
vpn-nac-exempt

I want to allow a VPN session from a remote user only if the computer's domain = mydomain.ru

For example:

In my company I have many users who work on notebooks, and I want to allow VPN sessions only from these notebooks.

Is it possible if I use this command (vpn-nac-exempt)?

And if it is possible, what attributes does this command need?


Sorry, I forgot to write this:

I have ASA 7.2.

Amadou TOURE
Level 1

Hello,

Do you use certificates or a pre-shared key?

Yes, I used a pre-shared key on the VPN (IPsec).

It is just that if a user sets up the Cisco VPN client on another computer, they connect to my ASA... But what if the new computer has a virus or something else?

That is why I want to allow VPN access only from computers that belong to my domain.

Hello,

vpn-nac-exempt is used to exempt workstations that match the OS specified in the command options from NAC posture validation.

Do you have a NAC server which postures remote access users?

No :(

In this case, I'm sorry but I don't know how you could do it without a NAC server.

1. With PKI, it's possible to verify the domain to which the certificate belongs before accepting the IPsec request.

2. With an authentication server (ACS, for example), users may provide a user ID like user@domain and you apply a specific profile.

But I know that these solutions don't exactly fit your request.
