vpn design question

gschertz · ‎01-31-2006

Is there a way to restrict or log a remote access client to a matching pair of mac address and user/password login?

I want to be able to track all the remote access vpn clients using both the mac and the username/ password used. I also need to track when and how long the user was connected to the network.

sachinraja · ‎02-03-2006

hello..

you can definitely use usernames/password pair for each user through an ACS server. Once any user connects to the network, the vpn device forwards the requests to the ACS server and checks the user credentials. once authenticated, they get access to the network...

you can use the vpn monitor of the cisco vms package to track the vpn sessions. it gives you a very good history of the vpn users connected..... am really not sure if ACS can do mac authentication for dialin users...

Raj

gschertz · ‎02-09-2006

Well right now I set the customer up to use a different VPN group for each user. This allows them to use the PDM and monitor each tunnel to see if the user is on the network or not. What they would realy like is to lock each VPN group to a specific mac address. So for example salesperson A can only use VPN group SalesA and can only use their laptop to access the SalesA VPN group. And or a way to trap or log the mac address that is used by the user to access the network. And log a history of when users where on the network. So what the customer is looking for is

1 a log of what mac addresses and IP addresses are used to access the network

2. a history ( perferably a graffic history) of when the users are on the network.

Can anyone see a posible way to do this? Does cisco have a mib for the VPN tunnels that can be accesses with MRTG, net monitor, or other snmp program that provides a graphic history?

Can I use an mac access list on a VPNgroup? to lock the users to the company provided laptops?