We are considering deploying VPN3002 devices to remote sites, to connect to the corporate network over Cable/DSL ISP connections. However, if the device is stolen it could be connected to any ISP (as DHCP is configured on the public interface) and then connect into our internal network. In some cases, it may be possible to use "Interactive Client Authentication" with an RSA SecurID token (as we do for dial-in and software VPN clients), but this would be impractical for some sites. Another option could be to obtain a static IP address for the public interface. We use CiscoSecure ACS for back-end authentication, but ACS just contains the static username/password as configured on the VPN3002 hardware client.
Can CSACS be set up to only allow connections from VPN hardware clients with specific public IP addresses (given that the authentication request comes from the VPN Concentrator, not the VPN 3002 hardware client)?
An interesting question, and from the network admin side I think the concern would be "What damage can be done before it is noticed that the box is gone?" Could XAuth be used in some fashion so that the box may create a tunnel but no network resources could be accessed without proper credentials?
A very interesting question. I agree that the concern should be "What damage can be done before it is noticed that the box is gone?"
It is possible to configure XAuth so that each machine has to be authenticated before any network resources can be accessed. So without proper credentials no one would be able to access the network resources.
Since the 3.5 release of the 3002, you can use the Unit Authentication feature. This feature is enabled on the VPN3000 concentrator side. Anyone who does not have the password to authenticate the unit cannot and will not be able to complete a tunnel to the headend. Even if you have Split Tunneling enabled, you will not be able to access the internet (sites in the clear) through the 3002 without first authenticating the unit. Unit Authentication supports Internal, RADIUS, NT and SecurID authentication types.
In conclusion, if Unit Authentication is enabled and someone steals your 3002, they can't really use the box for much of anything...
I agree, the use of Unit Authentication coupled with token-based login would provide adequate security against the VPN3002 being stolen and would probably be adequate for a homeworker network.
However, if these are to replace ISDN routers (for example) to offer increased bandwidth, then for a site-wide network, user authentication is impractical. The same could be said of ISDN routers if they are stolen, but we do use CLI at the head-end to screen the calls.
Why not use Username/Password (NT Domain or Active Directory) authentication here for individual user authentication? In any case users will have accounts in them, and the ACS server can be configured to use the above databases.
Of course the Domain Controllers will have to be audited to look for failed logon attempts.
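Two points in the thread lend themselves to a detection example: the original question about tying each hardware client to its expected public IP address, and the advice above to audit for failed logon attempts so that a stolen box is noticed quickly. The following is an added example, not code from any post in this thread or from Cisco. It screens a constructed authentication log (the line format, the site names, the usernames and the IP addresses are all invented for illustration; this is not the CiscoSecure ACS or VPN3000 log format) against a per-unit allowlist of expected source addresses, and raises an alert on a successful tunnel from an unexpected address or on a run of failed unit authentications. Note the caveat the question itself raises: ACS only sees the concentrator as the NAS, so the peer address has to come from the concentrator's own session or event log, which is what the constructed `src` field stands in for here.

```python
"""Screen hardware-client VPN logins against expected source addresses.

Added example with a constructed log format; not CiscoSecure ACS output.
"""
from collections import defaultdict
import ipaddress
import re

# Hypothetical mapping of each VPN3002's configured username to the public
# address (or block, for sites without a static address) it should come from.
EXPECTED_SOURCE = {
    "site-london-3002": ipaddress.ip_network("203.0.113.10/32"),
    "site-leeds-3002": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed sample log: a normal day, then the same addresses reappearing
# from 192.0.2.55 (a "stolen box on a different ISP" scenario).
SAMPLE_LOG = """
2002-03-04 08:01:02 auth PASS user=site-london-3002 nas=10.0.0.5 src=203.0.113.10
2002-03-04 09:15:40 auth PASS user=site-leeds-3002 nas=10.0.0.5 src=198.51.100.77
2002-03-04 22:47:13 auth PASS user=site-london-3002 nas=10.0.0.5 src=192.0.2.55
2002-03-04 22:48:00 auth FAIL user=site-leeds-3002 nas=10.0.0.5 src=192.0.2.55
2002-03-04 22:48:20 auth FAIL user=site-leeds-3002 nas=10.0.0.5 src=192.0.2.55
2002-03-04 22:48:41 auth FAIL user=site-leeds-3002 nas=10.0.0.5 src=192.0.2.55
2002-03-04 22:50:05 auth PASS user=nobody-3002 nas=10.0.0.5 src=192.0.2.55
"""

# Regex for the constructed format: timestamp, result, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth (?P<result>PASS|FAIL) "
    r"user=(?P<user>\S+) nas=(?P<nas>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def source_is_expected(user, src, expected=EXPECTED_SOURCE):
    """True only when the unit's username is known and src falls in its block."""
    allowed = expected.get(user)
    if allowed is None:
        return False
    try:
        return ipaddress.ip_address(src) in allowed
    except ValueError:  # unparsable address: treat as unexpected, never as allowed
        return False


def screen(lines, expected=EXPECTED_SOURCE, fail_threshold=3):
    """Return a list of (user, src, reason) alerts for the given log lines.

    A PASS from an unknown unit or an address outside its block is always an
    alert; FAILs are counted per unit and alerted once the threshold is hit.
    """
    alerts = []
    failures = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, src = rec["user"], rec["src"]
        if rec["result"] == "PASS":
            if not source_is_expected(user, src, expected):
                alerts.append((user, src, "tunnel established from unexpected public address"))
        else:
            failures[user] += 1
            if failures[user] == fail_threshold:
                alerts.append((user, src, f"{fail_threshold} failed unit authentications"))
    return alerts


if __name__ == "__main__":
    for user, src, reason in screen(SAMPLE_LOG.splitlines()):
        print(f"ALERT {user} from {src}: {reason}")
```

Run against the constructed sample it reports three alerts: the London unit tunnelling in from 192.0.2.55, three failed authentications for the Leeds unit, and a successful login for a username that is not on the allowlist at all. A static public address per site makes the allowlist a single /32; a DHCP-assigned address forces a wider block and correspondingly weaker screening, which is the trade-off the original question is about.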