ASA SSL VPN - Locking it down to corporate computers

Feb 19th, 2010

Hi All,

We have an ASA 5540 running SSL VPN. We are looking for a way to prevent users who have personal laptops from using their logon credentials to put their personal laptops on our network. Most users have a company-issued laptop, but we had a problem where one of those users put his personal laptop on our network by loading the AnyConnect client and using his credentials.

Thanks for your help.


Todd Pula Fri, 02/19/2010 - 09:46

You can look into Cisco Secure Desktop and Dynamic Access Policies to limit network access to only those machines that meet the configured policy. For example, you could have CSD scan for the presence of a registry key or seed file and permit or deny access. You can combine this with DAP for very granular control. For example, a corporate PC should be allowed AnyConnect access while a home PC should only be allowed clientless access. This could be accomplished using the above features available with SSL VPN.

jimsiff Sun, 02/21/2010 - 02:32

Another option that goes a step further than just CSD registry, file, and process checks would be to implement certificates for corporate PCs and use the certificate as a second authentication factor for AnyConnect. This helps strengthen your security posture as well as making it more difficult for personal PCs to log on.

If you have AD and an Enterprise PKI in place, it's relatively simple to deploy certificate templates that allow for auto-enrollment. Users would need to log in to the AD domain using a domain-joined PC to obtain the certificate. If you mark the private key as non-exportable, it makes it more difficult to export the complete certificate.

If you just use CSD and DAP to check registry entries, I would push an obscure key to all PCs via AD Group Policy or some other automated method. A good place to stash verification keys is a new CLSID under HKCR rather than something like HKLM\Software\%Corporation%\ManagedPC, which is obvious and easily duplicated on personal PCs.
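The ASA side of what both replies describe, as an added example that is not configuration posted by either Todd Pula or jimsiff: a trustpoint for the enterprise CA, a certificate map that only matches machine certificates issued by that CA, and a tunnel-group that requires a valid certificate in addition to the AD password, with CSD enabled so a DAP record can add the registry check. Every name below is an assumption for illustration: the interface `outside`, the tunnel-group `CORP-SSL`, the LDAP server group `AD-LDAP`, the pool `VPN-POOL`, the group policy `CORP-GP`, the trustpoint `CORP-ENT-CA`, the package file names, and that the auto-enrollment template puts `OU=Workstations` in the certificate subject. Syntax is the ASA 8.2 CLI that was current when this thread was written.

```cisco
! Trust the enterprise CA that auto-enrolls the machine certificates.
! CA certificate is pasted in PEM form at the prompt; revocation is checked
! against the CRL, so the CRL distribution point must be reachable from the ASA.
crypto ca trustpoint CORP-ENT-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate CORP-ENT-CA

! Match only machine certificates from that CA and that template.
! A user certificate or a certificate from another issuer will not map here.
crypto ca certificate map CORP-MACHINE-CERT 10
 issuer-name attr cn eq CORP-ENT-CA
 subject-name attr ou eq Workstations

webvpn
 enable outside
 ! AnyConnect package served to corporate PCs (file name is a placeholder).
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 ! Cisco Secure Desktop must be loaded and enabled before a DAP record can
 ! use its registry / file / process checks (file name is a placeholder).
 csd image disk0:/securedesktop-asa-3.4.2048-k9.pkg
 csd enable
 ! Send connections that present a matching machine cert to CORP-SSL.
 certificate-group-map CORP-MACHINE-CERT 10 CORP-SSL
 tunnel-group-list enable

tunnel-group CORP-SSL type remote-access
tunnel-group CORP-SSL general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy CORP-GP
tunnel-group CORP-SSL webvpn-attributes
 ! Both factors are mandatory: the TLS client certificate is validated
 ! first, then the AD username/password is checked against AD-LDAP.
 authentication aaa certificate
 group-alias corp enable
```

With `authentication aaa certificate` a laptop that cannot present a certificate chaining to `CORP-ENT-CA` is refused before the password is ever sent to AD, which is what stops the personal-laptop case in the question even when the user knows his own credentials. The DAP record itself (the CSD registry scan for the obscure CLSID key, and the rule granting AnyConnect to corporate PCs but only clientless access to everything else) is built in ASDM under Remote Access VPN, not in the CLI shown here.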


