..with user certs, nothing stops the user from importing it to another un-approved machine..one reason at my last job we moved to machine certs/appliance based ssl vpn solution.
--- On Thu, 11/5/09, James Michael Keller <[email protected]> wrote: From: James Michael Keller <[email protected]> Subject: Re: [c-nsp] Restricting VPN connections to company hardware? To: "Matthew White" <[email protected]> Cc: "[email protected]" <[email protected]> Date: Thursday, November 5, 2009, 6:00 PM I haven't read up the cert authentication much, but what stops the user from moving the cert file to another un-approved device (per the original question) - all you are doing is Two-factor at that point - user but not host based checking correct? -James Matthew White wrote: > Hi Scott, > > Certificate based authentication can meet these needs. > > This document is just a starting point -- the client certificate installation > procedure is onerous. If you have a MS environment it's easier to push out > certs with group policy objects than making your end users download and > install certificates. > > http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml > > > -mtw > > > >> -----Original Message----- >> From: [email protected] >> [mailto:[email protected]] On Behalf Of Scott Granados >> Sent: Wednesday, November 04, 2009 9:43 AM >> To: [email protected] >> Subject: [c-nsp] Restricting VPN connections to company hardware? >> >> Hi, >> I've been googling but not finding much although I think I'm probably >>formulating my search incorrectly so I'm hoping for some pointers here. >> I use ASA 5520 hardware to provide VPN services to end users with Cisco >>VPN clients and some L2L sessions. We've been finding that folks are >>configuring IPhones and other non approved devices to attach to the network. >>What's the best method to certify that end users are connecting with approved >>devices only? Is there a good way say for me to allow company provided >>laptops but not allow clients from home machines where users duplicate their >>profile or non-certified end devices like pocket PC devices? I understand how >>to filter based on client type but this doesn't prevent someone from copying >>their profile file from one machine to another. Any pointers would be >>appreciated. >> >> Thanks >> Scott >> >> _______________________________________________ >> cisco-nsp mailing list [email protected] >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > _______________________________________________ > cisco-nsp mailing list [email protected] > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
