Why is it not possible to check it against the MAC address of the connecting device? Log incoming connections and their MAC address and match it against a list of hardware that has been assigned to the users.

On 06-Nov-2009, at 10:00 AM, James Michael Keller wrote:

I haven't read up the cert authentication much, but what stops the user from moving the cert file to another un-approved device (per the original question) - all you are doing is Two-factor at that point - user but not host based checking correct?

-James

Matthew White wrote:
Hi Scott,

Certificate based authentication can meet these needs.

This document is just a starting point -- the client certificate installation procedure is onerous. If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml


-mtw



-----Original Message-----
From: [email protected] [mailto:cisco-nsp- [email protected]] On Behalf Of Scott Granados
Sent: Wednesday, November 04, 2009 9:43 AM
To: [email protected]
Subject: [c-nsp] Restricting VPN connections to company hardware?

Hi,
I've been googling but not finding much although I think I'm probably formulating my search incorrectly so I'm hoping for some pointers here. I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring IPhones and other non approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way say for me to allow company provided laptops but not allow clients from home machines where users duplicate their profile or non-certified end devices like pocket PC devices? I understand how to filter based on client type but this doesn't prevent someone from copying their profile file from one machine to another. Any pointers would be appreciated.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to