Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Using ClearPass Policies to verify VPN Clients are Corporate Assets

  • 1.  Using ClearPass Policies to verify VPN Clients are Corporate Assets

    Posted Apr 11, 2014 09:30 AM

    Using ClearPass Policies to verify VPN Clients are Corporate Assets.


    Security Department requirement: verify that the PC or laptop connecting to the corporate VPN solution is a corporate asset and thus follows the virus-protection standards.


    Environment: Cisco AnyConnect client, Cisco ASA5525 VPN host, ClearPass 6.2.6.62196 as a proxy to Active Directory, checking for membership of CN=<Group_Name>.


    Question: what policy can I add to the ClearPass authentication process to verify that the client laptop is a corporate asset, i.e. a member of the corporate domain?


  • 2.  RE: Using ClearPass Policies to verify VPN Clients are Corporate Assets

    EMPLOYEE
    Posted Apr 11, 2014 10:45 AM

    A couple of options:


    First, the user machine's MAC address must be passed through the VPN to ClearPass so we can reference it for the options below.


    1. I take it that the device connects to Wi-Fi in a corporate location as well as over VPN? If so, you can add an endpoint attribute based on machine authentication in the corporate environment. Then, once the user has this attribute in the endpoint database, you can reference it in policy on ClearPass for the VPN service. However, this isn't a "light switch" approach, meaning that the user must connect in a corporate office first with ClearPass as the RADIUS server. This is because we will see a domain computer also pass machine authentication, and in Access Tracker you will see "machine authenticated" as a role attribute. We can add a custom endpoint attribute once we see this. When the user tries VPN afterwards, we can see that this machine was machine authenticated in the office and then allow access.


    2. Use a SQL query to an asset DB and check the MAC against it as an authorization source. Using this logic, we can query for the MAC in the DB, and if it exists, then we know it's a corporate asset.
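
The two checks described in the reply above, as an added worked example that is not ClearPass code and not from the original thread: Python that canonicalises the MAC the ASA forwards, looks for the custom endpoint attribute of option 1, and runs a parameterised filter query against an asset inventory for option 2, then combines both with the AD checks already in the service. The table and column names, the endpoint attribute name `Machine-Authenticated`, the sample inventory rows and the sample MACs are all constructed assumptions.

```python
import re
import sqlite3

# Constructed asset inventory standing in for the corporate asset DB of
# option 2. Table and column names are assumptions, not a ClearPass schema.
ASSET_ROWS = [
    ("lt-0421", "00:1A:2B:3C:4D:5E", "corp-laptop"),
    ("lt-0422", "d4-be-d9-aa-bb-cc", "corp-laptop"),
]

# Constructed endpoint-repository entries standing in for option 1: the
# custom attribute an enforcement profile would set once Access Tracker
# shows "machine authenticated" for the device. The attribute name is assumed.
ENDPOINT_ATTRS = {
    "001a2b3c4d5e": {"Machine-Authenticated": "true"},
}

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise a MAC to 12 lowercase hex chars, or return None.

    Accepts colon, hyphen, Cisco dotted and bare forms so an inventory lookup
    does not fail on formatting. Anything else (including SQL-injection
    attempts in the MAC field) is rejected before it reaches a query.
    """
    if raw is None:
        return None
    mac = re.sub(r"[:.\-\s]", "", raw.strip().lower())
    return mac if _MAC_HEX.match(mac) else None


def build_asset_db():
    """In-memory SQLite table loaded from the constructed inventory rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (hostname TEXT, mac TEXT PRIMARY KEY, kind TEXT)")
    conn.executemany(
        "INSERT INTO assets (hostname, mac, kind) VALUES (?, ?, ?)",
        [(h, normalize_mac(m), k) for h, m, k in ASSET_ROWS],
    )
    conn.commit()
    return conn


def is_corporate_asset(conn, mac):
    """Option 2: filter query against the asset DB.

    The MAC is bound as a parameter, which is what keeps a client-controlled
    value from changing the shape of the query.
    """
    norm = normalize_mac(mac)
    if norm is None:
        return False
    row = conn.execute("SELECT 1 FROM assets WHERE mac = ? LIMIT 1", (norm,)).fetchone()
    return row is not None


def was_machine_authenticated(mac):
    """Option 1: the device carries the custom endpoint attribute."""
    norm = normalize_mac(mac)
    if norm is None:
        return False
    return ENDPOINT_ATTRS.get(norm, {}).get("Machine-Authenticated") == "true"


def vpn_decision(conn, user_ok, in_vpn_group, mac):
    """Combine the existing AD checks with either asset check.

    Returns (decision, reason). A request with no usable MAC is treated as
    an unknown device and denied rather than passed through.
    """
    if not user_ok:
        return ("REJECT", "user authentication failed")
    if not in_vpn_group:
        return ("REJECT", "user not in VPN group")
    if was_machine_authenticated(mac):
        return ("ACCEPT", "endpoint attribute Machine-Authenticated")
    if is_corporate_asset(conn, mac):
        return ("ACCEPT", "MAC found in asset inventory")
    return ("REJECT", "MAC missing or not a corporate asset")


if __name__ == "__main__":
    db = build_asset_db()
    for sample in ("00:1A:2B:3C:4D:5E", "d4be.d9aa.bbcc",
                   "00:11:22:33:44:55", None, "' OR 1=1 --"):
        print(repr(sample), "->", vpn_decision(db, True, True, sample))
```

Two points worth keeping in mind when translating this into a ClearPass authorization source and role-mapping rule: the MAC is a value the client sends through the VPN, so both checks establish that the address is on the inventory or was machine-authenticated earlier, not that the host presenting it now is genuinely that machine; and the asset-DB filter query should receive the MAC in one canonical form (the 12-character lowercase form used here), bound as a value rather than concatenated into the query text.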



  • 3.  RE: Using ClearPass Policies to verify VPN Clients are Corporate Assets

    Posted Apr 16, 2014 01:40 PM

    Hi,

    Just curious if you managed to make this work using the suggested method?


    Many Thanks,


    Julian