Why is it not possible to check it against the MAC address of the
connecting device? Log incoming connections and their MAC address and
match it against a list of hardware that has been assigned to the users.
On 06-Nov-2009, at 10:00 AM, James Michael Keller wrote:
I haven't read up the cert authentication much, but what stops the
user from moving the cert file to another un-approved device (per
the original question) - all you are doing is Two-factor at that
point - user but not host based checking correct?
-James
Matthew White wrote:
Hi Scott,
Certificate based authentication can meet these needs.
This document is just a starting point -- the client certificate
installation procedure is onerous. If you have a MS environment
it's easier to push out certs with group policy objects than making
your end users download and install certificates.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
-mtw
-----Original Message-----
From: [email protected] [mailto:cisco-nsp-
[email protected]] On Behalf Of Scott Granados
Sent: Wednesday, November 04, 2009 9:43 AM
To: [email protected]
Subject: [c-nsp] Restricting VPN connections to company hardware?
Hi,
I've been googling but not finding much although I think I'm
probably formulating my search incorrectly so I'm hoping for some
pointers here.
I use ASA 5520 hardware to provide VPN services to end users
with Cisco VPN clients and some L2L sessions. We've been finding
that folks are configuring IPhones and other non approved devices
to attach to the network. What's the best method to certify that
end users are connecting with approved devices only? Is there a
good way say for me to allow company provided laptops but not
allow clients from home machines where users duplicate their
profile or non-certified end devices like pocket PC devices? I
understand how to filter based on client type but this doesn't
prevent someone from copying their profile file from one machine
to another. Any pointers would be appreciated.
Thanks
Scott
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/