
AnyConnect + MDM + ISE

kev-matthews
Level 1

Hi everyone,

We have a use case that's come through to us for implementation and we're struggling a bit and I wondered if anyone else had managed to do this.

Essentially we want to use AnyConnect on a mobile device (specifically an iPad) and deliver AnyConnect and a base profile through the MDM provider (in this case Meraki). Once the user connects, we issue a certificate to the device from ISE and a new profile from the ASA which allows cert-based authentication to occur for on-demand VPN. Now, this all works (so far so good, right?). However, the difficulty is that we want to be able to ensure that devices connecting to that tunnel group are compliant with MDM policy, as there is nothing stopping anyone from copying the base settings from AnyConnect on a mobile device and enrolling. So even if we lock it down to a specific identity group of users, if they copy the settings to a non-corporate device, then they are able to connect and gain access to the network from an unauthorised device.

We've tried setting up an MDM redirect (which works ok if we bring it in over Wireless), but over VPN it just puts us into an MDM compliance loop where it keeps sending us to register with the MDM - it's like ISE isn't able to establish the identity and compliance status of the device.

Has anyone been able to do anything similar and if so how?

Any help would be greatly appreciated!

Kev

2 Replies

Marvin Rhoads
Hall of Fame

You should be able to build a "pre-compliance" AuthZ policy that allows the clients to log in but redirects and restricts them to a landing page on the MDM server registration page. Once they register, their session should be re-authorized and found compliant, whereby they are granted Full Network Access.
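For reference, the ASA side of the redirect-and-re-authorize flow described in the reply above, as an added example that is not from the thread or from either poster's configuration. IP addresses, the tunnel group name, the object-group name and the ACL name are placeholders; the ISE authorization profile for the pre-compliance rule is assumed to return this ACL name in the `url-redirect-acl` AV pair together with the MDM portal URL in `url-redirect`.

```cisco
! Added example (not the original poster's config). All addresses and names are placeholders.
!
! 1. RADIUS server group for ISE. "dynamic-authorization" enables RADIUS CoA,
!    which is how ISE re-authorizes the VPN session after the device registers.
!    Interim accounting updates give ISE the client's assigned VPN address,
!    which the redirect and the later compliance lookup depend on.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>
!
! 2. The tunnel group must send accounting as well as authentication to ISE;
!    without an accounting session there is nothing for the CoA to act on.
tunnel-group MOBILE-CERT general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
!
! 3. Redirect ACL referenced by ISE (cisco-av-pair url-redirect-acl=MDM-REDIRECT).
!    On the ASA, "permit" lines are the traffic that gets redirected and
!    "deny" lines bypass the redirect. DNS, ISE itself and the MDM provider
!    must be exempt, otherwise the client cannot complete enrolment and
!    ISE can never re-check compliance.
object-group network MDM-PROVIDER
 network-object host 198.51.100.20
access-list MDM-REDIRECT extended deny udp any any eq domain
access-list MDM-REDIRECT extended deny ip any host 192.0.2.10
access-list MDM-REDIRECT extended deny ip any object-group MDM-PROVIDER
access-list MDM-REDIRECT extended permit tcp any any eq www
access-list MDM-REDIRECT extended permit tcp any any eq https
```

The matching ISE side is two authorization rules for the tunnel group: a pre-compliance rule (MDM registered or compliant equals false) that returns the redirect profile above, placed before a compliant rule that returns Full Network Access. A quick check while troubleshooting is `show vpn-sessiondb detail anyconnect` on the ASA, which shows the redirect ACL and URL currently applied to the session; if they are still present after registration, the CoA from ISE has not reached the ASA.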

Hi There,

Yes - we've already done this, but the issue is that we get stuck in a compliance loop, so ISE never gets the feedback that the device is compliant.

Essentially the behaviour from the client is thus:

Connects to Cert Based VPN Profile

Opens Web Browser

Traffic is redirected to the MDM portal

MDM Portal redirects to the MDM Provider (Meraki in this case) and starts setup for the device (even though the device is already provisioned with the MDM Provider)

MDM Onboarding Completes with the provider

*No feedback re compliance of the endpoint to ISE*

Open new link on device - it is redirected to the MDM onboarding portal and the whole cycle starts again.

All this works ok over our Wireless Setup, and we get the compliance check completing as expected, but the VPN is the tricky one!

Do we need to set up the MDM Proxy on the ASA?  I'm unable to find anything documentation-wise for this feature.

I've attached a screen grab of our AuthZ for reference.

Thanks

Kev