[c-nsp] Restricting VPN connections to company hardware?

Randy randy_94108 at yahoo.com
Thu Nov 5 23:18:13 EST 2009


With user certs, nothing stops the user from importing it to another un-approved machine... one reason at my last job we moved to machine certs / an appliance-based SSL VPN solution.

--- On Thu, 11/5/09, James Michael Keller <jmkeller at houseofzen.org> wrote:


From: James Michael Keller <jmkeller at houseofzen.org>
Subject: Re: [c-nsp] Restricting VPN connections to company hardware?
To: "Matthew White" <mawhi at vestas.com>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Date: Thursday, November 5, 2009, 6:00 PM


I haven't read up on cert authentication much, but what stops the user from moving the cert file to another un-approved device (per the original question)? All you are doing is two-factor at that point - user-based but not host-based checking, correct?

-James

Matthew White wrote:
> Hi Scott,
> 
> Certificate based authentication can meet these needs.
> 
> This document is just a starting point -- the client certificate installation procedure is onerous. If you have an MS environment, it's easier to push out certs with Group Policy Objects than to make your end users download and install certificates.
> 
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
> 
> 
> -mtw
> 
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
>> Sent: Wednesday, November 04, 2009 9:43 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Restricting VPN connections to company hardware?
>> 
>> Hi,
>>     I've been googling but not finding much, although I think I'm probably formulating my search incorrectly, so I'm hoping for some pointers here.
>>     I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions.  We've been finding that folks are configuring iPhones and other non-approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only?  Is there a good way, say, for me to allow company-provided laptops but not allow clients from home machines where users duplicate their profile, or non-certified end devices like Pocket PC devices? I understand how to filter based on client type, but this doesn't prevent someone from copying their profile file from one machine to another.   Any pointers would be appreciated.
>> 
>> Thanks
>> Scott
>> 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/