We have ACS 4.1 in our network. We have some users who work from home; they can access the corporate network using the Cisco VPN client. The issue is that some users copy the VPN client software and profile to their home PC/laptop and access the network from it instead of using their office laptop.
Now we want to restrict home users from using their home PC to log in to the corporate network.
Is there any solution in ACS so that we can restrict users to logging in only with a company laptop, so they cannot log in to the network from a home PC?
I do not think Cisco ACS can do that, but I've implemented this at work on a different product, and I know it can be done.
1- The company laptop is built from a standard image version. The version is stored in the registry of the machine.
2- We use Juniper Steel-Belted Radius with RSA.
3- We have a Juniper SSL VPN concentrator.
4- When users from home connect to the Juniper SSL VPN, they are required to authenticate via Steel-Belted Radius, which then proxies the connection off to RSA SecurID.
5- Once they are authenticated, before users are permitted to connect to the network, the Juniper SSL VPN device checks the following:
a- Are you using the company corporate image?
b- Are you using anti-virus software?
If both a & b are true, then they are permitted to connect. If either a or b fails, they will not be permitted to connect.
Nothing needs to be installed on the client PC, which makes support much easier.
Have you tried using the custom scripting capabilities within the Cisco Trust Agent? We have tested this, and it allows you to do basically any check on the system because you are in control of what the script does. In the end it simply outputs a value that the ACS server understands for the different tokens.
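As an added illustration of the two checks described in the reply above (registry image version plus anti-virus) in the form of a custom script that a posture agent such as the Cisco Trust Agent could run, here is an example that is not from the thread or from Cisco; the registry key, value name, approved versions and the output token format are assumed placeholders:

```powershell
# Added example, not from the thread. Registry path/value and approved image
# versions are ASSUMED placeholders; the imaging process must write them.
$ImageKey     = 'HKLM:\SOFTWARE\ExampleCorp\Build'   # hypothetical key
$ImageValue   = 'ImageVersion'                        # hypothetical value name
$AllowedImage = @('2.3', '2.4')                       # constructed sample versions

function Test-CorporateImage {
    # Step 1 of the reply: the image version lives in the registry.
    $props = Get-ItemProperty -Path $ImageKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    $ver = $props.$ImageValue
    return ($null -ne $ver -and ($AllowedImage -contains [string]$ver))
}

function Test-AntivirusEnabled {
    # Windows Security Center lists registered AV products on client editions of
    # Windows; bit 0x1000 of productState means the product is switched on.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                          -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if ($null -eq $av) { return $false }
    foreach ($p in @($av)) {
        if (($p.productState -band 0x1000) -ne 0) { return $true }
    }
    return $false
}

$imageOk = Test-CorporateImage
$avOk    = Test-AntivirusEnabled

# Step 5 of the reply: both checks must pass. The single line on stdout is the
# token the posture agent hands back; the exit code mirrors it for logging.
if ($imageOk -and $avOk) {
    Write-Output 'POSTURE=HEALTHY'
    exit 0
} else {
    Write-Output "POSTURE=QUARANTINE image=$imageOk av=$avOk"
    exit 1
}
```

Because the script reads values on the very machine it is assessing, a copied client could present the same registry data; a client certificate issued only to corporate builds, as a later reply suggests, is the stronger evidence of device identity.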
Sorry - that's not completely true, dear CCIE Security.
Sure, Juniper Secure Access can check for anything, but when you want to check, the Juniper Host Checker has to be installed on the client's device.
This technique works well, but not always; I had problems with maybe 10% of the remote access users due to Host Checker issues. It is an embedded solution in the web browser, and the more functions you use, the more complicated it gets and the greater the risk that something could go wrong. Especially with Firefox browser updates you have problems, as Juniper IVE is not always compatible with the latest browser updates.
So IF USING JUNIPER ACCESS, there are two ways to enforce that it is a corporate laptop: one is a client certificate, the other would be a user-agent string, which can be checked WITHOUT Host Checker. When the user connects to the IVE web portal, the browser automatically always sends its user-agent string, and if this string is part of the role-mapping ruleset, you can easily configure actions.
The problem with Juniper is also GINA; the VPN-before-Windows-logon feature works much more stably with the Cisco VPN IPsec client.
You should be able to achieve this using posture checking with ACS; see the following URL.