Anyconnect checking computer domain

Christian Jorge
Level 1

Good Morning gentlemen

 

We have a project to be implemented regarding Anyconnect VPN clients connecting to a firewall ASA, and a requirement is checking the machine domain to permit connection. For example, if the notebook belongs to domain example.com, connection will be permitted.

The main reason is to permit only customer allowed machines (not personal desktops, smartphones).

 

I could not find anything related in group-policy attributes.

 

Anyone could help me with some idea?

 

Regards 

 

Christian

7 Replies

That's nothing that can be easily configured in a group-policy. There are two primary ways to achieve this:

  1. Enroll Machine-certificates to all PCs and authenticate the VPN-clients with certificate and AAA.
  2. Use the hostscan module to check for the PC-environment. For that you need the advanced endpoint assessment license (or the APEX license on AnyConnect 4) and some configuration in the DAP (dynamic access policies).

Appreciate your suggestions. Never seen those features used.

I've only had experience using LDAP-attribute-map for VPN attributes filtering.

 

Actually, the customer ASA is an ordinary 5550 using image 9.1(5)12. Probably not able to consider version 9.2 and above.

Only using Anyconnect Essentials license.

 

Does anyone know any good web link for further details regarding those presented solutions?

 

Thank you for your help

 

Christian

You're right - ASA 9.2+ is not supported on the End-of-Sales ASA models.

For your reference, here is a link to a TAC-published document explaining how to setup a configuration in the event that it's an option for other readers.

Version 9.1x is the last for the legacy ASAs, so you can't go to 9.2 or higher.

With AnyConnect 4 you could use Hostscan without a premium-license on the ASA, the AnyConnect client is licensed there (you need the APEX license then). But I'm not sure if that will work with the legacy ASAs.

Edit: I just see that "Basic endpoint collection" is included in the Plus license; so the APEX is not needed. This license is quite cheap. (25 users, 5 years for $65 list)

Marvin Rhoads
Hall of Fame

You can also do this with ISE Authorization policies - if you have ISE and use it as the RADIUS CoA-capable AAA server with your ASA (requires ASA code 9.2 or later).

Christian Jorge
Level 1

Based on your recommendations, I think that for the customer environment, the more feasible solution in this case would be to authenticate the desktops with certificates.

 

But how can I perform this using SSL Anyconnect?

Each user should be mapped to a group-policy based on his Windows AD group. Usually, I use an ldap-attribute-map for this.

But for a specific Windows AD group, the user can only be permitted the connection in case their machine belongs to domain example.com. I think I can configure this using certificates.

But I have no idea how to link both solutions.

 

 

Regards

 

Christian
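One way the two pieces above can be wired together on a 9.1 ASA, as an added illustration and not configuration posted in this thread or published by Cisco: the AnyConnect tunnel group requires both a certificate and AAA, a certificate map steers only certificates issued by the domain CA into that tunnel group, and an LDAP attribute map assigns the group-policy from the AD group. Trustpoint, server, DN, policy and group names, the IP address and the CA name are constructed placeholders.

```text
! Added example (not from the thread). Names, IPs and DNs are constructed placeholders.
! 1) Trust the enterprise CA that issues the machine certificates.
!    Import its certificate afterwards with "crypto ca authenticate EXAMPLE-CA".
crypto ca trustpoint EXAMPLE-CA
 enrollment terminal
!
! 2) Match only certificates issued by that CA to hosts in example.com.
!    A personal device holds no certificate from this issuer, so it never matches.
crypto ca certificate map DOMAIN-MACHINE-MAP 10
 issuer-name attr cn eq Example-Root-CA
 subject-name attr cn co example.com
!
! 3) AD over LDAP: the memberOf value selects the group-policy.
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Domain-Users,OU=Groups,DC=example,DC=com" GP-DOMAIN-USERS
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! 4) Users whose memberOf matches nothing fall back to this policy and are denied.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-DOMAIN-USERS internal
group-policy GP-DOMAIN-USERS attributes
 vpn-tunnel-protocol ssl-client
!
! 5) Tunnel group: a valid machine certificate AND AD credentials are both required.
tunnel-group TG-DOMAIN type remote-access
tunnel-group TG-DOMAIN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group TG-DOMAIN webvpn-attributes
 authentication aaa certificate
!
! 6) Only certificates matching the map are steered into that tunnel group.
webvpn
 enable outside
 certificate-group-map DOMAIN-MACHINE-MAP 10 TG-DOMAIN
```

Pair the trustpoint with revocation checking against the CA's CRL, otherwise the certificate check only proves the notebook once held a domain-issued certificate and a lost or decommissioned machine cannot be shut out.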

Ashley Sahonta
Level 1

See the following link here. It can be done using Host Scan and can be configured using a Dynamic Access policy.