Is it possible to bind a certificate to a computer, so that it is the identity of one device only, like a MAC address?
If it is not possible, then can anyone tell me what the difference is between user-based and certificate-based authentication, except the encryption capability? Because someone can export his computer certificate, install it onto any other computer and then plug that PC into the network even if that PC is not authorized. So where is the security?
My other point is: when a staff member owns a single user ID, he can use that single user ID to access the network from multiple devices simultaneously. My question is, why does Cisco ISE allow this? I must at least have the capability to not allow multiple simultaneous connections using a single ID.
One, a MAC address can easily be spoofed; it's not really a proper means to uniquely identify a machine.
Second, exporting the certificate is indeed not a problem, but the certificate on its own only gives you information about the public key, not the private one. If you want to make full use of the certificate you also need to export the private key.
I do not believe there is a feature in place to limit logins per account (with the exception of guest users).
However, my information might not be up to date; feel free to verify with the TAC folks or your SE.
If you are using an AD GPO for certificate auto-enrollment, there is an option to NOT allow exportable private keys. If you think your template is incorrect, then you will have to come up with a way to securely and safely issue certificates that does not allow the private keys to be exported.
We do not recommend exporting the private key associated with a certificate because its value may be exposed. If you must export a private key, specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE server to decrypt the private key.
Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources.
So, I hope both points are restrictable by ISE.
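The answer above turns on whether the machine certificate's private key was issued as exportable. On a Windows CA that is decided by the certificate template ("Allow private key to be exported" on the Request Handling tab) and by which key storage provider the template targets, so the practical check on an enrolled endpoint is to read the key's export policy and provider. The script below is an added example, not code from the original thread or from Cisco: it walks Cert:\LocalMachine\My, reports provider and exportability for every certificate with an RSA private key, and warns about keys that could be copied to another machine. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, RSA keys, and an elevated prompt so the machine keys are readable. Two caveats a practitioner should keep in mind: the "non-exportable" flag is enforced by the software provider, not by cryptography, so an administrator with tooling that patches the provider in memory (mimikatz's crypto::capi and crypto::cng modules do this) can still dump such a key; only a key generated in the TPM ("Microsoft Platform Crypto Provider") or on a smart card is genuinely bound to the device, which is the closest answer to the original "bind a certificate to one computer" question.

```powershell
# Added example (not from the original thread): audit machine certificates for
# exportable or software-held private keys. Assumes RSA keys in Cert:\LocalMachine\My
# and an elevated Windows PowerShell / PowerShell 7 session.

$TpmProvider = 'Microsoft Platform Crypto Provider'   # Windows' TPM key storage provider

function Get-PrivateKeyInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) {
        # Non-RSA key, or a key that is not readable in this security context
        return [pscustomobject]@{ Provider = 'unknown'; Exportable = $null; Policy = 'unreadable' }
    }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: ExportPolicy is a flags enum; None means the KSP refuses to export it
        $policy    = $rsa.Key.ExportPolicy
        $exportBit = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                     [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
        $canExport = (([int]$policy) -band $exportBit) -ne 0
        return [pscustomobject]@{ Provider = $rsa.Key.Provider.Provider; Exportable = $canExport; Policy = "$policy" }
    }

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI key: the CSP records a single exportable bit
        $info = $rsa.CspKeyContainerInfo
        return [pscustomobject]@{ Provider = $info.ProviderName; Exportable = $info.Exportable; Policy = 'CAPI' }
    }

    return [pscustomobject]@{ Provider = $rsa.GetType().Name; Exportable = $null; Policy = 'unsupported' }
}

$report = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_
    $key  = Get-PrivateKeyInfo -Cert $cert
    # 1.3.6.1.4.1.311.21.7 is the Microsoft certificate template extension (names the issuing template)
    $tpl  = $cert.Extensions['1.3.6.1.4.1.311.21.7']
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        Template       = $(if ($tpl) { $tpl.Format($false) } else { '' })
        Provider       = $key.Provider
        Exportable     = $key.Exportable
        HardwareBacked = ($key.Provider -eq $TpmProvider)
    }
}

$report | Format-Table Subject, Template, Provider, Exportable, HardwareBacked -AutoSize

# An exportable key, or any key held by a software provider, can be copied to another
# machine by a local administrator; only non-exportable hardware-backed keys are device-bound.
$weak = $report | Where-Object { $_.Exportable -or -not $_.HardwareBacked }
if ($weak) {
    Write-Warning ("{0} certificate(s) are not bound to this device:`n{1}" -f $weak.Count, ($weak.Thumbprint -join "`n"))
}
```

If the report shows the EAP-TLS machine certificate under "Microsoft Software Key Storage Provider", fixing the template's export setting only removes the easy copy path (certificate export with private key); re-issuing against the TPM provider is what makes the "install it onto any other computer" scenario from the question fail.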