Cisco Support Community

New Member

Machine authentication over Client IPSEC tunnel

I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA. Our security folks just made me aware that in addition to the RADIUS authentication against AD credentials they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machine account in AD.

I have been looking for a way to do this with the IPsec client but haven't found anything as yet. Would appreciate any links that show me how to get this done. Moving to AnyConnect isn't an option at this point due to budgetary issues. I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.

What I may be looking at might be NAC (Network Admission Control?). Looking for all suggestions at this point.

Thanks,

Ron

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Machine authentication over Client IPSEC tunnel

I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.

But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.

I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.
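As an added illustration of the certificate-based approach the reply above describes, and not the answerer's own configuration or anything from this thread: an ASA 8.2-era configuration fragment in which the ASA trusts a partner root CA for IKE authentication, and a certificate map narrows which certificates issued by that CA may use the remote-access tunnel group. Every name here (PARTNER-ROOT, RA-IPSEC, RADIUS-AD, RA-POLICY) and the OU value are placeholders I chose; the aaa-server group, group-policy, dynamic crypto map and `crypto isakmp enable` on the outside interface are assumed to exist already, and the command forms are the pre-8.3 syntax as I recall it, so check them against the command reference for your release.

```cisco
! Added example (not from the original thread). All names and values are placeholders.
! Trustpoint holding the partner's root CA; the root certificate is pasted in at the terminal.
crypto ca trustpoint PARTNER-ROOT
 enrollment terminal
 crl configure
crypto ca authenticate PARTNER-ROOT
! <paste the partner root CA certificate in PEM form, then 'quit'>
!
! Certificate map: trusting the root alone would accept every certificate that CA ever issued.
! Only certificates whose subject carries the expected OU match this rule.
crypto ca certificate map DefaultCertificateMap 10
 subject-name attr ou eq VPN-Workstations
!
! Phase 1 policy using RSA-signature (certificate) authentication instead of a pre-shared key.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Remote-access tunnel group: RADIUS (AD-backed) user authentication on top of the certificate.
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 authentication-server-group RADIUS-AD
 default-group-policy RA-POLICY
tunnel-group RA-IPSEC ipsec-attributes
 trust-point PARTNER-ROOT
!
! Select the tunnel group by certificate-map match rather than by the group name the client sends.
tunnel-group-map enable rules
tunnel-group-map DefaultCertificateMap 10 RA-IPSEC
```

The map only tests fields inside the presented certificate; it does not look the machine up in AD, so this still does not meet the literal "has a machine account in AD" requirement the thread is about. It does address the weaker point that trusting a root CA without any subject filtering admits any certificate holder that CA has ever issued to.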

3 REPLIES

New Member

Machine authentication over Client IPSEC tunnel

Thanks. That confirms my suspicions. Didn't think the Security folks understand the magnitude of what they were asking for.

Hall of Fame Super Silver

Machine authentication over Client IPSEC tunnel

You're welcome.

There's a maxim I always think of when fielding such requests: "When the goods are free, the demand is infinite." I then remind the requester TANSTAAFL.

408 Views, 0 Helpful, 3 Replies