..with user certs, nothing stops the user from importing it to another 
un-approved machine..one reason at my last job we moved to machine 
certs/appliance based ssl vpn solution.

--- On Thu, 11/5/09, James Michael Keller <[email protected]> wrote:


From: James Michael Keller <[email protected]>
Subject: Re: [c-nsp] Restricting VPN connections to company hardware?
To: "Matthew White" <[email protected]>
Cc: "[email protected]" <[email protected]>
Date: Thursday, November 5, 2009, 6:00 PM


I haven't read up the cert authentication much, but what stops the user from 
moving the cert file to another un-approved device (per the original question) 
- all you are doing is Two-factor at that point - user but not host based 
checking correct?

-James

Matthew White wrote:
> Hi Scott,
> 
> Certificate based authentication can meet these needs.
> 
> This document is just a starting point -- the client certificate installation 
> procedure is onerous. If you have a MS environment it's easier to push out 
> certs with group policy objects than making your end users download and 
> install certificates.
> 
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
> 
> 
> -mtw
> 
>  
>   
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]] On Behalf Of Scott Granados
>> Sent: Wednesday, November 04, 2009 9:43 AM
>> To: [email protected]
>> Subject: [c-nsp] Restricting VPN connections to company hardware?
>> 
>> Hi,
>>     I've been googling but not finding much although I think I'm probably 
>>formulating my search incorrectly so I'm hoping for some pointers here.
>>     I use ASA 5520 hardware to provide VPN services to end users with Cisco 
>>VPN clients and some L2L sessions.  We've been finding that folks are 
>>configuring IPhones and other non approved devices to attach to the network. 
>>What's the best method to certify that end users are connecting with approved 
>>devices only?  Is there a good way say for me to allow company provided 
>>laptops but not allow clients from home machines where users duplicate their 
>>profile or non-certified end devices like pocket PC devices? I understand how 
>>to filter based on client type but this doesn't prevent someone from copying 
>>their profile file from one machine to another.   Any pointers would be 
>>appreciated.
>> 
>> Thanks
>> Scott
>> 
>> _______________________________________________
>> cisco-nsp mailing list  [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 
>>     
> _______________________________________________
> cisco-nsp mailing list  [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>   

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to