Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3941
Views
0
Helpful
2
Replies

ASA SSL VPN - Locking it down to corporate computers

Joshua Engels
Level 1
Level 1

‎02-19-2010 05:53 AM

Hi All,

We have an ASA 5540 running SSL VPN.  We are looking for a way to prevent users who have personal laptops from using their logon credentials to put their personal laptops on our network.  Most users have a company issued laptop but we had a problem where one of those users put his personal laptop on our network by loading the Anyconnect client and using his credentials.

Thanks for your help.

-Josh

Labels:
0 Helpful
2 Replies 2

Todd Pula
Level 7
Level 7

‎02-19-2010 09:46 AM

You can look into Cisco Secure Desktop and Dynamic Access Policies to limit network access to only those machines that meet the configured policy.  For example, you could have CSD scan for the presence of a registry key or seed file and permit or deny access.  You can combine this with DAP for very granular control.  For example, a corporate PC should be allowed AnyConnect access while a home PC should only be allowed clientless access.  This could be accomplished using the above features available with SSL VPN.

http://www.cisco.com/en/US/docs/security/csd/csd34/configuration/guide/csd34cfg.html

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

0 Helpful

jimsiff
Level 1
Level 1

‎02-21-2010 02:32 AM

Another option that goes a step further than just CSD registry, file, and process checks would be to implement Certificates for corporate PCs and use the Certificate as a second authentication factor for AnyConnect.  This helps strengthen your security posture as well as make it more difficult for personal PCs to logon.

If you have AD and an Enterprise PKI in place, it's relatively simple to deploy Certificate Templates that allow for Auto Enrollment.  Users would need to login to the AD domain using a domain joined PC to obtain the certificate.  If you mark the Private Key as non-exportable, it makes it more difficult to export the complete certificate.

If you just use CSD and DAP to check registry entries, I would push an obscure key to all PCs via AD Group Policy or some other automated method.  A good place to stash verification keys is a new CLSID under HKCR rather than something like HKLM\Software\%Corporation%\ManagedPC, which is obvious and easily duplicated on personal PCs.

Jim

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents