Preventing home computers from connecting to VPN
07-12-2011 12:34 PM
I'm looking at possible ways to prevent computers that are not company-issued from connecting via VPN. I'm aware of an option that would involve certificates issued by an Active Directory certificate authority to domain members, and then requiring that certificate to be used by the VPN client, but does anyone else know of any methods or products to accomplish this, or is anyone even using some alternative method in production today?
thank you,
Bill
Labels: VPN

07-13-2011 04:19 AM
This is a tricky issue; companies normally roll out RSA token authentication and/or certificates to identify authorised users. However, if you have an ACS you can take advantage of the Active Directory attribute "remote access enabled" and only allow users that should be able to connect. This only provides half of the solution (allowing the right people); it does not stop them copying the .pcf file to another machine.
Using the Cisco Secure Desktop feature, you can perform limited machine authentication by checking whether a file or registry entry exists on the machine trying to connect; if it does, allow the VPN to connect. If not, drop the connection. See the below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008072aa6c.shtml
Sent from Cisco Technical Support iPad App
07-13-2011 07:13 AM
Andrew, does Cisco Secure Desktop apply to clients using the VPN Client? I thought it only applied to SSL VPN connections.
07-13-2011 07:22 AM
Yes, sorry, I forgot to mention that stipulation. If you are just using the VPN Client application, then your only real option is certificates.
07-13-2011 07:39 AM
Looking at the examples for the certificate-based setup, it looks like I would have to set up an identity certificate for every user that would want to connect using a certificate. Is that accurate?
http://www.cisco.com/image/gif/paws/100413/asavpnclient_ca.pdf
07-13-2011 07:43 AM
Pretty much; that's why, if you have a large user base, this kind of project piggybacks on a PKI solution.
