Cisco Support Community
Community Member

VPN Machine Authentication

Hi

Current setup:

Anyconnect clients establish VPN tunnels to an ASA and are authenticated using an OTP server and AD (primary and secondary configuration under the connection profile). For AD, the ASA sends the authentication request to ISE which is integrated with AD. Clients are associated to different group-policies depending on which AD group they belong to.

We would like to add machine authentication to this. Is it possible to additionally check that the client machine is also present and active in AD?

Kind Regards

1 ACCEPTED SOLUTION

Accepted Solutions

Re: VPN Machine Authentication

You cannot pass machine credentials through VPN as it does not do 802.1x for VPN access. But instead, you can run posture (ASA or ISE Posture) to check for a registry key on the user machine.
An example using ASA posture (and DAP for enforcement) is given here:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#anc21

The registry key you can use to check this is "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain"

You can set up the same check using ISE posture. Example here:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
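The posture rule described above boils down to a registry read on the endpoint. The following PowerShell is an added example (not code from this thread or from the Cisco documents linked in the reply) that reproduces that read locally so the expected value can be confirmed on a known-good domain-joined machine before it is written into a DAP or ISE posture condition. `corp.example.com` is a placeholder for the customer's AD DNS domain; the function names are mine.

```powershell
# Added example, not from the Cisco thread or Cisco docs: reproduce locally the registry
# test that a HostScan/ISE posture policy performs for the key named in the reply, and put
# it beside what Windows itself reports about domain membership.
# 'corp.example.com' is a placeholder; replace it with the real AD DNS domain.

$ExpectedDomain = 'corp.example.com'   # assumption: the customer's AD DNS domain
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Test-DomainRegistryKey {
    param(
        [Parameter(Mandatory)][string]$Expected,
        [string]$Path = $KeyPath
    )
    # Read the 'Domain' value; -ErrorAction Stop turns a missing key or value into a catchable error,
    # which is exactly the case a posture rule treats as "check failed".
    try {
        $value = (Get-ItemProperty -Path $Path -Name 'Domain' -ErrorAction Stop).Domain
    } catch {
        return [pscustomobject]@{
            Check  = 'Registry'
            Passed = $false
            Detail = "'Domain' value not present under $Path"
        }
    }

    # Posture string comparisons are exact, so normalise case here to avoid a false fail
    # when the key holds 'CORP.EXAMPLE.COM'.
    $passed = [bool]($value -and ($value.Trim().ToLowerInvariant() -eq $Expected.ToLowerInvariant()))
    [pscustomobject]@{
        Check  = 'Registry'
        Passed = $passed
        Detail = "Domain='$value'"
    }
}

function Test-DomainMembership {
    # Independent signal: the Tcpip\Parameters\Domain value is the machine's primary DNS suffix.
    # It normally follows domain join, but it is not the same thing as membership, so compare both.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Check  = 'Win32_ComputerSystem'
        Passed = [bool]$cs.PartOfDomain
        Detail = "PartOfDomain=$($cs.PartOfDomain); Domain='$($cs.Domain)'"
    }
}

$results = @(
    (Test-DomainRegistryKey -Expected $ExpectedDomain),
    (Test-DomainMembership)
)
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'At least one check failed; a posture rule keyed on this registry value would deny this host.'
    exit 1
}
```

Run it on a machine that should pass and on one that should fail; if the second `Win32_ComputerSystem` row disagrees with the registry row, the DNS suffix has been configured independently of domain join and the posture value needs revisiting. Either way the check only shows that the endpoint carries domain-join configuration; it says nothing about whether the computer account is still enabled in AD, which is the part of the original question that posture cannot answer.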
2 REPLIES

Community Member

Re: VPN Machine Authentication

Thanks for your reply Rahul.

We had already tested the ASA posture / registry key option which worked fine.

My customer asked the question, so I just wanted to make sure I wasn't missing an option that could be used.

Kind Regards

Terry
