ACS to control home users to use only company laptop

sanketpatel · ‎03-14-2008

We have ACS 4.1 in network. We have some user w0rk from home. they can access corporate network using Cisco VPN client. Issue is some users copy the van client software and profile on their Home PC/Laptop and access the network instead of using their office laptop.

Now we want to restrict the home users to use their Home PC for logging in corporate network.

Is there any soln in ACS that we can control the user to log in only with company laptop. They can not login in network with home PC.

Thanks,

giordano234 · ‎03-16-2008

May be you can use NAC Solution with using CTA (Cisco Trust Agent) or CCA (Cisco Clean Agent).

cisco24x7 · ‎03-16-2008

I do not think Cisco ACS can do that but I've

implemented this at work on a different

product at work and I know it can be done.

1- company laptop is built on a standard image

version. The version is stored in the registry

of the machine,

2- We use Juniper steelbelted radius with RSA

SecurID authentication

3- We have Juniper SSL VPN concentrator,

4- When users from home connect to the Juniper

SSL VPN, they are required to authenticate

via steelbelted radius which then proxy off

the connection to RSA SecurID

5- Once they are authenticated, before users

are permitted to connected to the network,

the Juniper SSL VPN device will check for the

following:

a- are you using company corporate image?

b- are you using anti-virus software?

if both a & b are true, then they are

permitted to connect. If either a or b

fails, they will not be permitted to connect.

Nothing to be installed on the client PC which

make support much easier

CCIE Security

sanketpatel · ‎03-17-2008

We have remot use IPsec with cisco VPN client and they connect to cisco ASA.

Can you help me out with that if you have any doc or link.

t3watts33 · ‎04-24-2008

Have you tried using the custom scripting capabilities within the Cisco Trust Agent? We have tested this and it allows you to basically do any check on the system because you are in control of what the script does. In the end it simply outputs a value that the ACS server understands for the different tokens.

d.novakovic · ‎01-23-2009

Sorry - thats not true completely, dear CCIE Security.

Sure, Juniper Secure Access can check for anything - but when you want to check, then the Juniper Hostchecker has to be installed on the clients device.

This technic works good - but not allways, i had problems on maybe 10% of the remote access users with hostchecker issues. Its enbedded solution in the webbrowser, and the more functions you use, the more complicated it gets and the more risk that something could go wrong. Especially with firefox browser updates you have problems, as Juniper IVE is not allways compatible with latest browser updates.

So IF USING JUNIPER ACCESS,there are two ways to enforce that its a corporate laptop - one is a client certificate, the other would be a user-agent string which can be checked WITHOUT hostchecker, when user connects to the IVE Webportal it automatically allways sends the browser user-agent string. And if this string is part of the rolemapping ruleset, you can configure easily actions.

The problem with juniper is also GINA, the vpn before windows logon feature works much more stable with Cisco VPN IPSEC Client.

cheers, spacyfreak

jawicks · ‎04-24-2008

You should be able to achieve this using posture-checking with ACS, see the following URL.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/PstrVal.html