Author Topic: ISE 2.1 and AnyConnect with ASA 9.5.2: EAP-FAST Alternative  (Read 8432 times)

Offline ofmanyone

Hello fellow engineers!  I have been fruitlessly searching for this solution for days and need your assistance.  I also posted this subject on the Cisco Support Forums.


ISE 2.1
ASA 5512-X 9.5.2
Windows 7 Pro (with AD provided machine certificates)
AD Certificate Authority
The ASA VPN setup is complete and successfully tested utilizing ISE as the aaa-server.  Differentiated authorization is accomplished via AD user group membership and DACLs.  All of that works flawlessly. 

My client now requires an additional condition for authorization, which is validation that the endpoint belongs to the organization.  I would prefer to utilize the machine certificates, though I would settle for verifying that the machine is in "Domain Computers", or even both. 

I realize that the authentication protocols in such a scenario are limited and do not include EAP-FAST (which would allow me to utilize the AnyConnect NAM client and ISE for EAP Chaining).  As such, I need a solution to add machine authentication/validation to my current AuthC/AuthZ policy for AnyConnect SSL VPN.  I have tried a number of options on my ISE AuthZ profiles, though none have worked. 

Has anyone done this before?  I found an old post from 3 years ago that vaguely described this, but I couldn't make heads or tails of it.  Thanks for your help!

Offline MC

Re: ISE 2.1 and AnyConnect with ASA 9.5.2: EAP-FAST Alternative
« Reply #1 on: July 17, 2016, 10:10:33 PM »
I don't think you can check for domain computer the same way as wired or wireless .1x. The best option to achieve what you described is to use client cert authentication on AnyConnect VPN. If the client presents a correct cert, then you know it's a corporate asset (not necessarily just a domain computer but any device you issued the cert to). If you still want to have user login, you can do both cert and user/pass concurrently. The other option is to use the Posture module to check for a Registry key or file on the machine that indicates it being a domain computer, but that would add the complexity of posture assessment to the deployment.
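The cert-plus-credentials option MC describes, as an added ASA 9.x configuration sketch (it is not from the thread or from Cisco documentation; the names CORP-VPN, CORP-GP, VPN-POOL, ISE-RADIUS, AD-ROOT-CA, CORP-MACHINE-CERT and the issuer CN are assumed placeholders):

```cisco
! Trust the AD CA that issues the machine certificates (placeholder name).
! Paste the CA's PEM certificate when "crypto ca authenticate" prompts for it.
crypto ca trustpoint AD-ROOT-CA
 enrollment terminal
 revocation-check crl
 crl configure
crypto ca authenticate AD-ROOT-CA
!
! Accept only client certificates issued by that CA. The issuer CN value
! is a placeholder for the real AD CA common name.
crypto ca certificate map CORP-MACHINE-CERT 10
 issuer-name attr cn eq corp-issuing-ca
!
! Steer connections whose certificate matches the map into the corporate
! tunnel group, so a non-corporate cert never reaches that group at all.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CORP-MACHINE-CERT 10 CORP-VPN
!
! ISE-RADIUS stands for the aaa-server group the ASA already uses for
! AD user/group authorization and DACLs.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 ! Require BOTH a valid client certificate AND RADIUS (ISE/AD) credentials.
 authentication aaa certificate
 group-alias corp enable
```

Note that the certificate check is enforced on the ASA: ISE still only sees the RADIUS username/password exchange, which is why an ISE authorization profile alone cannot add machine validation in this flow. On Windows, AnyConnect selects from the user certificate store by default, so the client profile must enable CertificateStoreOverride for the machine-store certificate to be offered.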

