[c-nsp] Restricting VPN connections to company hardware?

Andrey Kozlov ak at gaaga.org
Fri Nov 6 07:59:04 EST 2009


Hi, James!

It is possible to make the private key non-exportable. So, once installed,
the certificate can't be exported in the future.

Cheers.

On Fri, Nov 6, 2009 at 4:00 AM, James Michael Keller <
jmkeller at houseofzen.org> wrote:

> I haven't read up on the cert authentication much, but what stops the user
> from moving the cert file to another unapproved device (per the original
> question)? All you are doing is two-factor at that point: user but not
> host-based checking, correct?
>
> -James
>
>
> Matthew White wrote:
>
>> Hi Scott,
>>
>> Certificate based authentication can meet these needs.
>>
>> This document is just a starting point -- the client certificate
>> installation procedure is onerous. If you have a MS environment it's easier
>> to push out certs with group policy objects than making your end users
>> download and install certificates.
>>
>>
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
>>
>>
>> -mtw
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:
>>> cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
>>> Sent: Wednesday, November 04, 2009 9:43 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Restricting VPN connections to company hardware?
>>>
>>> Hi,
>>>    I've been googling but not finding much although I think I'm probably
>>> formulating my search incorrectly so I'm hoping for some pointers here.
>>>    I use ASA 5520 hardware to provide VPN services to end users with
>>> Cisco VPN clients and some L2L sessions.  We've been finding that folks are
>>> configuring iPhones and other non-approved devices to attach to the network.
>>> What's the best method to certify that end users are connecting with
>>> approved devices only?  Is there a good way, say, for me to allow company
>>> provided laptops but not allow clients from home machines where users
>>> duplicate their profile, or non-certified end devices like Pocket PC devices?
>>> I understand how to filter based on client type, but this doesn't prevent
>>> someone from copying their profile file from one machine to another.   Any
>>> pointers would be appreciated.
>>>
>>> Thanks
>>> Scott
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
>>>
>>
>>
>
>
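An added example, not from the thread or from Cisco, of the approach Andrey describes on a Windows client: a certreq request file with `Exportable = FALSE` and `MachineKeySet = TRUE` generates the client-auth key non-exportable in the machine store (so the roaming user profile does not carry a usable copy), and an audit function then lists every cert in the local stores whose key can still be exported. The subject name, template name and file paths are placeholders.

```powershell
# Part 1: request a client-auth certificate with a non-exportable private key.
# Subject and CertificateTemplate are placeholders for your own AD CS setup.
$inf = @"
[NewRequest]
; placeholder subject; use the host's FQDN in practice
Subject = "CN=CORP-LAPTOP-0001.example.corp"
KeyLength = 2048
KeyAlgorithm = RSA
; the point of the thread: the key cannot be exported once generated
Exportable = FALSE
; machine store, not the user's roaming profile
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
; digitalSignature
KeyUsage = 0x80
[EnhancedKeyUsageExtension]
; clientAuth
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
; placeholder template name
CertificateTemplate = VpnClientAuth
"@
$inf | Set-Content -Path "$env:TEMP\vpnclient.inf" -Encoding ASCII
# certreq -new generates the key and the CSR; follow with certreq -submit / -accept
certreq -new "$env:TEMP\vpnclient.inf" "$env:TEMP\vpnclient.req"

# Part 2: audit both stores for certs whose private key is still exportable.
function Get-ClientCertExportability {
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem $store | Where-Object { $_.HasPrivateKey } | ForEach-Object {
            $cert = $_
            $exportable = 'unknown'   # e.g. smart card key, or not readable by this account
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG (KSP) key: the export policy lives on the key handle
                    $allow = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $exportable = (([int]$rsa.Key.ExportPolicy) -band $allow) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # legacy CSP key
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch { }
            [pscustomobject]@{ Store = $store; Subject = $cert.Subject
                               Thumbprint = $cert.Thumbprint; Exportable = $exportable }
        }
    }
}
Get-ClientCertExportability | Format-Table -AutoSize
```

The non-exportable flag is enforced by the software key storage provider, so a TPM-backed key (Microsoft Platform Crypto Provider) ties the certificate to the hardware more firmly than a software key does.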

