Lab Minutes Forum

Technical Discussion => Security => Topic started by: ofmanyone on July 11, 2016, 02:02:53 PM

Title: ISE 2.1 and AnyConnect with ASA 9.5.2: EAP-FAST Alternative
Post by: ofmanyone on July 11, 2016, 02:02:53 PM
Hello fellow engineers!  I have been fruitlessly searching for this solution for days and need your assistance.  I also posted this subject on the Cisco Support Forums.

KEY COMPONENTS

ISE 2.1
ASA 5512-X 9.5.2
Windows 7 Pro (with AD provided machine certificates)
MS AD
AD Certificate Authority

The ASA VPN setup is complete and successfully tested utilizing ISE as the aaa-server.  Differentiated authorization is accomplished via AD user group membership and DACLs.  All of that works flawlessly.

My client now requires an additional condition for authorization, which is validation that the endpoint belongs to the organization.  I would prefer to utilize the machine certificates, though I would settle for verifying that the machine is in "Domain Computers", or even both. 

I realize that the authentication protocols in such a scenario are limited and do not include EAP-FAST (which would allow me to utilize the AnyConnect NAM client and ISE for EAP Chaining).  As such, I need a solution to add machine authentication/validation to my current AuthC/AuthZ policy for AnyConnect SSL VPN.  I have tried a number of options on my ISE AuthZ profiles, though none have worked. 

Has anyone done this before?  I found an old post from 3 years ago that vaguely described this, but I couldn't make heads or tails of it.  Thanks for your help!

Title: Re: ISE 2.1 and AnyConnect with ASA 9.5.2: EAP-FAST Alternative
Post by: MC on July 17, 2016, 10:10:33 PM
I don't think you can check for domain computer the same way as wired or wireless .1x. The best option to achieve what you described is to use client cert authentication on AnyConnect VPN. If the client presents a correct cert, then you know it's a corporate asset (not necessarily just a domain computer, but any device you issued the cert to). If you still want to have user login, you can do both cert and user/pass concurrently. The other option is to use the Posture module to check for a Registry key or file on the machine that indicates it being a domain computer, but that would add the complexity of posture assessment to the deployment.
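The "cert and user/pass concurrently" option described in the reply above, written out as ASA CLI. This is an added example, not configuration posted by either participant or taken from Cisco documentation for this exact deployment. The trustpoint, certificate-map, tunnel-group, group-policy, address-pool and AAA-server-group names (AD-ISSUING-CA, CORP-MACHINE-CERT, CORP-VPN, CORP-GP, VPN-POOL, ISE-RADIUS) and the issuer CN and domain suffix are placeholders, not values from the thread. The certificate map is what turns "the client has some cert" into "the client has a cert from our AD CA", which is the corporate-asset check the reply is describing.

```cisco
! Trust the AD issuing CA so the ASA can validate endpoint certificates.
! Certificates are checked against the CA's CRL; an endpoint whose cert
! was revoked (e.g. a decommissioned machine) fails authentication.
crypto ca trustpoint AD-ISSUING-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate AD-ISSUING-CA
! (paste the AD issuing CA's PEM certificate when prompted)

! Only certificates issued by our CA for hosts in our domain match this map.
! "co" is "contains"; the machine certs from the AD "Computer" template carry
! the host FQDN in the subject CN. Placeholder issuer CN and domain suffix.
crypto ca certificate map CORP-MACHINE-CERT 10
 issuer-name attr cn eq corp-issuing-ca
 subject-name attr cn co .corp.example.com

! Map endpoints whose certificate matches the rule above into CORP-VPN.
! A client with no cert, or a cert from another issuer, does not land here.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CORP-MACHINE-CERT 10 CORP-VPN

! CORP-VPN requires BOTH a valid certificate and a user/password
! authentication against ISE ("authentication aaa certificate").
! The existing ISE authorization (AD group -> DACL) is untouched.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
 group-alias corp enable
```

Two caveats a practitioner should check. First, the certificate requirement is enforced by the ASA, not by an ISE authorization rule, so the ISE side still only sees the RADIUS user authentication; ISE policy cannot distinguish a certificate-authenticated session unless the ASA passes something it can key on. Second, a domain user may also hold a user certificate from the same CA; if the subject-name rule is loose enough that a user cert matches, the check proves "someone with a corporate cert" rather than "a corporate machine". Tighten the certificate map to attributes only the machine template populates, and consider restricting the AnyConnect client profile to the machine certificate store so the user cert is never offered.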