04-11-2014 06:29 AM
Using ClearPass Policies to verify VPN Clients are Corporate Assets.
Security Department Requirement: Verify that the PC or Laptop connecting to Corporate VPN solution is a corporate asset thus following Virus protection standards.
Environment: Cisco AnyConnect Client, Cisco ASA5525 VPN Host, ClearPass 126.96.36.199196 as proxy to Active Directory checking for member of CN=<Group_Name>.
Question: What policy can I add to the ClearPass authentication process to verify that the client Laptop is a Corporate Asset? i.e. Member of the corporate domain?
04-11-2014 07:44 AM
A couple of options:
First, the user machine's MAC address must be passed through the VPN to Clearpass so we can reference it for the options below.
1. I take it that the device connects to wifi in a corp location as well as VPN? If so, you can add an endpoint attribute based on machine authentication in the corp environment. Then, once the user has this attribute in the endpoint database, you can reference it in policy on Clearpass for the VPN service. However, this isn't a "light switch" approach meaning that the user must connect in a corp office first with Clearpass as the RADIUS server. This is because we will see a domain computer also pass machine authentication and in access tracker, you will see "machine authenticated" as a role attribute. We can add a custom endpoint attribute once we see this. When the user tries VPN afterwards, we can see that this machine was machine authenticated in the office and then allow access.
2. Use a SQL query to an asset DB and check the MAC against it as an authorization source. Using this logic, we can query for the MAC in the DB and if it exists, then we know it's a corp asset.
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos