I haven't read up the cert authentication much, but what stops the user
from moving the cert file to another un-approved device (per the
original question) - all you are doing is Two-factor at that point -
user but not host based checking correct?
-James
Matthew White wrote:
Hi Scott,
Certificate based authentication can meet these needs.
This document is just a starting point -- the client certificate installation
procedure is onerous. If you have a MS environment it's easier to push out
certs with group policy objects than making your end users download and install
certificates.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
-mtw
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Scott Granados
Sent: Wednesday, November 04, 2009 9:43 AM
To: [email protected]
Subject: [c-nsp] Restricting VPN connections to company hardware?
Hi,
I've been googling but not finding much although I think
I'm probably
formulating my search incorrectly so I'm hoping for some
pointers here.
I use ASA 5520 hardware to provide VPN services to end
users with Cisco
VPN clients and some L2L sessions. We've been finding that folks are
configuring IPhones and other non approved devices to attach
to the network.
What's the best method to certify that end users are connecting with
approved devices only? Is there a good way say for me to
allow company
provided laptops but not allow clients from home machines where users
duplicate their profile or non-certified end devices like
pocket PC devices?
I understand how to filter based on client type but this
doesn't prevent
someone from copying their profile file from one machine to
another. Any
pointers would be appreciated.
Thanks
Scott
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/