ISE 2.1 and AnyConnect with ASA 9.5.2: EAP-FAST Alternative

Curtis Weller
Level 1

Hello fellow engineers! I have been fruitlessly searching for this solution for days and need your assistance.

KEY COMPONENTS

  • ISE 2.1
  • ASA 5512-X 9.5.2
  • Windows 7 Pro (with AD provided machine certificates)
  • MS AD
    • AD Certificate Authority

The ASA VPN setup is complete and successfully tested utilizing ISE as the aaa-server. Differentiated authorization is accomplished via AD user group membership and DACLs. All of that works flawlessly.

My client now requires an additional condition for authorization, which is validation that the endpoint belongs to the organization. I would prefer to utilize the machine certificates, though I would settle for verifying that the machine is in "Domain Computers", or even both.

I realize that the authentication protocols in such a scenario are limited and do not include EAP-FAST (which would allow me to utilize the AnyConnect NAM client and ISE for EAP Chaining). As such, I need a solution to add machine authentication/validation to my current AuthC/AuthZ policy for AnyConnect SSL VPN. I have tried a number of options on my ISE AuthZ profiles, though none have worked.

Has anyone done this before? I found an old post from 3 years ago that vaguely described this, but I couldn't make heads or tails of it. Thanks for your help!

Curtis: CCIE 19109

2 Replies

sdoherty
Level 1

Hello Curtis,

Can you use ISE posture to check for the reg key to see if the machine has your domain listed?

-Sean

I suppose that's what I'll have to do. Our local Cisco SE informed us that EAP-FAST would be supported on the ASA and ISE later this year. I already have posture tested in my lab, wherein I'm checking the registry for membership in the AD domain. It's a consolation that I will have to live with for now. Thanks for your suggestion, Sean.
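The two endpoint signals discussed in this thread (domain membership read from the registry, and an AD-issued machine certificate) can be checked locally on a Windows endpoint before building the matching ISE posture condition. The PowerShell below is an added example, not code from the thread or from Cisco; the domain name and CA issuer string are placeholders, and the registry value it reads is the Tcpip\Parameters `Domain` value Windows writes on domain join, which is assumed to be the kind of key a posture registry condition would target.

```powershell
# Added example: local pre-check of the signals an ISE posture policy could use.
# Run on the Windows endpoint; placeholders below must be replaced.
param(
    [string]$ExpectedDomain = 'corp.example.com',    # placeholder domain
    [string]$IssuerMatch    = 'CN=Example-Issuing-CA' # placeholder AD CA subject
)

# 1. Registry view: the string value a posture registry condition can read.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$regDomain = (Get-ItemProperty -Path $regPath -Name Domain -ErrorAction SilentlyContinue).Domain
$regJoined = ($regDomain -ieq $ExpectedDomain)

# 2. Cross-check with what Windows itself reports, since the registry value is
#    only a string that any local administrator could write. A posture check that
#    relies on it alone is a weaker signal than a machine certificate.
$cs        = Get-WmiObject -Class Win32_ComputerSystem
$wmiJoined = [bool]$cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

# 3. Machine certificate: a non-expired cert in the machine store, with a private
#    key, issued by the AD CA and carrying the Client Authentication EKU.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCerts  = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*$IssuerMatch*" -and
    $_.NotAfter -gt (Get-Date) -and
    $_.HasPrivateKey -and
    ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $clientAuthOid })
})

# Summary of what each check found; compare against the posture condition's result.
New-Object PSObject -Property @{
    RegistryDomain     = $regDomain
    RegistryMatches    = $regJoined
    WmiDomainMatches   = $wmiJoined
    MachineCertPresent = ($machineCerts.Count -gt 0)
    MachineCertThumbs  = (($machineCerts | ForEach-Object { $_.Thumbprint }) -join ',')
}
```

If RegistryMatches is true but WmiDomainMatches is false, the registry-based posture condition would pass on a machine that is not actually domain-joined, which is the gap the machine-certificate check closes.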