Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1140
Views
0
Helpful
13
Replies

auto remediation (certs) with APEX licence and anyconnect agent

Go to solution
vark00001
Level 4
Level 4

‎06-23-2018 11:06 PM

Hi All,

I have been thrown a question prior to ISE deployment in our organization. Soon we will have dot1x on every port of all user and things facing switches and authentication will be via ISE infrastructure.

Now among other things corporate desktops and laptops will be authenticated using PKI framework based machine certificates , wherein ISE will forward the query to corporate CA server for verification .

Now the requirement is , for the corporate machine which has , lets say , missing or expired or corrupted certificates , by default they wont be authenticated and perhaps provided a internet only VLAN, but since those belong to actual corporate users we like to auto-remidiate the situation without having to remove the dot1x and installing certificates or may be even sending someone to put in certificates manually or taking them to staging areas.

Can apex licence in conjugation with any connect client help there ?  As i saw there was remediation scenario documentation for things like patches , anti virus etc , but nothing specfic to auto remediation of certificates .

Is that possible ? if yes, how ?

Varun

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎06-25-2018 10:21 AM

Few things to consider for expired certificate:

- In general corporate PKI (Especially if using MS CA), you can configure the CA server to issue certificates when the expiry date is near. This can be configured from MS CA console and is recommended. As long as the users are connecting the PC often enough before expiry, the machine should always have valid certificate

- Now, if you still want to address expired certificate consider following options:

1. If you want to allow expired certificates to authenticate then you can modify the 'Allowed protocols' for EAP-TLS to allow expired certificates. However, instead of providing full access, you can limit access to web portal where the user is instructed to take action to renew certificate.

2. It is generally not recommended to allow expired certificates to be authenticated due to security reasons. Better option is to use 'CERTIFICATE:DAYSTOEXPIRY' authorization condition to trigger user action when the certificate is near expiry.

3. You can simply deny access for expired certificate and redirect user to login via web portal using username and password


For above options, you don't need any Apex license as you are only leveraging basic RADIUS authentication.


Hosuk

View solution in original post

0 Helpful
13 Replies 13

Go to solution
howon
Cisco Employee
Cisco Employee

‎06-25-2018 10:21 AM

Few things to consider for expired certificate:

- In general corporate PKI (Especially if using MS CA), you can configure the CA server to issue certificates when the expiry date is near. This can be configured from MS CA console and is recommended. As long as the users are connecting the PC often enough before expiry, the machine should always have valid certificate

- Now, if you still want to address expired certificate consider following options:

1. If you want to allow expired certificates to authenticate then you can modify the 'Allowed protocols' for EAP-TLS to allow expired certificates. However, instead of providing full access, you can limit access to web portal where the user is instructed to take action to renew certificate.

2. It is generally not recommended to allow expired certificates to be authenticated due to security reasons. Better option is to use 'CERTIFICATE:DAYSTOEXPIRY' authorization condition to trigger user action when the certificate is near expiry.

3. You can simply deny access for expired certificate and redirect user to login via web portal using username and password


For above options, you don't need any Apex license as you are only leveraging basic RADIUS authentication.


Hosuk

0 Helpful

Go to solution
vark00001
Level 4
Level 4
In response to howon

‎06-26-2018 05:21 AM

Thanks Hosuk,

The suggestions here do answer questions for expired certificate , but what can be a good suggestion for machines with no certificates. Imagine we have ordered 10 new machines and those get the image and other software's from a local SCCM server .

Today this is not a problem , since there is no dot1x on ports , so a new  machine does a DHCP , get their SCCM server IP , get  image and along with that a certificate is issued by scripts.

If in future after we establish ISE infrastructure with dot1x on all ports and we are trying to set up these 10 machines , they will not have anything to supply for EAPoL. What will we do in those case, some options are :-

-> remove dot1x temprorily , let them image and get certificates and then apply back DOT1X ( Very manual and prone to ports being left non-dot1x )

--> Stage the machines at designated location with no dot1x and then connect to LAN ( This will add logistics cost )

--> May be authenticate via MAB and then let it get imaged with access to SCCM's only and then do a COA for full access.

What to other companies do to handle such situations ?

Varun

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to vark00001

‎06-26-2018 05:27 AM

Would recommend last 2 options. Likely others from partners will chime in like  berbee arne.bier

0 Helpful

Go to solution
vark00001
Level 4
Level 4
In response to Jason Kunst

‎06-26-2018 09:52 AM

Thanks Jason !!

would really appreciate real life experiences with this scenario.how are new machines handled generally.

certainly we are not the only organization with the dilemma.i am sure lot of companies order machines in their office and then

use SCCM for imaging. If the ports are dot1xed , then it will be like a chicken and egg problem.

0 Helpful

Go to solution
vark00001
Level 4
Level 4

‎06-27-2018 08:11 PM

Hi Jason ,

Did you manage to find any feedback on this ?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to vark00001

‎06-28-2018 10:49 AM

The people I copied were partners that might have shared their feedback. That’s all we have.

0 Helpful

Go to solution
vark00001
Level 4
Level 4
In response to Jason Kunst

‎07-04-2018 08:14 PM

Hi Jason ,

I actually found interesting line from Aaron woland in his famous  book and its version 2 at page 271 , at least for expired certs , there seems to be an inbuilt feature

cert.JPG

I am still trying to brainstorm what to do with brand new machines.

Varun

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to vark00001

‎07-04-2018 09:29 PM

Not all client OS's would present an expired certificate for EAP-TLS. For example, Windows clients do not.

0 Helpful

Go to solution
vark00001
Level 4
Level 4
In response to hslai

‎07-05-2018 07:36 PM

Ok ,

The case with new machines will be that they will not hand out any certificates even though the profiling will figure out based on DHCP , or other profiler's that at least the hardware is of corporate type . like HP model xx-yy.

So i am thinking of policy that say "match hardware type -corporate" and if they dont have certificates , give them access to only AD and SCCM servers and let them get a certificate and then do a COA.

Any thaught on if that can work ?

Varun

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to vark00001

‎07-08-2018 10:48 AM

Sure, if the AD is also serving as DNS and DHCP, as well as the CA services.

0 Helpful

Go to solution
vark00001
Level 4
Level 4
In response to hslai

‎07-08-2018 08:38 PM

Nops , DNS and DHCP are based on completely different product - infoblocks . Though AD has the CA  services running.

Varun

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to vark00001

‎07-09-2018 05:33 AM

Then, DNS and DHCP need allowed, as well. Or, at least DNS, if the endpoints are using static IP.

0 Helpful

Go to solution
vark00001
Level 4
Level 4

‎07-08-2018 07:42 AM

Hello HSLAI ,

Any comments if this idea can work ?

Varun

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents