
Allow only AD joined computers to attach to AnyConnect VPN

Phillip Simonds (Level 1)

I have a customer who wants to provision a policy so that only domain-joined computers (e.g. company-owned laptops) can attach to VPN. We've talked about using certificates, but they don't want the added complexity, and they're also nervous about tech-savvy employees exporting the local host's cert and importing it onto another computer in order to get around the restriction.

I'm wondering if it's possible to have the ASA pass a RADIUS attribute that includes the computer's OU through the firewall and add a policy in Microsoft NPS that will only send a radius-accept message if the user both authenticates/is in a certain group, and the computer's OU (not the user's) matches a certain group. This would in effect allow only domain-joined computers to log into VPN.

If not, I'm curious if there are other ideas on how to accomplish this. We could use ISE / the AnyConnect ISE Posture Module, but they don't have those currently. Purchase and deployment of those products is not off the table, but we'd like to work with what we have if it's possible.


5 Replies

Shakti Kumar (Cisco Employee), accepted solution

Hello 

Shakti, thanks for the info.

This looks like it requires CSD to scan the host for that domain registry key. I believe CSD is EoS/EoL and has been replaced by ISE Posture Assessment, but I could be wrong; I'm starting to get out of my depth in this product line.

If I'm incorrect on that point, is CSD automatically pushed down with the AnyConnect client? And is any additional licensing required to have it scan the host for a registry key? The customer is using PLUS licensing for the AnyConnect client.

Thanks in advance.

Hi Phillip Simonds,

Posture assessment isn't an EOL feature; only the pre-login component of posture assessment has been EOL'd. The AnyConnect PLUS license does include this feature.

Thanks

Shakti

Thanks Shakti! I really appreciate it.

Hi Shakti,
Could you please help out with this?
We have made the following changes on the ASA:
Enabled hostscan and configured a registry scan with the domain.
Created a new DAP policy and given it ACL priority.
Selected "User has ANY of the following AAA attribute values" in the selection criteria.
Added the endpoint ID with registry, selected option type string, and given the domain name.
Action --> Continue.
We have tested the new DAP policy from the test tunnel. As checked in the debug output, the domain machine is accessing through the new DAP policy 'Domain' and the non-domain machine is accessing through the 'default access policy'.

  •     During testing, we were unable to see the AnyConnect login prompt if we applied the command without-csd in the tunnel-group.
  •     The test passed after removing the without-csd command from the tunnel-group.
  •     As per yesterday's test, the action is Continue on both the default and the new DAP policies, and we see that VPN connectivity is working fine. The domain machine is working on the new DAP policy and the non-domain machine is working on the default DAP policy, as per the debug output. We also tested Duo Security for secondary authentication, which succeeded.
  •     As per our previous downtime test, the same changes were applied and we set the action to Terminate in the default access policy, and the result was that the production and test tunnels stopped working.
The next step is how to block the non-domain machine. Could you please help out?
Thank you!!
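The configuration pattern the thread converges on (hostscan registry check feeding a DAP, default record set to terminate), written out as an ASA CLI fragment. This is an added example, not configuration from any poster in the thread or from Cisco documentation. The tunnel-group name CorpVPN, group-policy GP-CorpVPN, AAA server group NPS-RADIUS, the hostscan package filename, the domain corp.example and the registry path used for the check are all assumptions; substitute the customer's own values. The DAP selection criteria themselves (the AAA group match and the endpoint registry attribute) are stored in dap.xml and are set through ASDM as the previous post describes; the CLI only carries each record's action, priority and message.

```cisco
! Added example (assumed names throughout, see lead-in). Not from the original thread.
webvpn
 enable outside
 ! Hostscan must be loaded and enabled or no endpoint.registry data ever reaches DAP.
 ! Package filename is an assumption; use the version actually on flash.
 hostscan image disk0:/hostscan_4.9.04053-k9.pkg
 hostscan enable
 anyconnect enable
!
tunnel-group CorpVPN type remote-access
tunnel-group CorpVPN general-attributes
 default-group-policy GP-CorpVPN
 authentication-server-group NPS-RADIUS
tunnel-group CorpVPN webvpn-attributes
 group-alias CorpVPN enable
 ! Deliberately NO "without-csd" here: that keyword skips hostscan for this
 ! tunnel-group, so the registry check never runs and the session can only
 ! ever match DfltAccessPolicy.
!
! Every session that matches no other DAP record lands on DfltAccessPolicy.
! Setting it to terminate makes the ASA deny-by-default for ALL tunnel-groups,
! including any that still carry without-csd or clients that send no hostscan data.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "This VPN is restricted to company-managed computers."
!
! Record matched by domain-joined hosts. Criteria configured in ASDM (dap.xml):
!   AAA attribute : memberOf / group of the VPN users group (match ANY)
!   Endpoint ID   : Registry, type string
!                   Entry path (assumed): HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain
!                   Value = corp.example
dynamic-access-policy-record Domain
 description "Domain-joined Windows hosts"
 action continue
 priority 10
```

Before flipping DfltAccessPolicy from continue to terminate on a production box, run `debug dap trace` against a connection from each tunnel-group that is in use and confirm every legitimate session reports a match on the Domain record, because after the change any session that only matches the default record is disconnected. The check is a registry string and nothing more: a local administrator can write that value on an unmanaged machine, so this raises the bar against casual use of personal devices rather than against a determined insider, which is the trade-off the original post accepted when it ruled out certificates.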