09-05-2018 07:13 AM
We have a requirement to allow users to VPN into our network on work equipment only (no BYOD). Do we have to use posture in order to meet this requirement?
09-05-2018 07:19 AM
You could do posture, but that would be overkill to simply answer the question "Is this device a corporate asset?"
Configure your VPN head-end to do certificate authentication, then send the authentication over to ISE to do User/MFA authentication. This assumes you have certificates pushed to your corporate devices. I usually set up two group URLs for my customers:
https://vpn.mycompany.com/vendor
https://vpn.mycompany.com/employee
The vendor group URL does User/MFA auth only, no certificate, but DACLs are applied to limit access to the network based on what the vendors need.
The employee group URL does certificate + User/MFA auth to ensure connecting devices are corporate devices.
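The employee group URL in the answer above reduces the "is this a corporate device?" question to one check at the head-end: does the presented client certificate chain to the corporate device CA and is it valid for client authentication? The following is an added example, not code from the thread or from Cisco; it uses only the Go standard library, with a constructed CA and constructed device names, and leaves the User/MFA step (handled by ISE in the design above) out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a one-year certificate: CA templates may issue, device leaves may only do TLS client auth.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // a device cert signs TLS handshakes and is valid for nothing but client authentication
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}
// issue signs tmpl with parentKey and returns the cert plus its own fresh key; a nil parent self-signs.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// IsCorporateDevice is the head-end's whole "corporate asset?" test: chain to the device CA, valid for client auth.
func IsCorporateDevice(corpCA *x509.CertPool, client *x509.Certificate) bool {
	_, err := client.Verify(x509.VerifyOptions{Roots: corpCA, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// Demo: a constructed corporate device CA, one laptop cert it issued, and one self-signed cert standing in for BYOD.
func Demo() (managedAccepted, byodAccepted bool) {
	caCert, caKey := issue(template("Example Corp Device CA", 1, true), nil, nil)
	laptop, _ := issue(template("laptop-0042.corp.example", 2, false), caCert, caKey)
	byod, _ := issue(template("personal-macbook", 3, false), nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return IsCorporateDevice(pool, laptop), IsCorporateDevice(pool, byod)
}
```

The managed laptop passes because its certificate was issued by the CA the head-end trusts; the BYOD machine fails with an unknown-authority error even though its certificate is otherwise well formed, which is why the answer treats posture as unnecessary for this particular question.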
09-05-2018 07:22 AM
Is there any way around certificates?
09-05-2018 07:25 AM
09-05-2018 07:26 AM
I just meant: is there a way to make sure the device is a corporate device without the certificate?
09-05-2018 07:30 AM