ACS 4.2 NAP - advanced filter

Jan 29th, 2010
Hi,

I must configure the advanced filter in the NAP setup on ACS 4.2 and need to grant access only to users in the domain that match the profile.

I must prevent access by external users who steal credentials ("rogue users").

Which value must I select to avoid this condition?

Any ideas?

Thanks for all.

Best regards

darpotter Fri, 01/29/2010 - 03:42

If a rogue user has access to a valid username/password, it's a challenge to detect this. You could use:

  1. RSA tokens, probably the easiest method from the ACS perspective... no passwords to steal, and it requires a PIN.
  2. NARs. Painful, but if you knew the MAC address(es) each user might use, it's possible to catch stolen credentials.
  3. NAC. If valid users have a NAC-aware client, ACS can interrogate the registry on the client to check for known keys/values.

Neither 2 nor 3 would handle a stolen laptop. No easy answers here, I'm afraid. The question is really "how would you determine if someone on the network was legit?" - if you can't tell, ACS will not be able to either.

FWIW, the advanced filtering on the NAP page is more intended as a method by which the desired network service can be determined, and therefore handled by the appropriate policy (WLAN, VPN, etc.).
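To make option 2 above concrete, here is an added example (not from the thread and not Cisco ACS code) that models a NAR-style restriction: a user's credentials are accepted only when the RADIUS Calling-Station-Id matches a MAC address registered for that user. The user table, passwords and requests are constructed sample data; the attribute names follow RADIUS conventions but the policy engine is a stand-in, not the ACS implementation.

```python
# Added example, not part of the forum thread or of Cisco ACS itself.
# Models a NAR keyed on the client's MAC address (Calling-Station-Id):
# each user may authenticate only from a known set of MACs.
# The user table and the requests below are constructed sample data.

from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Canonicalise the MAC spellings a NAS may send in Calling-Station-Id
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff) to lowercase
    colon-separated hex, so the NAR comparison is not defeated by formatting."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class UserEntry:
    password: str                      # constructed; real ACS checks an external DB
    allowed_macs: set[str] = field(default_factory=set)   # empty = no NAR


# Constructed user table (hypothetical accounts).
USERS = {
    "alice": UserEntry("Alice#2010", {normalize_mac("00:1A:2B:3C:4D:5E")}),
    "bob":   UserEntry("Bob#2010"),    # no NAR configured: any MAC is accepted
}


def evaluate_access(request: dict, users: dict = USERS) -> tuple[bool, str]:
    """Return (accept, reason) for a RADIUS Access-Request rendered as a dict.
    Step 1: credential check. Step 2: NAR-style MAC restriction."""
    user = users.get(request.get("User-Name", ""))
    if user is None or user.password != request.get("User-Password"):
        return False, "rejected: bad credentials"
    if not user.allowed_macs:
        return True, "accepted (no NAR configured for this user)"
    try:
        mac = normalize_mac(request.get("Calling-Station-Id", ""))
    except ValueError:
        # A NAR on MAC can only work if the NAS actually sends the attribute.
        return False, "rejected: no usable Calling-Station-Id in request"
    if mac not in user.allowed_macs:
        return False, f"rejected: valid credentials but {mac} is not registered for this user"
    return True, "accepted"


# Constructed sample requests: the same stolen password from two devices.
LEGIT = {"User-Name": "alice", "User-Password": "Alice#2010",
         "Calling-Station-Id": "00-1A-2B-3C-4D-5E"}
STOLEN = {"User-Name": "alice", "User-Password": "Alice#2010",
          "Calling-Station-Id": "DE:AD:BE:EF:00:01"}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("stolen", STOLEN)):
        print(name, evaluate_access(req))
```

The stolen-credential request is rejected even though the password is correct, which is exactly what the NAR buys you. The limits are the ones the reply above names: the attacker who also controls (or spoofs) a registered MAC, or who has the laptop itself, passes this check, so it only raises the bar for credential theft and is no substitute for a second factor.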

tech-intercom Fri, 01/29/2010 - 03:51
I am trying to use EAP-TLS for machine certificate authentication, but I have a problem with the CA (certification authority).

I must trust the machine (computer) and not the user, because I need to use a single computer for multi-client logging.

Using certificates is the only method to avoid credential theft, I think.

Do you have a case study, for example?

Thanks a lot.
