AnyConnect certificate verification can be bypassed

dirk.heilemann (Level 1)

Hi,

I implemented client authentication with a check for machine certificates to ensure that only company devices can connect. This works fine but I ended up in a discussion if we have a weak spot here.

The additional checks for attributes are done by the client and controlled by the xml file containing the profile, this means a user that hasn't the profile or deletes it can circumvent the attribute checks if he goes directly to the gateway.

The question is if the additional certificate verification can be performed on the ASA, like a DAP does for endpoint attributes.

If not other ideas are welcome.

Thanks,

Dirk

P.S. 

It got worse! I thought the issue is more hypothetical because our certificates are marked as not exportable, therefore they should exist on a company device only. Now I had to learn that the Microsoft CA has a web interface (https://INTERNALCA/certsrv/). Any authorized user can create a signed user certificate there and transport this to any place in the world. A colleague demonstrated this with Firefox on his company device and openconnect on his (private) Linux notebook. He was able to back up the user certificate from Firefox, convert it with openssl and run openconnect with -c and -k. The ASA accepted this, because no additional check was done!

This means this solution will fail completely in a place like ours that has technically interested staff. Now I really need help...

3 Replies

rvarelac (Level 7)

Hi Dirk,  

On the XML profile you can set up a certificate matching configuration and force the end user computer to only send the required certificate to the ASA. However, this won't prevent someone from getting the certificate and authenticating with it.

https://supportforums.cisco.com/document/12550601/anyconnect-xml-settings

What if you use a 3rd factor (assuming you are using username/password + certificate already) to make this configuration more granular. With DAP, for example, you can specify that only Windows computers can connect and have the DAP look into the computer and grab a specific file or registry key that only the domain computers should have.

DAP examples

I would also force a policy for the company users in order to restrict the access to the AnyConnect folder on the users' computers, and definitely keep an eye on the Microsoft CA server in order to avoid further situations.

Hope it helps

-Randy-

Hello Randy,

It's a bit security by obscurity, but might work out because this should not be easy to reverse-engineer for my "creative" colleagues.

I looked around and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine might help nailing our Windows systems down. I have to find something similar for the OSX devices. The MacBooks are centrally managed and the Apple admin will assist here. I will give it a try. 

DAP is great because of its flexibility; the options you have for checking a certificate are very basic compared to it. Maybe Cisco will add support to query and compare certificate attributes via DAP's LUA engine some day. You would have everything in one place! Just dreaming...

Dirk

Hi Dirk, 

DAP is based on matching expressions created in LUA. LUA is a pretty flexible language and allows you to create basically anything the admin would want to filter; the only inconvenience is that we need to know a bit about this language to create the personal scripts.

I would check the option of  "Connect If Device.id of Endpoint PC and Serial Number on the Certificate Are the Same" shared on the previous link, maybe that script could help you. 

Enjoy the weekend! 

-Randy-
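The thread's core point is that any check performed by the AnyConnect client (certificate matching in the XML profile) is bypassable by a client that simply does not run it, so the decisive check has to live on the gateway. The following Go program is an added example, not code from the original thread and not Cisco's DAP or ASA code: it models a gateway-side policy that accepts only certificates which chain to the company CA, carry the client-authentication EKU, and were issued from the machine template. It assumes, for illustration, that the machine template stamps OU=Machines into the subject while the web-enrolled user template stamps OU=Users; the CA, the machine certificate and the user certificate are all generated in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed convention (not from the thread): the machine certificate template
// writes OU=Machines, the user template obtainable via web enrollment writes
// OU=Users. The gateway keys on this field, not on the client's XML profile.
const machineOU = "Machines"

type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent; when parent is nil the result is self-signed (the CA).
func issue(tmpl *x509.Certificate, parent *issued) (*issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issued{cert: cert, key: key}, nil
}

// leafTemplate builds an end-entity template valid for client authentication.
func leafTemplate(serial int64, cn, ou string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// Gateway holds the server-side policy: trusted roots plus the template rule.
type Gateway struct {
	roots *x509.CertPool
}

// Authorize returns nil only for a certificate that chains to the company CA,
// is valid for client authentication, and came from the machine template.
// A valid user certificate (the web-enrollment case) is rejected here.
func (g *Gateway) Authorize(cert *x509.Certificate) error {
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     g.roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == machineOU {
			return nil
		}
	}
	return errors.New("certificate was not issued from the machine template")
}

// Scenario builds a constructed CA, one machine certificate and one web-enrolled
// user certificate, and returns the gateway decision for each.
func Scenario() (machineErr, userErr error) {
	ca, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
	if err != nil {
		return err, err
	}
	machine, err := issue(leafTemplate(2, "laptop-0815.example.corp", machineOU), ca)
	if err != nil {
		return err, err
	}
	user, err := issue(leafTemplate(3, "alice", "Users"), ca)
	if err != nil {
		return err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	gw := &Gateway{roots: roots}
	return gw.Authorize(machine.cert), gw.Authorize(user.cert)
}

func main() {
	m, u := Scenario()
	fmt.Println("machine certificate:", m) // nil: accepted
	fmt.Println("user certificate:", u)    // rejected: wrong template
}
```

The design point is that both certificates are perfectly valid as far as chain building goes, which is exactly why the ASA in the thread accepted the copied user certificate; only a gateway-side rule about which template (here the OU attribute, in a real deployment whichever subject or extension field your CA stamps) distinguishes a machine from a user.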