1248 Views · 0 Helpful · 9 Replies

ISE Easy Connect with AnyConnect

gsheppar
Cisco Employee

Hi Team,

Is there a way to leverage Easy Connect with AnyConnect VPN? The thought was to use a machine certificate for authentication with AnyConnect/ASA and then pull the machine name from the CN to do authorization against ISE. At this point Easy Connect could provide the passive identity and then we could do a CoA against the ASA to place it in a different authorization group.

Regards,


Graham


9 Replies

Jason Kunst
Cisco Employee

Anyconnect has nothing to do with easy connect.

Why not machine certificate plus CWA portal. This is known as CWA chaining.

Jason, I know Easy Connect does not today, since it uses MAB with wired and wireless, but I was trying to see if there was a way to combine them to help with passive user identity. The end user does not want any popup that requires them to enter credentials. I was thinking that, since ASA supports CoA, there could be a way to leverage it.

No unfortunately not going to work because we need to see the user login. The only way I would think about this working would be if the anyconnect VPN tunnel with machine cert came up before the user logs into the machine. Then they logged in and WMI or AD agent event saw the login. This hasn’t been tested but might work.

Thanks Jason, sounds like something I should try to test. I don't see why it would not work the same way. You say the tunnel would have to come up prior to the user logging in, but I would assume it would work the same way as a user plugging a laptop into an Ethernet port. Once the network, or in this case the corporate VPN connection, is made, Windows would do a WMI login to AD, which ISE could then see for passive identity. Another idea, if it does not work the way I am thinking, would be to have a post-connect script on AnyConnect generate a WMI login. What do you think? I might try to build this out if we think it's theoretically possible.

AFAIK you would need to log in to Windows after connecting to the network for it to work; otherwise you are stuck in a MAB state without a WMI login. If my machine was already logged into the domain, it's not going to do it again just because I switched network ports. That's what dot1x is for ☺

I think it would work in theory, but I will rely on my counterpart hslai on Easy Connect to respond.

How To: ISE and ASA Integration using CoA for Posture shows that RA VPN can use certificate auth against the ASA and then authorize-only with ISE. That's been supported for a long time and is a better solution.

What you asked might work, but why complicate the use case when our teams have not vetted it?
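For reference, the certificate-auth-then-authorize-only flow the post above points to is an ASA configuration pattern. The fragment below is an added example, not taken from the linked how-to or from any poster; the tunnel-group name, server-group name, address pool, and the ISE PSN address are placeholders, and the shared secret must be replaced.

```text
! ASA: RADIUS server group pointing at ISE, with dynamic authorization
! enabled so ISE can send a CoA to move the session to a new authorization.
aaa-server ISE protocol radius
 dynamic-authorization
aaa-server ISE (inside) host 192.0.2.10   ! placeholder ISE PSN address
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

! Tunnel group: the ASA authenticates the endpoint by certificate only,
! then sends an authorize-only RADIUS request to ISE. No user credential
! prompt is shown. The username ISE sees is taken from the certificate
! field named in username-from-certificate (here the CN, i.e. the machine
! name for a machine certificate).
tunnel-group CERT-VPN type remote-access
tunnel-group CERT-VPN general-attributes
 address-pool VPN-POOL
 authorization-server-group ISE
 accounting-server-group ISE
 authorization-required
 username-from-certificate CN
tunnel-group CERT-VPN webvpn-attributes
 authentication certificate
 group-alias CERT-VPN enable
```

Because the authorization request carries whatever `username-from-certificate` selects, a machine certificate yields a machine identity in ISE, not a user identity. If the certificate carries a user-identifying field (for example a UPN in the SAN), pointing `username-from-certificate` at that field instead of CN is what makes ISE authorize on the user; with a plain machine certificate, user identity still has to come from a separate source such as a user login observed by the passive identity providers discussed in this thread.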

Thanks hslai, the only issue is that the customer does not want to deploy user certificates or ask for credentials, which is the only way that would work to get user identity. Sounds like what I am saying might work but has never been tested.

Is there any other way you can think of to get user identity without prompting the user for their information or leveraging a user certificate with AnyConnect? Could posture possibly provide the user identity?

Unfortunately, not really. Unless the username is in a field of the computer certificate and ASA is configured to send that to ISE instead of the computer's.

Thanks hslai, I might try to test out passive identity with ISE and AnyConnect CoA.