Restrict AnyConnect to corporate assets only

KYLE MCLERREN
Level 1

Hi All,

I have a new ask that is pretty straightforward: right now, anyone with a valid account can download and connect to VPN using AnyConnect. We would like to restrict this to only allow corporate-imaged assets to connect. This might be both Windows as well as Mac. Could someone point me in the right direction for accomplishing this with AnyConnect? I know there's probably a number of ways to go about it.

Thanks!


4 Replies

Hi,
There are a couple of ways. You could require certificate authentication using an internal CA that distributes certificates from AD to the corporate computers. Therefore only your corporate assets would have the certificate and successfully authenticate. This is probably the best thing to do.

If you had ISE as a RADIUS server, you could do a posture check: search for a local file/registry key that exists on your corporate assets.

HTH

Thank you, that's very helpful. We actually have both of those currently. Right now we distribute certificates to clients to facilitate wireless auth (802.1x), so it's possible we could leverage that.

Additionally, the way we currently do auth on AnyConnect is through RADIUS (by way of Okta for two-factor). So it sounds to me like posture and searching for a local file/registry key as you say might be the easier way to go, since we already have two-factor through RADIUS.

Appreciate the feedback

I was referring to the certificate authentication as the easier method rather than posture checking; it would usually be faster too. As you already have certificates for dot1x, you need a trustpoint set up on the ASA and to modify the tunnel-group to use double authentication (aaa + certificates). This post might help you with that configuration.


HTH

Great info, thanks!
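For readers landing on this thread: the accepted answer describes the pieces (a trustpoint for the internal CA, and the tunnel-group switched to aaa + certificate) without showing them. The ASA configuration below is an added example of that setup, not configuration posted by anyone in this thread. Every name in it is an assumption (trustpoint CORP-CA, certificate map CORP-ASSET, AAA server group OKTA-RADIUS and its address 10.0.0.25, tunnel-group CORP-VPN, pool VPN-POOL, group policy CORP-GP, the CA common name and the OU value); substitute your own.

```text
! --- Trust the internal CA that issues the corporate (802.1x) certificates ---
! Names, addresses and attribute values here are placeholders, not from the thread.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl none
 validation-usage ssl-client
!
! Paste the CA's PEM certificate when prompted.
crypto ca authenticate CORP-CA
!
! --- Accept only certificates from that CA, optionally pinned to a machine OU ---
crypto ca certificate map CORP-ASSET 10
 issuer-name attr cn eq Corp Issuing CA
 subject-name attr ou eq Workstations
!
! --- RADIUS server group that fronts Okta for the second factor (existing setup) ---
aaa-server OKTA-RADIUS protocol radius
aaa-server OKTA-RADIUS (inside) host 10.0.0.25
 key <radius-shared-secret>
!
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CORP-ASSET 10 CORP-VPN
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group OKTA-RADIUS
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
 group-alias corp enable
```

Two checks worth making before calling this done. First, `authentication aaa certificate` only requires a client certificate that chains to a trustpoint the ASA will use for client validation; restricting `validation-usage ssl-client` to the corporate CA trustpoint is what keeps a certificate from some other trusted CA from satisfying the check, and the certificate map steers matching certificates into CORP-VPN (a non-matching certificate falls back to the default WebVPN group, so leave that group unusable). Second, the control only holds if the certificate stays on the corporate asset: issue a machine certificate with a non-exportable private key rather than a user certificate, and on Windows set the AnyConnect client profile to use the machine store (`CertificateStore` of `Machine` with `CertificateStoreOverride` enabled) so the client can present it.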