03-14-2008 02:57 PM - edited 03-10-2019 03:43 PM
We have ACS 4.1 in our network. We have some users who work from home. They can access the corporate network using the Cisco VPN client. The issue is that some users copy the VPN client software and profile onto their home PC/laptop and access the network instead of using their office laptop.
Now we want to restrict the home users from using their home PC for logging in to the corporate network.
Is there any solution in ACS so that we can control users to log in only with a company laptop, and they cannot log in to the network with a home PC?
Thanks,
03-16-2008 03:49 AM
Maybe you can use a NAC solution using CTA (Cisco Trust Agent) or CCA (Cisco Clean Agent).
03-16-2008 05:16 AM
I do not think Cisco ACS can do that, but I've implemented this at work on a different product and I know it can be done.
1- The company laptop is built on a standard image version. The version is stored in the registry of the machine.
2- We use Juniper Steel-Belted Radius with RSA SecurID authentication.
3- We have a Juniper SSL VPN concentrator.
4- When users from home connect to the Juniper SSL VPN, they are required to authenticate via Steel-Belted Radius, which then proxies the connection off to RSA SecurID.
5- Once they are authenticated, before users are permitted to connect to the network, the Juniper SSL VPN device will check for the following:
a- Are you using the company corporate image?
b- Are you using anti-virus software?
If both a and b are true, then they are permitted to connect. If either a or b fails, they will not be permitted to connect.
Nothing needs to be installed on the client PC, which makes support much easier.
CCIE Security
03-17-2008 09:10 AM
We have remote users using IPsec with the Cisco VPN client, and they connect to a Cisco ASA.
Can you help me out with that if you have any doc or link?
04-24-2008 02:10 AM
Have you tried using the custom scripting capabilities within the Cisco Trust Agent? We have tested this and it allows you to basically do any check on the system because you are in control of what the script does. In the end it simply outputs a value that the ACS server understands for the different tokens.
01-23-2009 11:05 PM
Sorry - that's not completely true, dear CCIE Security.
Sure, Juniper Secure Access can check for anything - but when you want to check, then the Juniper Host Checker has to be installed on the client's device.
This technique works well - but not always; I had problems on maybe 10% of the remote access users with Host Checker issues. It's an embedded solution in the web browser, and the more functions you use, the more complicated it gets and the more risk that something could go wrong. Especially with Firefox browser updates you have problems, as Juniper IVE is not always compatible with the latest browser updates.
So IF USING JUNIPER ACCESS, there are two ways to enforce that it's a corporate laptop - one is a client certificate, the other would be a user-agent string, which can be checked WITHOUT Host Checker: when the user connects to the IVE web portal it automatically always sends the browser user-agent string. And if this string is part of the role-mapping ruleset, you can easily configure actions.
The problem with Juniper is also GINA; the VPN-before-Windows-logon feature works much more stably with the Cisco VPN IPsec client.
cheers, spacyfreak
04-24-2008 03:31 AM
You should be able to achieve this using posture checking with ACS; see the following URL.