We want to be able to disable a computer in Active Directory and prevent that computer from accessing our VPN.
I have an ASA VPN setup, with Cisco Security Desktop, and a Dynamic Access Policy to check the host. The AAA uses LDAP to talk to active directory. The primary authentication is for the user, with a secondary authentication setup for the computer with DAP.
My first guess is that I may have to switch to RADIUS? If we had an Enterprise Certificate Authority setup for the Domain with auto-enrollment, we could check the computer certificates, but we do not, nor can we.
Or is there a way to have the ASA 'proxy' do something similar to the Kerberos authentication that the computer would do with AD in order to validate access?
In other words, is there a Computer equivalent to the User AAA:
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (INSIDE) host AD-SERVER
 ldap-base-dn OU=Users,OU=Dept,DC=company,DC=org
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-password *****
 ldap-login-dn CN=vpn.service.account,OU=ServiceAccounts,OU=Users,OU=Dept,DC=company,DC=org
where you could change userPrincipalName to maybe the computer CN, and base-dn to the Computers container?
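The directory-side check the question is reaching for (search the Computers container by computer CN, then refuse anything AD has disabled) can be modelled without an ASA. The Python below is an added example, not part of the original post or of any Cisco configuration: it stands in an in-memory dictionary for the LDAP directory so the logic runs offline, and the host names, DNs and base DN are constructed. The two constants are real Active Directory values: bit 0x2 of userAccountControl marks a disabled account, and the matching-rule OID 1.2.840.113556.1.4.803 does a bitwise AND inside an LDAP filter.

```python
"""Model of an AD 'is this computer known and enabled' check.

Constructed example, not from the original post. The SAMPLE_DIRECTORY below
stands in for an LDAP search against AD so the logic runs offline; all DNs and
host names are made up.
"""

# Real AD constants: ACCOUNTDISABLE is bit 0x2 of userAccountControl, and this
# matching-rule OID makes an LDAP filter test a single bit of an integer attribute.
ACCOUNTDISABLE = 0x0002
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample directory (DN -> attributes) standing in for AD.
SAMPLE_DIRECTORY = {
    "CN=LAPTOP-01,CN=Computers,DC=company,DC=org": {
        "objectClass": ["top", "computer"],
        "cn": "LAPTOP-01",
        "userAccountControl": 4096,                  # WORKSTATION_TRUST_ACCOUNT, enabled
    },
    "CN=LAPTOP-02,CN=Computers,DC=company,DC=org": {
        "objectClass": ["top", "computer"],
        "cn": "LAPTOP-02",
        "userAccountControl": 4096 | ACCOUNTDISABLE,  # disabled in AD
    },
    "CN=LAPTOP-03,OU=Staging,DC=company,DC=org": {
        "objectClass": ["top", "computer"],
        "cn": "LAPTOP-03",
        "userAccountControl": 4096,                  # enabled, but outside the Computers container
    },
    "CN=alice,OU=Users,OU=Dept,DC=company,DC=org": {
        "objectClass": ["top", "person", "user"],
        "cn": "alice",
        "userAccountControl": 512,                   # a user, not a computer
    },
}


def _normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies beneath it (ldap-scope subtree)."""
    dn_n, base_n = _normalize_dn(dn), _normalize_dn(base_dn)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def escape_filter_value(value):
    """RFC 4515 escaping so a host name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def enabled_computer_filter(name):
    """LDAP filter matching only an enabled computer object with this cn."""
    return (
        "(&(objectClass=computer)(cn=%s)"
        "(!(userAccountControl:%s:=%d)))"
        % (escape_filter_value(name), LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)
    )


def is_disabled(entry):
    """Disabled-in-AD test: the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def find_computer(directory, base_dn, name):
    """Subtree search under base_dn for a computer object whose cn equals name."""
    for dn, attrs in directory.items():
        if not in_subtree(dn, base_dn):
            continue
        if "computer" not in attrs.get("objectClass", []):
            continue
        if attrs.get("cn", "").lower() == name.lower():
            return dn, attrs
    return None


def computer_allowed(directory, base_dn, name):
    """Allow only a computer that exists under base_dn and is not disabled."""
    hit = find_computer(directory, base_dn, name)
    return hit is not None and not is_disabled(hit[1])


if __name__ == "__main__":
    base = "CN=Computers,DC=company,DC=org"
    print(enabled_computer_filter("LAPTOP-01"))
    for host in ("LAPTOP-01", "LAPTOP-02", "LAPTOP-03", "ROGUE-PC"):
        verdict = "allowed" if computer_allowed(SAMPLE_DIRECTORY, base, host) else "denied"
        print(host, verdict)
```

The filter string is the part that carries over to a real directory query: with it, a computer that has been disabled in AD simply stops matching, which is the "disable it in AD and it loses the VPN" behaviour asked for. What this does not model is how the ASA would learn and trust the connecting machine's identity; the example only covers the directory lookup once a host name is in hand.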
Best Answer
In general, if you are utilizing Cisco Secure Desktop, this opens up a whole world of options to give you restrictions based on the device.
Just as an example off of the top of my head, you could do the following. I haven't had the opportunity to test this configuration, however I have seen similar configurations in the field.
This would take care of only allowing "known" PCs into the VPN, as well as allowing you to explicitly blacklist PCs.
I'm sure there are other ways to do this as well, and this may not even be the best way by far.
The main thrust is, once you've paid for the Anyconnect Premium licenses and have deployed Cisco Secure Desktop, you're only restrained by your ingenuity with regards to what kind of "better mouse trap" you build.
See the CSD Admin Guide for more information on all of its bells and whistles.