08-11-2012 12:52 PM - edited 02-21-2020 06:15 PM
Hi folks,
We are rolling out a new VPN infrastructure utilizing ASA 5520s (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it is a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN.) Thanks in advance for any pointers to documentation or other info you can provide...
Sent from Cisco Technical Support iPad App
08-11-2012 03:36 PM
The typical way to achieve that is using certificate-based authentication and AAA. It can be used in combination.
Sent from Cisco Technical Support iPad App
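An ASA 8.4 CLI configuration showing the certificate-plus-AAA combination described in the reply above: a machine certificate issued by the company CA gates the connection, and the user still has to authenticate against RADIUS, so a stolen machine alone is not enough. This is an added example written for this thread, not from the reply or from Cisco documentation; the trustpoint, certificate map, AAA server, group policy and tunnel-group names, the CA attributes and the RADIUS address are assumed placeholders.

```cisco
! Added example (assumed names/values): machine cert + RADIUS user auth
! on ASA 8.4 for AnyConnect SSL clients.

! 1. Trust the internal CA that issues the machine certificates.
!    CRL checking lets a stolen laptop's certificate be revoked.
crypto ca trustpoint CORP-MACHINE-CA
 enrollment terminal
 revocation-check crl
! crypto ca authenticate CORP-MACHINE-CA   (paste the CA's PEM when prompted)

! 2. Only certificates from that CA, issued to machines, map to the VPN.
crypto ca certificate map CORP-MACHINE-MAP 10
 issuer-name attr cn eq CorpIssuingCA
 subject-name attr ou eq Machines

! 3. RADIUS server that returns attribute 25 (Class) for group selection.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.5
 key <radius-shared-secret>

group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol ssl-client

! 4. Tunnel group: certificate (machine) AND AAA (user) are both required.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
 group-alias corp enable
! Deliberately no "pre-fill-username ssl-client": the certificate names the
! machine, not the user, so the user must still enter RADIUS credentials.

! 5. Enable AnyConnect and client certificate auth on the outside interface.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CORP-MACHINE-MAP 10 CORP-VPN
ssl certificate-authentication interface outside port 443
```

The machine certificate must live in each client's system (not user) certificate store so AnyConnect can present it on Windows, MacOS and Linux alike; a connection attempt without a certificate from CORP-MACHINE-CA never reaches the RADIUS prompt.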
08-11-2012 04:31 PM
Thanks for letting me know this is possible... Any pointers to docs/HOWTOs?
Sent from Cisco Technical Support iPad App
08-11-2012 10:33 PM
Dennis,
You can also use dynamic access policies using host scan. I helped deploy a solution where we would look for the domain value in the machine's registry to verify that it was a member of the enterprise domain before presenting the login page.
The customer didn't have a PKI infrastructure and wasn't too interested in setting one up either.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_hostscan.html
Thanks,
Tarik Admani
*Please rate helpful posts*
08-11-2012 11:17 PM
Very good point that I forgot to mention.
But when planning for a DAP deployment, keep in mind that for some checks the Advanced Host Assessment license is needed. But the cost of that license is peanuts compared to AnyConnect Premium.
Sent from Cisco Technical Support iPad App
08-12-2012 06:09 AM
Hi Karsten -
I have read that Advanced Host Scan is only needed for remediation and mobile device checking... Hopefully we don't need to buy any more licenses (no matter how inexpensive!)
Sent from Cisco Technical Support iPad App
08-13-2012 02:22 AM
Not only for remediation. Also to recognize the operating system.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-12-2012 05:25 AM
Hi Tarik,
I have read that such checks can be done, but unfortunately a Windows-only solution like the one you mentioned won't work for our environment... Looks like we may need to use certs.
Sent from Cisco Technical Support iPhone App