD joined computers to attach to AnyConnect VPN

Hi Shakti,

Could you please help out on this.

We done the below changes in ASA,

Enabled hostscan, configured registry scan with domain.

Created new dap policy, and given ACL priority.

We selected User has ANY of the following AAA attribute values in selection criteria.

Added the end point ID with resgistry and selected option type sting and given domain name.

Action--> Continue.

We have tested with new DAP policy from test tunnel. As checked in Debug output Domain machine is accessing through new DAP policy ‘Domain’ and non-domain machine is accessing through ‘default access policy’.

During testing, we unable see anyconnect login prompt if we apply the command without-csd in tunnel-group

Test is passed after disabling without csd command form tunnel-group.

As per our previous down time test, Same changes applied and we terminate the action in default access policy and the result is the production and test tunnels stopped working.

The next step, how to block non-domain machine. Could you please help out.

Thank You!!