VPN and ISE Profiling

Alex Pfeil
Level 7

We have a requirement to allow users to VPN into our network on work equipment only (no BYOD). Do we have to use posture in order to meet this requirement?

Accepted Solution

paul
Level 10

You could do posture, but that would be overkill to simply answer the question "Is this device a corporate asset?"


Configure your VPN head-end to do certificate authentication, then send the authentication over to ISE to do User/MFA authentication. This assumes you have certificates pushed to your corporate devices. I usually set up two group URLs for my customers:


https://vpn.mycompany.com/vendor

https://vpn.mycompany.com/employee


The vendor group URL does User/MFA auth only, no certificate, but DACLs are applied to limit access to the network based on what the vendors need.


The employee group URL does certificate + User/MFA auth to ensure connecting devices are corporate devices.

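An ASA-side sketch of the two group URLs described in the accepted answer, added here as an illustration; it is not configuration from the original post or from Cisco documentation. The ISE address, RADIUS secret, trustpoint and group-policy names are placeholders, and the example assumes AnyConnect/webvpn is already enabled on the outside interface and that the corporate CA issues device certificates with non-exportable private keys.

```cisco
! Added example: two remote-access tunnel groups on an ASA.
! Placeholders (assumed, not from the thread): 10.0.0.10, <radius-secret>,
! trustpoint CORP-CA, the group-policy names.

! ISE is the RADIUS server that performs the user/MFA step.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.10
 key <radius-secret>

! Trustpoint holding the corporate issuing CA. Only client certificates
! that chain to this CA satisfy the certificate step. Import the CA
! certificate with "crypto ca authenticate CORP-CA" (paste PEM at the prompt).
crypto ca trustpoint CORP-CA
 enrollment terminal

group-policy EMPLOYEE-GP internal
group-policy EMPLOYEE-GP attributes
 vpn-tunnel-protocol ssl-client
group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-tunnel-protocol ssl-client

! Employee URL: device certificate AND user/MFA through ISE.
tunnel-group EMPLOYEE type remote-access
tunnel-group EMPLOYEE general-attributes
 authentication-server-group ISE
 default-group-policy EMPLOYEE-GP
tunnel-group EMPLOYEE webvpn-attributes
 authentication aaa certificate
 group-url https://vpn.mycompany.com/employee enable

! Vendor URL: user/MFA only, no certificate. ISE returns a downloadable
! ACL (DACL) in the RADIUS Access-Accept to restrict what vendor sessions
! may reach; the ACL contents are defined in ISE, not on the ASA.
tunnel-group VENDOR type remote-access
tunnel-group VENDOR general-attributes
 authentication-server-group ISE
 default-group-policy VENDOR-GP
tunnel-group VENDOR webvpn-attributes
 authentication aaa
 group-url https://vpn.mycompany.com/vendor enable
```

On the ISE side, the authorization policy can distinguish the two groups by the tunnel-group name the ASA includes in the RADIUS request, so the VENDOR rule returns the DACL while the EMPLOYEE rule permits full access.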

5 Replies


Is there any way around certificates?

If the VPN head-end requires certificates to connect, the user/device must present a proper certificate from a CA the VPN device trusts to issue certs. The only way to get around this would be extracting the certificate/private key from one device and moving it to another. If your certificate templates allow for private key exporting and you are making it easy to do this, then the integrity of your CA is gone.

I just meant: is there a way to make sure the device is a corporate device without the certificate?

Posturing, but that is way more difficult to configure and support than a certificate check. The certificate check is a trivial setup, assuming you have certs already issued to connecting corporate devices.