anyconnect and client certificates for dynamic access policies (dap)

royalle01 · ‎06-05-2012

I'm faced with the challenge of rolling out AnyConnect to our clients (which I've done before at another job) but in this case we want to 'NAC' vpn clients... We're still in discussion around the security policy and those details, but I wanted to see if folks on this forum could chime in with their experience on this.

We have a mix of Windows, Linux and MACs that are corporate issued devices that should receive some form of posture checking and then be granted access. Personal devices would also be subjected to some level of posture checking, but if during the initial scan it was deemed that this is not a corporate machine, then that machine would have very limited access.

From what I've read, the OS agnostic route to take is using certificates. I'm looking for design tips or docs that would assist in rolling this out. We do not have a PKI infrastructure today. So some of the questions I have are:

Can the ASA manage all of the client issued certs? From enrollment to revocation?

Or would I look to my Windows infrastructure for that? And if so, how does that integrate with the ASA?

Client certs vs machine certs?

Any advice from high level to low level or partial answers would be appreciated...

Thanks

rizwanr74 · ‎06-05-2012

"Can the ASA manage all of the client issued certs? From enrollment to revocation?"

Yes, please check the Cisco url below, configuration method.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1067758

Hope that helps.

thanks

Rizwan Rafeek