ASA LUA script to force certificate used

kev-matthews
Level 1

Hi Everyone,

Bit of an odd question and to be honest I'm not actually sure it's possible. Essentially I'm trying to make AnyConnect complete a cert-based authentication and authorization. The norm for this would be to use Machine Auth (from the looks of the guides), but I've a use case that requires specific access lists pushed from an ISE result based on the user group of the logged-in user.

Is it possible to use a machine cert for the AuthC and then a user cert for the AuthZ? I was thinking a secondary auth would do it, but to make that work I'd need to force the use of the machine or the user certificate. If I leave the profile to "All" certificate stores (even with Override enabled) it favours the user cert, unless the user cert is not in place, and then it uses the machine cert. Is it possible to use LUA to pick the certificate store to match and return the machine certificate + CN over the user certificate?

I appreciate that this could be a bit overkill, but I'd really like to ensure confidence in the workstation being a member of our domain and not rely purely on a user certificate that could be exported or auto-enrolled on a non-corporate device.

Thanks

14 Replies

Marvin Rhoads
Hall of Fame

I don't believe you can do both machine and user certificate checking over VPN. That normally requires EAP chaining, which uses the EAPoL protocol, and that is not available for remote access VPN users.

Are you making the user certificate non-exportable in the certificate template you're using?

If you are, you can combine the user certificate (for authentication) with an advanced endpoint assessment condition to confirm that the machine is part of your domain by checking the domain registry key as shown here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#anc21

This would require AnyConnect Apex licensing.

I fear this may be the case, but the ASA allows for a separate secondary authentication which could be credentials or a certificate so I live in hope there is a solution here somewhere!

We currently use 2FA and posture through ISE to try and ensure that the machine belongs to us. It works well for the most part; however, it doesn't allow for a good always-on experience, and posture is intrusive to the end-user experience, as well as AnyConnect getting the blame for any reason that it has denied access due to posture failure. I'm looking to remove posture because it's intrusive and to eliminate the "faults" that cross my desk because of it.

One school of thought is to deploy MS DA, but I'd rather not do this as I feel we can do similar within AC. The use cases that we have demand certain access lists per user, and I'd like to keep config as simple as possible without having multiple tunnel groups every time we want to do something new. Right now it's an AD group and an ISE rule based on the AD group, making it quick to deploy new access with minimal fuss and not having to worry about the right VPN tunnel being used.

User certs are an option as they can be marked non-exportable. But I have creative users who will find a way to use the CA to request a cert that ends up on a non-corporate device, and as mentioned I'd like to remove posture :)

Not sure if it will help with your original question, but have you looked into "stealth mode" posture deployment?

Hi Marvin, 

excerpt from the documentation (ASA 9.7)

########

you can now validate multiple certificates per session with AnyConnect SSL and IKEv2 client protocols. The Aggregate Authentication protocol has been extended to define the protocol exchange for multiple-certificate authentication and utilize this for both session types. For example, you can make sure that the issuer name of the machine certificate matches a particular CA and therefore that the device is a corporate-issued device.

The multiple certificates option allows certificate authentication of both the machine and user via certificates. Without this option, you could only do certificate authentication of one or the other, but not both.

The pre-fill username field allows a field from the certificate to be parsed and used for subsequent AAA authentication in a AAA and certificate authenticated connection. The username for both primary and secondary prefill is always retrieved from the first certificate received from the client.

With multiple certificate authentication, two certificates are authenticated: the first certificate received from the client is the one that the pre-fill and username-from-certificate primary and secondary usernames are parsed from. You can then configure rules for the client to choose which certificate is sent first versus second.

##########

So since ASA version 9.7.x you can use the feature "multiple certificate" as the authentication method of the connection profile. This works fine for authentication, but there is a problem for the use case. The AnyConnect user always uses his machine certificate as the "first" authentication, so in the ASA the connected "user" is the machine. The same information also reaches the ISE RADIUS server for AuthZ.

The last comment in the documentation would be the solution, but I can't find anything to achieve this. I also don't want to use DAP or other endpoint assessment technologies.

The main question is: is it possible to force the client to use his user certificate as the first certificate using the multiple certificate feature?

Thanks

Thanks for pointing that out - I had missed that new feature in 9.7.

I dug around a bit and found this in the AnyConnect Admin Guide:

Machine (not a multi-cert option), checked: AnyConnect searches the machine certificate store. AnyConnect is allowed to search the machine store when the user does not have administrative privileges.

Source: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-vpn.html

It seems to state that multi-certificate authentication cannot use the machine certificate.

That seems to conflict with the VPN profile editor which tells us (highlight added):

Certificate Store—Controls which certificate store(s) AnyConnect uses for storing and reading certificates. The secure gateway must be configured accordingly and dictates to the client which one of the multiple certificate authentication combinations is acceptable for a particular VPN connection.

The value of the CertificateStore configuration in the VPN profile depends on the types of certificates that are acceptable to the secure gateway: either two user certificates or one machine and one user certificate.

  • All—One machine and one user certificate is acceptable by ASA configuration.

  • User—Two user certificates are acceptable by ASA configuration

That highlighted section is exactly what you were talking about in your original post. I don't have the resources handy to lab it up, but if it's not working as you have it configured, it would be worth having the TAC look into it. As a pretty new feature, I wouldn't be surprised if it has a bug. It may be how the agent interacts with the client OS (Windows) services.

However, you might be able to use the machine certificate as the first and only one for authentication and then, as you had suggested earlier, use the user certificate for Authorization.

The thing I'm not clear on is how we would tell the ASA or ISE to retrieve the user certificate for AuthZ if AuthC has already chosen to retrieve the machine certificate.

We can use the machine certificate for that use case. For this you have to check both certificate stores ("All"). If you only check one of the stores, "machine" or even "user", the multi-cert auth is not possible.

The user information for the ISE could be done by authorize-only to the ISE. This is working right now, but as I tried to clarify, the ASA would always use the user information from the first certificate received from the client (that's the machine certificate).

Regarding the ISE AuthZ policy, the machine information would not be very interesting; we need the AD user.

Thanks Both,

This is why I was wondering if you could force the selection of the certificate through a LUA, because I've found that it favours the user cert, though I do need to upgrade my lab ASA.

I've put a question in to Cisco about it. The identity for us to enforce the user access level is a great benefit to us, but machine trust is everything, hence machine certs making sense. So I need to find some other way of collecting the userID. The requirement from my management tree is that VPN needs to be "seamless", so no user interaction to log in to the VPN, so no usernames/passwords or 2FA. This is a big step change from the 2FA we use today, but as our organisation just got a lot larger, anything that takes the load off and reduces costs on 2FA is a "good thing".

kev-matthews
Level 1 (Accepted Solution)

Thanks Guys for responding - upgrading the ASA to 9.8 gave me the options I needed to make this work.

I can now Machine + user authC the VPN connection and then use the User for AuthZ on the ISE policy.

I've attached a PDF that covers off my notes, it's a bit rough and ready, but I hope that it helps someone else to make this work!

Great - thanks for sharing your writeup. Endorsed!

Did you try it at all on 9.7 or did you go straight to 9.8 for testing?

Thank you!  I've not tried on 9.7, so it's an assumption that it'll work on that code (I jumped from 9.3(2) to 9.8 latest) but looking at the release notes, I think 9.7 will be fine.  The feature for Multi-Auth came in 9.7, so going on that basis it should be good to go.

There were a few hours of banging my head into the keyboard involved, but I cracked the Auth side on Friday and then managed to fix the ISE side today. The confusing bit really was the Multi-Cert + AAA option, which basically forces a prompt for username and password, so it's not needed.

Once you get around the fact that you're not really authenticating the certificate, you're authorizing the user, the AuthC seems to happen higher up in the ASA and you never see that in ISE, so I'm not 100% sure how much of the ISE settings are used with it. More lab time needed I think.

Hi,

Just came back from holidays :-)

Good news!! I also did some new tests within this use case. It works also in my test lab with 9.7.1(8).

I configured my client from scratch and it uses the user certificate for AuthC and AuthZ. So I can see the user information in the ASA crypto sessions and can use the user information in the ISE authorization policy too. Even without DAP, that's what I want :-) !!

But I can't find my issue doing this scenario two weeks ago. The machine certificate information was used first.

So I searched again in the AnyConnect Admin Guide documentation about that feature multi-cert, but I can't find much about this behaviour. There is only the following information:

AnyConnect Admin Guide (Configure Certificate Selection)

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-vpn.html#ID-1428-00000555

http://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-groups.html#id_39395

The Aggregate Authentication protocol has been extended to define the protocol exchange for multiple-certificate authentication and utilize this for both session types. After the client makes an SSL connection and enters into aggregate authentication, another SSL connection is made, and the ASA sees that the client requires certificate authentication and requests the client certificate.

The ASA configures the required authentication for an AnyConnect connection of a remote-access type tunnel group. A tunnel-group mapping is performed with the existing methods such as certificate rule mapping, group-url, and so on, but then the required authentication methods are negotiated with the client.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-extserver.html#id_41775

 

With multiple-certificate authentication, you can make policy decisions based on the fields of a certificate used to authenticate that connection attempt. The user and machine certificate received from the client during multiple-certificate authentication is loaded into DAP to allow policies to be configured based on the field of the certificate. To add multiple certificate authentication using Dynamic Access Policies (DAP) so that you can set up rules to allow or disallow connection attempts, refer to Add Multiple Certificate Authentication to DAP in the appropriate release of the ASA VPN ASDM Configuration Guide.

In the admin guide I can't find more information.

So I have two questions:

  1. Is there any deep technical documentation about that feature?
    1. It works for me at this moment, but I want to know why and how Cisco wants this feature to be used.
  2. For DAP: is an APEX license absolutely necessary?
    1. I read something about using a subset of DAP without any additional license, because we don't want to use the host assessment or posture module, etc.

I think you're on the cutting edge taking advantage of this relatively new feature.

The latest field engineer training I have does have some coverage of double authentication bits (for use in FTD-based VPN), but in that case it is user certificate plus AAA server.

Something like what you created would be a great addition as a TAC document / tech note.

For DAP, I believe you do need a license. Per the AnyConnect Ordering Guide, HostScan does require Apex. But the relatively simple step of pulling the machine certificate should not, as you note, require even DAP.

You could always email anyconnect-pricing@cisco.com for confirmation. The product PM and TME monitor that alias.

So the DAP aspect is confusing. All the documentation I found (all two paragraphs of it!) seemed to point at that to pull through the machine certificate and the user certificate. I initially tried without the DAP but with the Override enabled in the AC profile, and it only pulled through the machine cert without the user. Then if I deleted the machine cert it would pull the user, but then there was no machine identity presented.

I added the DAP for it and it seemed to resolve the issue, but I have tried without it since and it looks like it functions correctly. Maybe it's because I changed a few variables at the same point based on the information I'd seen and got lucky...

The key bit from the AC side is the profile to override the store, which gives it access to the machine library as well as the user store.
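The configuration the thread converges on (ASA 9.7+ multiple-certificate authentication on the tunnel group, ISE as authorization-only server, and an AnyConnect client profile that opens both certificate stores), written out here as an added example. It is not taken from any post or from the attached PDF. The tunnel-group name, address pool, group-policy, AAA server-group name, group-url and the certificate field used for the username are placeholders and assumptions; the `authentication multiple-certificate` keyword, `authorization-required`, `username-from-certificate` and the `CertificateStore` / `CertificateStoreOverride` profile elements are the real ASA and AnyConnect settings being discussed.

```text
! ---- ASA side (placeholder names: RA-MULTICERT, VPN-POOL, GP-RA, ISE-RADIUS) ----
! Weak variant from earlier in the thread, for contrast: single certificate auth,
! which binds the session to whichever cert AnyConnect happens to pick.
!   tunnel-group RA-MULTICERT webvpn-attributes
!    authentication certificate
!
! Corrected variant: ASA asks the client for two certificates (machine + user).
tunnel-group RA-MULTICERT type remote-access
tunnel-group RA-MULTICERT general-attributes
 address-pool VPN-POOL
 default-group-policy GP-RA
 ! ISE is used for authorization only; authentication is the certificate exchange.
 authorization-server-group ISE-RADIUS
 authorization-required
 ! Username passed to ISE is parsed from the FIRST certificate the client sends
 ! (per the 9.7 release notes quoted above), so the identity ISE sees depends on
 ! which certificate AnyConnect presents first. CN is an assumed field choice.
 username-from-certificate CN
tunnel-group RA-MULTICERT webvpn-attributes
 authentication multiple-certificate
 group-url https://vpn.example.com/multicert enable
! Do NOT use "authentication multiple-certificate aaa" for this use case: as noted
! in the accepted solution it adds a username/password prompt, which the
! "seamless" requirement rules out.

<!-- ---- AnyConnect client profile fragment (ClientInitialization section) ----
     "All" lets the client search the machine store as well as the user store,
     which is required for the one-machine-plus-one-user-certificate combination;
     "User" would only ever allow two user certificates. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
  </ClientInitialization>
</AnyConnectProfile>
```

To confirm what the ASA actually received, run `debug aggregate-auth xml` (and `debug dap trace` if a DAP record is in play) during a test connection and check `show vpn-sessiondb anyconnect` for the username the session was bound to; that is the value ISE will be asked to authorize.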

DAP in itself does not require a license. The ability to pick up attributes is dependent on the HostScan feature. Without HostScan, AnyConnect should be able to pick up certain basic attributes on its own. As far as I remember, certificate information is not one of them. When HostScan and "Endpoint Assessment" are enabled, the ASA starts to receive a lot more information from the client.

I would run a "debug dap trace" and "debug aggregate-auth xml" without DAP policies and HostScan enabled to see what is returned from the client.
