[c-nsp] Restricting VPN connections to company hardware?
James Michael Keller
jmkeller at houseofzen.org
Thu Nov 5 21:00:39 EST 2009
I haven't read up on the cert authentication much, but what stops the user
from moving the cert file to another unapproved device (per the original
question)? All you are doing is two-factor at that point: user-based but not
host-based checking, correct?
-James
Matthew White wrote:
> Hi Scott,
>
> Certificate based authentication can meet these needs.
>
> This document is just a starting point -- the client certificate installation procedure is onerous. If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates.
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
>
>
> -mtw
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
>> Sent: Wednesday, November 04, 2009 9:43 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Restricting VPN connections to company hardware?
>>
>> Hi,
>> I've been googling but not finding much, although I think I'm probably
>> formulating my search incorrectly, so I'm hoping for some pointers here.
>> I use ASA 5520 hardware to provide VPN services to end users with Cisco
>> VPN clients and some L2L sessions. We've been finding that folks are
>> configuring iPhones and other non-approved devices to attach to the
>> network.
>> What's the best method to certify that end users are connecting with
>> approved devices only? Is there a good way, say, for me to allow
>> company-provided laptops but not allow clients from home machines where
>> users duplicate their profile, or non-certified end devices like Pocket PC
>> devices?
>> I understand how to filter based on client type, but this doesn't prevent
>> someone from copying their profile file from one machine to another. Any
>> pointers would be appreciated.
>>
>> Thanks
>> Scott
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
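As an added illustration (not part of the thread and not taken from the Cisco document linked above), this is the shape of the ASA-side configuration the certificate-based approach implies: IKE authenticates with certificates instead of the group pre-shared key carried in a copied .pcf profile, and a certificate map admits only machine certificates from the company CA to the remote-access group. The trustpoint, map, tunnel-group, issuer CN and OU names are assumed placeholders.

```cisco
! Trustpoint for the company issuing CA (name is an assumed placeholder).
! Import the CA certificate afterwards with: crypto ca authenticate COMPANY-CA
crypto ca trustpoint COMPANY-CA
 enrollment terminal
 revocation-check crl
!
! IKE phase 1 with certificate (rsa-sig) authentication rather than a group
! pre-shared key, so a duplicated client profile alone no longer authenticates.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! Only certificates issued by the company CA to machines in the assumed
! "Company Laptops" OU are mapped to the remote-access tunnel group.
crypto ca certificate map COMPANY-MACHINES 10
 issuer-name attr cn eq "Company Issuing CA"
 subject-name attr ou eq "Company Laptops"
!
tunnel-group-map enable rules
tunnel-group-map COMPANY-MACHINES 10 COMPANY-RA
!
tunnel-group COMPANY-RA type remote-access
tunnel-group COMPANY-RA ipsec-attributes
 trust-point COMPANY-CA
 peer-id-validate req
```

This checks who issued the certificate and what it says, not which host holds it: if the private key is exportable it moves with the cert, which is exactly the gap James raises. It only becomes a device check when the machine certificates are auto-enrolled with non-exportable keys (the GPO push Matthew mentions) or held in a smart card or TPM.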