Cisco ASA VPN – How to Block a Specific Computer from VPN

Tags: aaa, cisco-asa, vpn

We want to be able to disable a computer in Active Directory and prevent that computer from accessing our VPN.

I have an ASA VPN setup, with Cisco Security Desktop, and a Dynamic Access Policy to check the host. The AAA uses LDAP to talk to active directory. The primary authentication is for the user, with a secondary authentication setup for the computer with DAP.

My first guess is that I may have to switch to RADIUS? If we had an Enterprise Certificate Authority setup for the Domain with auto-enrollment, we could check the computer certificates, but we do not, nor can we.

Or is there a way to have the ASA 'proxy' do something similar to the Kerberos authentication that the computer would do with AD in order to validate access?

In other words, is there a Computer equivalent to the User AAA:

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (INSIDE) host AD-SERVER
 ldap-base-dn OU=Users,OU=Dept,DC=company,DC=org
 ldap-scope subtree
 ldap-naming-attribute userPrincipalName
 ldap-login-password *****
 ldap-login-dn CN=vpn.service.account,OU=ServiceAccounts,OU=Users,OU=Dept,DC=company,DC=org

where you could change userPrincipalName to maybe the computer CN and base-dn to the Computers container?

Best Answer

In general, if you are utilizing Cisco Secure Desktop, this opens up a whole world of options to give you restrictions based on the device.

Just as an example off of the top of my head, you could do the following. I haven't had the opportunity to test this configuration, however I have seen similar configurations in the field.

  1. Create a Group Policy in AD that creates a specific registry entry called VPN-ACCESS (for example) on every desktop that will be accessing the VPN.
  2. Create a security group and disable inheritance of the first Group Policy. In its place, configure a Group Policy that deletes the VPN-ACCESS registry entry if it exists.
  3. Place all PCs that are not allowed to have VPN access into this security group. This step would require some scripting elbow grease to ensure that your "blocked" PCs get put into the security group based on whatever criteria you chose.
  4. In Cisco Secure Desktop, have it evaluate whether that registry entry exists; if it doesn't exist, block access.
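As an added example of the "scripting elbow grease" in step 3 (this is not part of the original answer), the following PowerShell keeps the blocked-PCs security group in sync with the criterion from the question, a computer account that has been disabled in AD. It assumes RSAT's ActiveDirectory module; the group name and search base are placeholders chosen for this example.

```powershell
# Added example (not from the original answer): keep the "blocked PCs" security
# group from step 3 in sync with the criterion "computer account is disabled in AD".
# Assumes the RSAT ActiveDirectory module; group name and search base are placeholders.
Import-Module ActiveDirectory

$BlockedGroup = 'VPN-Blocked-Computers'                    # hypothetical group name
$SearchBase   = 'OU=Computers,OU=Dept,DC=company,DC=org'   # hypothetical container

# Criterion: disabled computer accounts under the search base.
$shouldBeBlocked = Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase $SearchBase

# Current computer members of the group (ignore any users or nested groups).
$members = Get-ADGroupMember -Identity $BlockedGroup |
           Where-Object { $_.objectClass -eq 'computer' }

[string[]]$blockedDns = @($shouldBeBlocked | ForEach-Object { $_.DistinguishedName })
[string[]]$memberDns  = @($members         | ForEach-Object { $_.DistinguishedName })

# Newly disabled computers: add them so the "delete VPN-ACCESS" GPO applies to them.
$toAdd = $shouldBeBlocked | Where-Object { $memberDns -notcontains $_.DistinguishedName }
if ($toAdd) {
    Add-ADGroupMember -Identity $BlockedGroup -Members $toAdd
}

# Computers re-enabled since the last run: remove them so the normal GPO
# recreates the VPN-ACCESS entry on the next policy refresh.
$toRemove = $members | Where-Object { $blockedDns -notcontains $_.DistinguishedName }
if ($toRemove) {
    Remove-ADGroupMember -Identity $BlockedGroup -Members $toRemove -Confirm:$false
}

Write-Host ("Blocked group sync: added {0}, removed {1}" -f @($toAdd).Count, @($toRemove).Count)
```

Run it on a schedule; note that a computer only picks up a changed group membership, and therefore the new GPO filtering, after it reboots, since its group token is built at startup.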

This would take care of only allowing "known" PCs into the VPN, as well as allowing you to explicitly blacklist PCs.

I'm sure there are other ways to do this as well, and this may not even be the best way by far.

The main thrust is, once you've paid for the Anyconnect Premium licenses and have deployed Cisco Secure Desktop, you're only restrained by your ingenuity with regards to what kind of "better mouse trap" you build.

See the CSD Admin Guide for more information on all of its bells and whistles.