AnyConnect - can auth a machine and then a user?

Willard Dennis
Level 1

Hi folks,

We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it is a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN). Thanks in advance for any pointers to documentation or other info you can provide...

Sent from Cisco Technical Support iPad App

7 Replies

The typical way to achieve that is using certificate-based authentication and AAA. It can be used in combination.

Sent from Cisco Technical Support iPad App
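One way to put both factors on a single AnyConnect tunnel group, as an added ASA 8.4 configuration example (not from this thread or from Cisco's documentation): the ASA validates the machine certificate against the corporate issuing CA, maps certificates from that CA to the tunnel group, and then still prompts for RADIUS user credentials before the session comes up. The trustpoint, server, group and tunnel-group names, the IP address and the certificate-map match values are assumed.

```text
! Trustpoint for the corporate issuing CA that signs machine certificates
! (import the CA certificate afterwards with: crypto ca authenticate CORP-CA)
crypto ca trustpoint CORP-CA
 enrollment terminal
 ! Revocation checking is what locks out a stolen machine once its cert is revoked
 revocation-check crl

! Only certificates issued by the corporate CA to machines match this map
! (match values are assumed; adjust to the CA's actual issuer/subject fields)
crypto ca certificate map CORP-MACHINE 10
 issuer-name attr cn co CorpIssuingCA
 subject-name attr ou co Machines

! RADIUS servers; attribute 25 (Class) returns the group-policy name per user
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

webvpn
 enable outside
 anyconnect enable
 ! Clients presenting a certificate that matches the map land in this tunnel group
 certificate-group-map CORP-MACHINE 10 AC-CORP-TG

tunnel-group AC-CORP-TG type remote-access
tunnel-group AC-CORP-TG general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy GP-DEFAULT
tunnel-group AC-CORP-TG webvpn-attributes
 ! Both factors: a valid machine certificate AND RADIUS user credentials
 authentication aaa certificate
 group-alias corp enable
```

The certificate satisfies only one factor here: a stolen laptop still needs valid RADIUS credentials, and revoking its machine certificate removes the first factor entirely. Which certificate store the client searches on each platform is set in the AnyConnect client profile, which this fragment does not cover.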

Thanks for letting me know this is possible... Any pointers to docs/HOWTOs?

Sent from Cisco Technical Support iPad App

Dennis,

You can also use dynamic access policies using host scan. I helped deploy a solution where we would look for the domain value in the machine's registry to verify that it was a member of the enterprise domain before presenting the login page.

The customer didn't have a PKI infrastructure and wasn't too interested in setting one up either.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_hostscan.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Very good point that I forgot to mention.

But when planning for a DAP deployment, keep in mind that for some checks the Advanced Host Assessment license is needed. But the cost of that license is peanuts compared to AnyConnect Premium.

Sent from Cisco Technical Support iPad App

Hi Karsten -

I have read that Advanced Host Scan is only needed for remediation and mobile device checking... Hopefully we don't need to buy any more licenses (no matter how inexpensive!)

Sent from Cisco Technical Support iPad App

Not only for remediation, also to recognize the operating system.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Tarik,

I have read that such checks can be done, but unfortunately a Windows-only solution like the one you mentioned won't work for our environment... Looks like we may need to use certs.

Sent from Cisco Technical Support iPhone App