[c-nsp] Restricting VPN connections to company hardware?

Matthew White mawhi at vestas.com
Wed Nov 4 15:26:32 EST 2009


Hi Scott,

Certificate based authentication can meet these needs.

This document is just a starting point -- the client certificate installation procedure is onerous. If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml


-mtw

 

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Wednesday, November 04, 2009 9:43 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Restricting VPN connections to company hardware?
> 
> Hi,
>     I've been googling but not finding much although I think 
> I'm probably 
> formulating my search incorrectly so I'm hoping for some 
> pointers here.
>     I use ASA 5520 hardware to provide VPN services to end 
> users with Cisco 
> VPN clients and some L2L sessions.  We've been finding that folks are 
> configuring IPhones and other non approved devices to attach 
> to the network. 
> What's the best method to certify that end users are connecting with 
> approved devices only?  Is there a good way say for me to 
> allow company 
> provided laptops but not allow clients from home machines where users 
> duplicate their profile or non-certified end devices like 
> pocket PC devices? 
> I understand how to filter based on client type but this 
> doesn't prevent 
> someone from copying their profile file from one machine to 
> another.   Any 
> pointers would be appreciated.
> 
> Thanks
> Scott
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 


More information about the cisco-nsp mailing list