My understanding is the Cisco VPN (IPSEC) client don't have the host
integration features that are available in the AnyConnect client
(yet). One of the reasons we are doing SSL VPN on ASA is to be able to
do the host profiling and do the IT Approved / Other dynamic access
policies.
You can do a combination of checks that match up to your 'approved'
devices.
In our case, non-IT standard systems have to run Secure Desktop sessions
and only get WebVPN. IT standard systems get AnyConnect with full IP
tunneling.
Again as folks have said - you are trusting the end client software to
do the right thing. So don't expect this to keep out 'the smart
kids'. You can cycle through checks and do MD5s, but if someone is
motivated and wants to reverse the checks they can spoof it. At that
point you just need to back up policy with HR walking someone from the
building, and have some way to audit to catch the smart kids who really
should know better but think the Corp IT folks are fools.
:)
-James
Scott Granados wrote:
Hi,
I've been googling but not finding much although I think I'm
probably formulating my search incorrectly so I'm hoping for some
pointers here.
I use ASA 5520 hardware to provide VPN services to end users with
Cisco VPN clients and some L2L sessions. We've been finding that
folks are configuring IPhones and other non approved devices to attach
to the network. What's the best method to certify that end users are
connecting with approved devices only? Is there a good way say for me
to allow company provided laptops but not allow clients from home
machines where users duplicate their profile or non-certified end
devices like pocket PC devices? I understand how to filter based on
client type but this doesn't prevent someone from copying their
profile file from one machine to another. Any pointers would be
appreciated.
Thanks
Scott
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/