[c-nsp] Restricting VPN connections to company hardware?
mark [at] edgewire
mark at edgewire.sg
Thu Nov 5 22:10:14 EST 2009
Why is it not possible to check it against the MAC address of the
connecting device? Log incoming connections and their MAC address and
match it against a list of hardware that has been assigned to the users.
On 06-Nov-2009, at 10:00 AM, James Michael Keller wrote:
> I haven't read up on cert authentication much, but what stops the
> user from moving the cert file to another unapproved device (per
> the original question)? All you are doing is two-factor at that
> point: user-based but not host-based checking, correct?
>
> -James
>
> Matthew White wrote:
>> Hi Scott,
>>
>> Certificate based authentication can meet these needs.
>>
>> This document is just a starting point -- the client certificate
>> installation procedure is onerous. If you have a MS environment
>> it's easier to push out certs with group policy objects than making
>> your end users download and install certificates.
>>
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
>>
>>
>> -mtw
>>
>>
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>> bounces at puck.nether.net] On Behalf Of Scott Granados
>>> Sent: Wednesday, November 04, 2009 9:43 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Restricting VPN connections to company hardware?
>>>
>>> Hi,
>>> I've been googling but not finding much, although I think I'm
>>> probably formulating my search incorrectly, so I'm hoping for some
>>> pointers here.
>>> I use ASA 5520 hardware to provide VPN services to end users
>>> with Cisco VPN clients and some L2L sessions. We've been finding
>>> that folks are configuring iPhones and other non-approved devices
>>> to attach to the network. What's the best method to certify that
>>> end users are connecting with approved devices only? Is there a
>>> good way, say, for me to allow company-provided laptops but not
>>> allow clients from home machines where users duplicate their
>>> profile, or non-certified end devices like Pocket PC devices? I
>>> understand how to filter based on client type, but this doesn't
>>> prevent someone from copying their profile file from one machine
>>> to another. Any pointers would be appreciated.
>>>
>>> Thanks
>>> Scott
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
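The device-identity check this thread circles around, written out as an added example that is not part of the original thread and not Cisco's configuration: each company laptop holds a machine certificate whose CN is its asset tag, and the authorization step verifies the chain to the company CA and then looks the tag up in the same user-to-hardware assignment list Mark describes, rejecting a certificate from any other CA, an unregistered tag, or a tag assigned to a different user. The asset register, asset tags and CA names are constructed for the example. Two caveats the code cannot fix on its own: it only ties the session to the hardware if the private key cannot leave the machine (a non-exportable or TPM-backed key), which is exactly the copied-cert-file problem James raises; and it deliberately identifies the device by certificate rather than MAC address, because an ASA terminating a tunnel from the Internet sees the client's routed IP address, not its LAN MAC, and a MAC is self-reported and trivially changed anyway.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical asset register (constructed for this example): the asset tag
// written into each machine certificate's CN, mapped to the user the laptop
// was issued to. In practice this comes from the inventory system.
var assignedHardware = map[string]string{
	"LAPTOP-00123": "scott",
	"LAPTOP-00456": "james",
}

var nextSerial int64 = 1

func serial() *big.Int {
	nextSerial++
	return big.NewInt(nextSerial)
}

// newCA creates a self-signed issuing CA. Test fixture only; a real
// deployment uses the company PKI and keeps this key offline.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert issues a client-auth certificate whose CN is the asset tag.
// The device key is generated here for the demo; on a real laptop it must be
// generated on the machine and be non-exportable (TPM-backed), or the cert
// file can simply be copied to a home PC.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, assetTag string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: assetTag},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authorizeDevice is the policy check: the presented certificate must chain to
// the company CA, carry an asset tag from the register, and that asset must be
// the one assigned to the authenticating user.
func authorizeDevice(companyCA, clientCert *x509.Certificate, user string) error {
	roots := x509.NewCertPool()
	roots.AddCert(companyCA)
	opts := x509.VerifyOptions{
		Roots: roots,
		// Go defaults to ServerAuth, which would reject every client cert.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := clientCert.Verify(opts); err != nil {
		return fmt.Errorf("not a company-issued certificate: %w", err)
	}
	tag := clientCert.Subject.CommonName
	owner, ok := assignedHardware[tag]
	if !ok {
		return fmt.Errorf("device %q is not in the asset register", tag)
	}
	if owner != user {
		return fmt.Errorf("device %q is assigned to %q, not %q", tag, owner, user)
	}
	return nil
}

func main() {
	ca, caKey, err := newCA("Example Corp Device CA")
	if err != nil {
		panic(err)
	}
	company, _ := issueDeviceCert(ca, caKey, "LAPTOP-00123")
	rogueCA, rogueKey, _ := newCA("Home-made CA")
	homePC, _ := issueDeviceCert(rogueCA, rogueKey, "LAPTOP-00123") // same CN, wrong issuer

	fmt.Println("company laptop, right user:", authorizeDevice(ca, company, "scott"))
	fmt.Println("company laptop, wrong user:", authorizeDevice(ca, company, "james"))
	fmt.Println("home PC with copied CN:    ", authorizeDevice(ca, homePC, "scott"))
}
```

Run it with go run. On a real deployment the chain check is what the ASA does once certificate authentication is turned on (the configuration example Matthew linked); the tag-to-user lookup is the authorization step you would implement against your directory or asset database, and it is the part that makes a stolen or shared certificate useless outside the account it was issued for.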