MAR for VPN users in ACS 4.2

Hi,

I am using ACS 4.2 in my setup. We have VPN users in my company. Identity authentication of VPN users is currently happening through ACS and AD. I want users logging in to the VPN to be able to use only company-provided laptops. Hence I want to implement MAR, which will verify the machine name in AD; only if the machine name is found in the computer group of AD will his user ID and password be validated, and on the basis of that validation the user will be permitted to access network resources. Currently I don't have any certificate server, and users can log on to the VPN from any computer (home computer) just by using their user ID and password.

All the documents I found describe 802.1x clients with certificate authentication through MAR.

Please help me to achieve this requirement. I want, without any certificate, that when any user wants to connect to the VPN, his system name will be validated through ACS and the AD group, and only after that will username/password verification occur.

Please help me...

Accepted Solution

Tarik Admani
VIP Alumni

Satya,

You will not be able to enforce MAR for a remote access scenario since MAR in the ACS realm is for clients that are terminating on switches using a supplicant and dot1x. In this case using a vpn client and an ASA you can deploy a DAP policy in which you can check for a specific registry key on the workstations that belong to your network.

You may want to pose the same questions in the VPN forums but here is the configuration guide for deploying DAP:

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

Thanks,

Tarik
