Certificate Authentication Enrollment + NGE

switched switch
Level 1

Hi All,

I have two questions regarding ASAs.

If we have remote users that never make it into the corporate office, are they able to enroll for a user and machine certificate from outside of the network through the ASA? Someone I spoke to recently advised I would require CEP and CES (we run MS CS) to be on the edge of our network to support external machines. Can the ASAs act as a proxy for this instead?

Secondly, regarding encryption - I notice that version 9.2 supports NGE (Next Gen Encryption), but it mentions IKEv2 IPsec connections if I remember correctly. The handbook says the following:

Next Generation Encryption (NGE) for AnyConnect 3.1 VPN and Network Access Manager includes the following functionality:
SHA-2 (SHA with 256/384/512 bits) support for hashing
– (Network Access Manager) Ability to use certificates with SHA-2 in TLS-based EAP methods
– (VPN) IKEv2 payload authentication (Windows Vista or later and Mac OS X 10.6 or later)
– (VPN) ESP packet authentication (Windows Vista or later and Mac OS X 10.6 or later)

What does NAM have to do with the ASA besides being able to retrieve a profile from the ASA? When a user logs in via 802.1X, does it connect to the ASA directly, or will it speak with our ISE nodes?

Currently we are using SSL for VPN connections, to support NGE for VPN, would we need to consider IPSEC instead of SSL?

 

Thanks

 


Marvin Rhoads
Hall of Fame

You can use an ASA as a SCEP proxy. Here's an example guide.

NAM is (for purposes of this discussion) the 802.1x supplicant for your wired and wireless LAN environment with ISE. It's mostly unrelated to the VPN module.

The AnyConnect VPN module is not directly interacting with ISE but is a remote access VPN client talking to the ASA. That includes downloading the profile as part of client services.

ISE can interact with the ASA as of 9.2 as a RADIUS server performing Change of Authorization (CoA) for remote access VPN users. This is in lieu of the earlier model which required you to insert an ISE node as an Inline Policy Enforcement Point (IPEP) when you wanted to enforce ISE policies for remote access VPN users.
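The RADIUS Change of Authorization mentioned above is what lets ISE re-authorize an already-connected VPN session on the ASA without an inline enforcement node. The following is an added illustration of that exchange, not code from Cisco ISE, the ASA or this thread: it builds an RFC 5176 CoA-Request the way a RADIUS server would, then checks it the way the NAS (here, the ASA) would, including the Request Authenticator and the Message-Authenticator that protect the request against spoofing and tampering. The shared secret, username, session ID and the `subscriber:command=reauthenticate` Cisco AVPair are constructed sample values; the Message-Authenticator is computed with the Request Authenticator field zeroed, which is how this example reads RFC 5176 section 3.2.

```python
"""RFC 5176 RADIUS CoA-Request: build on the server side, verify on the NAS side.
Added example for illustration; not Cisco ISE/ASA code. All secrets and
identifiers below are constructed sample values."""
import hashlib
import hmac
import struct

COA_REQUEST = 43             # RFC 5176 packet code for CoA-Request
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # Cisco VSA subtype for "key=value" pairs


def attr(atype, value):
    """Encode one RADIUS attribute as Type | Length | Value (max 253 value bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco vendor-specific attribute (vendor 9, subtype 1)."""
    sub = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(secret, identifier, attrs):
    """Build a CoA-Request with both authenticators (what the RADIUS server sends).

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    Message-Authenticator = HMAC-MD5(secret, packet with both authenticator fields zeroed)
    """
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    zero_auth = bytes(16)
    mac = hmac.new(secret, header + zero_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac                      # fill in the Message-Authenticator
    req_auth = hashlib.md5(header + zero_auth + body + secret).digest()
    return header + req_auth + body


def parse_attributes(body):
    """Walk the Type|Length|Value list; returns [(type, value, offset)] or raises."""
    out, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            raise ValueError("bad attribute length")
        out.append((atype, body[off + 2:off + alen], off))
        off += alen
    return out


def verify_coa_request(secret, packet):
    """Validate a received CoA-Request as the NAS would; returns [(type, value)].

    Raises ValueError on a bad length, a wrong shared secret, or any tampering
    with the attributes (both checks use constant-time comparison)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("bad code or length")
    req_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(req_auth, expected):
        raise ValueError("Request Authenticator mismatch (wrong secret or tampered)")
    attrs = parse_attributes(body)
    mas = [(v, o) for t, v, o in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        raise ValueError("Message-Authenticator missing or malformed")
    value, off = mas[0]
    zeroed = body[:off + 2] + bytes(16) + body[off + 18:]
    mac = hmac.new(secret, packet[:4] + bytes(16) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        raise ValueError("Message-Authenticator mismatch")
    return [(t, v) for t, v, _ in attrs if t != ATTR_MESSAGE_AUTHENTICATOR]


def demo(secret=b"example-shared-secret"):
    """Server builds a re-authorization CoA for one VPN session; NAS verifies it."""
    pkt = build_coa_request(secret, 7, [
        attr(ATTR_USER_NAME, b"jdoe"),                    # constructed sample user
        attr(ATTR_ACCT_SESSION_ID, b"0A1B2C3D"),          # constructed session ID
        cisco_avpair("subscriber:command=reauthenticate"),
    ])
    return verify_coa_request(secret, pkt)


if __name__ == "__main__":
    for atype, value in demo():
        print(atype, value)
```

The point for the practitioner: a NAS that accepts CoA must check both authenticators against the shared secret, and the server should send from a source IP the NAS has been configured to trust, otherwise anyone who can reach the CoA port can disconnect or re-authorize sessions. On the ISE side this is the same shared secret and RADIUS CoA port the ASA is configured with as a network device.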

Great thanks Marvin, appreciate the reply.

I have our ISE as the authentication source for our RA VPNs, which in turn is pointing to an OTP server for two-factor auth already, and that works as expected.

Currently we are not supporting certificate-based authentication but want to proceed with this - I was just concerned that I wasn't going to be able to support enrollment of new certificates from outside the corporation. I personally thought it was possible, but a recent contractor said "Good Luck" with the SCEP proxy on the ASA. In your experience, have you had any issues with supporting this, or with this process not working that well?

 

Re NAM, when outside the office and using certificate based authentication, is NAM at all used as part of this process, or is this purely for inside the environment for wired and wireless?

As the ASAs support building up a profile for NAM on the ASAs directly, at what point are any new profile updates pushed down to the client? Is it only when they connect to the LAN/WLAN? E.g. does the client still directly authenticate to ISE, then check for any updates on the ASA for the NAM profile?

Yes of course ISE can be a plain vanilla RADIUS server. I didn't think that worth commenting on earlier.

I've not done a production SCEP deployment but FWIW it's very simple in the lab. :)

NAM, when you're outside the office and using the VPN module, is an unused module. The RA VPN XML profile is downloaded via the VPN module, and authentication via RADIUS on ISE is within that context. ISE will, via RADIUS CoA, modify the client access as appropriate, consistent with the profiling of the client and associated policies.

 

Thanks Marvin,

Reading between the lines, I take from your reply that NAM is completely unused for VPN authentication (with either certificate-based authentication or user/pass authentication). I hope I've understood correctly.

So when users are inside and on the LAN/WLAN (and using the NAM module), after every successful authentication, does the NAM module then send a request to the ASA to see if a new profile exists for the NAM policy, as I see this is something that can be built up on the ASA (as well as the local editor)?
 

Correct - NAM is not used for VPN authentication.

The NAM module is not necessarily directly interacting with the ASA - whether the client is on remote access VPN or in-house wired or wireless. You can create a NAM profile on an ASA (or standalone profile editor) and it will deploy as part of client services if a user connects to the ASA via AnyConnect. However if the user's PC is not at all a remote access device (e.g. a corporate desktop PC) you can deploy the NAM profile manually or via 3rd party software deployment tools.

The NAM module is (among other things) providing an enhanced 802.1x supplicant function (over the base supplicant capability of the OS) which interacts with the 802.1x authenticator (switch or wireless controller), which in turn talks to the authentication server (e.g. RADIUS on ISE). The resultant policy is pushed into the switch or controller on a per-client basis in the form of things such as VLAN assignment, pushing out of downloadable ACLs (dACLs), redirection to a portal etc.

Thanks again Marvin, that has answered my questions on NAM.

Re the Next Gen Encryption, if we are using certificate-based authentication for NAM, and we have our signature algorithm as SHA256RSA, we would need to support the minimum ASA version (I believe it is 9.1 or 9.2), is that correct?

Also, for VPN requirements and NGE, will SSL ever support NGE? Currently I know it is only the Suite B algorithms that are IPsec/IKEv2.

 
