We have a 3745 router with eight 28.8kbps analog modems on POTS lines and six digital modems (56K capable) attached to three ISDN BRI lines. The router functions as a small dial-up access server. It uses Windows 2000 RADIUS (IAS) to validate username/password against Active Directory, and determine whether the user name has remote dial-in permission.

My question is: Can we block certain non-authorized machines (that is, users' home PCs) from using a modem, valid login name and password, to gain dial-up access to the network? The users are supposed to use only the company-provided laptops.

Found out some users were having family at home dial-in and surf the Internet at the company's expense, saving the monthly recurring cost of an ISP account as well as running up the monthly toll-free line charges. Granted, these callers were forced to surf through the company's content filtering software, so they couldn't go everywhere they wanted. But these calls tied up dial-in ports during the day, causing some legitimate dial-ins to get busy signals. This was happening while employees with authorized laptops were at workplace.

Not looking to slap the users down, just want to tighten things up a little so the systems are only used by the machines for which they were intended.

I was thinking you could dial-up into the 3745 and use it as a front-end into a VPN Concentrator; and only the authorized laptops would have the VPN Client software loaded and properly configured.

Anybody else have any ideas?