ACS 4.2 NAP - advanced filter

tech-intercom · ‎01-29-2010

hi,

i must configure advanced filter in NAP setup on acs 4.2 and need grant access only user, in domain, that match the pofile.

must avoid access to external users that steel credential as "rogue users".

which is the value i must select for avoid tihs condition?

some ideas?

thx for all

best regards

darpotter · ‎01-29-2010

If a rogue user has access to a valid username/password its a challenge to detect this. You could use

RSA tokens, probably the easiest method from ACS perspective... no passwords to steal and requires a PIN.
NARs. Painful but if you knew the mac address(es) each user might use its possible to catch stolen credentials
NAC, If valid users have a NAC aware client, ACS can interrogate the registry on the client to check for known keys/values

Neither 2 or 3 would handle a stolen laptop. No easy answers here Im afraid. The question is really "how would you determine if someone on the network was legit" - if you cant tell, ACS will not be able to either.

FWIW the advanced filtering on the NAP page is more intended as a method by which the desired network service can be determined, and therefore handled by the appropriate policy (WLAN, VPN, etc).

tech-intercom · ‎01-29-2010

i try to use eap-tls for certificate-authentication-machine, but i have a problem with CA(certification authority);

i must to trust the machine(computer) and no the user, becouse i need use the single computer for multi-client logging.

use certificate is only method for avoid steel credential i think

are you a case-study for example?

thx a lot