My understanding is the Cisco VPN (IPSEC) client don't have the host integration features that are available in the AnyConnect client (yet). One of the reasons we are doing SSL VPN on ASA is to be able to do the host profiling and do the IT Approved / Other dynamic access policies.

You can do a combination of checks that match up to your 'approved' devices. In our case, non-IT standard systems have to run Secure Desktop sessions and only get WebVPN. IT standard systems get AnyConnect with full IP tunneling.

Again as folks have said - you are trusting the end client software to do the right thing. So don't expect this to keep out 'the smart kids'. You can cycle through checks and do MD5s, but if someone is motivated and wants to reverse the checks they can spoof it. At that point you just need to back up policy with HR walking someone from the building, and have some way to audit to catch the smart kids who really should know better but think the Corp IT folks are fools.

:)

-James

Scott Granados wrote:
Hi,
I've been googling but not finding much although I think I'm probably formulating my search incorrectly so I'm hoping for some pointers here. I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring IPhones and other non approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way say for me to allow company provided laptops but not allow clients from home machines where users duplicate their profile or non-certified end devices like pocket PC devices? I understand how to filter based on client type but this doesn't prevent someone from copying their profile file from one machine to another. Any pointers would be appreciated.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to